When an EdgeOne edge node pulls a request back to the origin server over HTTPS, EdgeOne does not verify the legitimacy or validity of the origin certificate by default. If this handshake requires stronger security, EdgeOne can be configured to verify the origin certificate with a chosen validation method, which confirms that the certificate is legitimate and prevents attacks such as hijacking of origin-pull traffic.
Note:
Only plans of the Basic Edition or above support this feature.
Supported Verification Methods
Verification Method | Verification Content
No verification | The legitimacy of the certificate returned by the origin server is not checked.
Verify with Specified Trusted CA Certificate | Checks whether the origin certificate was issued by the specified CA and whether it is within its validity period. If the certificate was not issued by that CA or is outside its validity period, the handshake fails and a 525/555 response is returned.
Operation Steps
Scenario: Verify origin certificate with specified trusted CA certificate
For example: the origin server for the domain example.com uses certificates issued by a specific CA. To prevent hijacking of origin-pull traffic, only origin certificates issued by this CA should be trusted.
1. Log in to the Tencent Cloud EdgeOne console, select the configured site from the site list, and open the site management menu.
2. In the left sidebar, click DNS > Domain Management. On the domain management page, select the domain name whose certificate you want to configure, then click Edit in the HTTPS column to open the certificate configuration panel.
3. Find the Origin Certificate Validation card and click Configure. Set the verification method to Verify with Specified Trusted CA Certificate, then select the trusted CA certificate.
4. Click Save to issue the configuration. The configuration takes effect once deployment completes.
5. Use the curl command to send a test request and check whether it responds normally. If the response is normal and the response header EO-Cache-Status is MISS or RefreshHit, the request was pulled from the origin successfully. If the certificate configured on the origin server was not issued by the specified CA, the origin-pull handshake fails and a 525/555 status code is returned.
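As an added example, not part of the EdgeOne documentation or tooling: a POSIX shell helper that automates the check in step 5 by classifying a curl response from its status code and its EO-Cache-Status header. The sample header blocks are constructed, and the function names classify_origin_pull and probe_origin_pull are chosen here; it assumes that any EO-Cache-Status value other than MISS or RefreshHit means the edge answered without pulling from the origin.

```shell
#!/bin/sh
# Added example: interpret the curl access test for EdgeOne origin certificate validation.
# Reads an HTTP response header block on stdin and prints one of:
#   handshake-failed  status 525/555: the origin certificate was rejected by the CA check
#   origin-ok         EO-Cache-Status MISS or RefreshHit: the request reached the origin
#   no-origin-pull    another EO-Cache-Status value (assumed: served by the edge, so the
#                     response proves nothing about the origin certificate)
#   inconclusive      no EO-Cache-Status header at all
classify_origin_pull() {
    hdrs=$(tr -d '\r')    # normalise CRLF line endings before matching fields
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    cache=$(printf '%s\n' "$hdrs" | awk -F': *' 'tolower($1) == "eo-cache-status" { print $2; exit }')
    case "$status" in
        525|555) echo handshake-failed; return 0 ;;
    esac
    case "$cache" in
        MISS|RefreshHit) echo origin-ok ;;
        "")              echo inconclusive ;;
        *)               echo no-origin-pull ;;
    esac
}

# Live probe for a domain served through EdgeOne (needs network; not used by the offline samples).
# -D - writes the response headers to stdout, -o /dev/null discards the body.
probe_origin_pull() {
    curl -sS --max-time 15 -o /dev/null -D - "https://$1/" | classify_origin_pull
}

# Constructed sample responses, written with CRLF as a real HTTP client would deliver them.
SAMPLE_ORIGIN_OK=$(printf 'HTTP/2 200\r\ncontent-type: text/html\r\neo-cache-status: MISS\r\n')
SAMPLE_HANDSHAKE_FAILED=$(printf 'HTTP/2 525\r\ncontent-type: text/html\r\n')
SAMPLE_NO_ORIGIN_PULL=$(printf 'HTTP/1.1 200 OK\r\nEO-Cache-Status: HIT\r\n')

for sample in "$SAMPLE_ORIGIN_OK" "$SAMPLE_HANDSHAKE_FAILED" "$SAMPLE_NO_ORIGIN_PULL"; do
    printf '%s\n' "$sample" | classify_origin_pull
done
```

To test a real domain after deployment, call probe_origin_pull example.com; a result of no-origin-pull means the edge served the content from cache and the test should be repeated against a path that forces an origin pull.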