HTTPS Settings
You can manage the protocol connecting users with your website and the Arvancloud CDN service’s edge servers in the Arvancloud account. You can also change the settings in the HTTPS protocol for content loading, settings for the free Arvancloud SSL/TLS certificate and upload your certificate. Other settings such as HSTS and HTTP2 can be accessed in the section.
HTTPS Activation
Activating this, the connection of your website users with CDN edge servers will be established on the HTTPS protocol, and the secure SSL/TLS protocol will be activated for your domain.
Activating the Arvancloud certificate gives you an SSL certificate through Let’s Encrypt for your domain. This certificate is valid for 3 months and will be reactivated automatically.
You can use the following sample request to enable HTTPS via API:
curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ssl' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'content-type: application/json' \
--data '{"ssl_status":true}'
You can also use your own SSL/TLS certificate by uploading a private certificate. By selecting this option and uploading the files related to the private key and certificate of your domain, in PEM format, your domain will use the uploaded private certificate.
You can use the following sample request to upload custom certificate via API:
curl --location 'https://napi.arvancloud.ir/cdn/4.0/domains/yourdomain.com/ssl/certificates' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7ZnkHJORO8lP1SVi' \
--data 'data'
Setting HTTPS as Default
Activating this means that all of the HTTP traffic will be directed to HTTPS automatically. Using HSTS (HTTP Strict Transport Security) protocol, this is done in the safest possible way and will prevent possible Man-in-the-Middle attacks. After activating and caching HSTS settings, it is impossible to apply changes until the configuration expires.
You can use the following sample request to enable HTTPS via API:
curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ssl' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '{"https_redirect":true}'
Rewriting Files Based on HTTPS
Activation of this option automatically changes all HTTP links in HTML and JS files with HTTPS ones.
You can use the following sample request to enable HTTPS via API:
curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ssl' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '{"replace_http":true}'
Configuring the Minimum TLS Version
In this section, you can select the minimum supported TLS version. When you choose the minimum TLS version, any user with an older TLS version cannot visit the website through HTTPS.
You can use the following sample request to enable HTTPS via API:
curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ssl' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'content-type: application/json' \
--data '{"tls_version":"TLSv1.2"}'
HSTS Protocol
The main job of this protocol is to ensure the secure transfer of website links from HTTP to HTTPS. In the Arvancloud user panel, you can access all of its advanced settings, including the browser’s required duration to display the webpage in HTTPS, the compatibility of all subdomains with HSTS, and preparing the domain for search engines.
Clicking on Edit Settings allows the activation of these features.
Most users connect to servers through HTTP protocol by default. If secure protocol becomes mandatory, these requests must automatically change to HTTPS. Using typical methods can have security risks. HSTS is a set of security policies that allow websites to be accessible only through the HTTPS protocol. These policies are announced to the user on a website by sending a header as Strict-Transport-Security.
You can use the following sample request to enable HTTPS via API:
curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/ssl' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'content-type: application/json' \
--data '{"hsts_status":true,"hsts_max_age":"2mo","hsts_subdomain":true,"hsts_preload":true}'
Browser Reaction to HSTS
Receiving the user’s request, the server sends a Header with HSTS protocol policies such as below:
Strict-Transport-Security: max-age=2628000; includeSubDomains;
This means that the domain and all subdomains will be only accessible through HTTPS for the next 2628000 seconds (1 month). The browser then does 2 important things:
It changes all unsafe links to secure ones. For example, the website http://www.arvancloud.ir will become https://www.arvancloud.ir.
If the browser cannot determine the website's security, it will display an error and will block access.
Google and Preload Solution
Suppose a user using a new operating system has entered a website address in the browser for the first time and in an unsafe environment. in this very first connection and receiving HSTS security policies, there is a security risk. In the Chromium project, Google decided to hardcode websites that needed to use HTTPS all the time. You can also add your website’s name to this list by adding your domain to this page. Before, make sure your website matches these conditions:
It has a valid certificate.
All HTTP traffic is transferred to HTTPS.
All subdomains are only accessible through HTTPS.
The correct header is sent to users for the configurations.
Arvancloud does all of these items for you automatically. You only need to add your domain name to the Google list. Currently, Google Chrome, Firefox, Opera, Safari, and soon Microsoft Internet Explorer will use this Google list.
Browsers that Support HSTS
Google Chrome version 4.0.211.0 and higher
Firefox version 4 and higher
Internet Explorer 11 and Microsoft Edge (Windows 10)
Opera version 12 and higher
Safari with OS X Mavericks since January 2013
Arvancloud’s Default Connection Protocol with Main Servers
You can determine the connection method between your website’s main servers and Arvancloud edge servers. The connection can be HTTP, HTTPS, or automatic. To enable the HTTPS or automatic option, your server needs to support the HTTPS protocol.
In the automatic setting, the protocols connecting the two groups of servers are determined by the users’ requests. You can specify the connection protocol with the main server separately for each record in the activation section. If the protocol option is set to default in the activation section, the settings of this section will be applied.
You can use the following sample request to enable HTTPS via API:
curl --location --request PATCH 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/load-balancers/settings' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'Content-Type: text/plain' \
--data '{"protocol":"https"}'