A General Solution for Publishing Web-Based Services Hosted Overseas in China

  • Zhong Wang, Solutions Architect
  • Rui Chen, Staff Solutions Architect
  • Kexue Wei, Staff Solutions Architect

Background

  1. Leverage an existing service outside of China, hosted either on-premises or in a public cloud
  2. Solve network quality issues with Alibaba Cloud CEN and proxy servers
  3. Realize domain name consistency with on-the-fly domain name conversion
  4. Achieve great performance by leveraging Alibaba Cloud CDN and DCDN

Solution

  1. Alibaba Cloud DNS service hosting the new domain name “example.cn”
  2. Two Alibaba Cloud VPCs, one in Shanghai and one in US East. Both VPCs are attached to a Cloud Enterprise Network (CEN), establishing a reliable, low-latency private connection between Shanghai and US East. Instructions for CEN configuration can be found at https://www.alibabacloud.com/help/doc-detail/65885.htm
  3. Deploy an ECS instance in the Shanghai VPC, running HAProxy (www.haproxy.org) in TCP mode and serving user requests for example.cn at a public IP (or Elastic IP). All user requests are then proxied via CEN to the ECS instance running Nginx in the US East VPC. Because HAProxy runs in TCP mode, it forwards the TLS stream untouched; the TLS session for example.cn is terminated on the Nginx server.
  4. Deploy an ECS instance in the US East VPC, running Nginx. It is important to choose a region that is geographically close to where the existing service is hosted (US East in this example) to minimize latency over the public Internet. Configure Nginx proxy_pass and sub_filter to convert the domain part of the requests on the fly, i.e. from “example.cn” to “example.com”, so that all HTTPS requests to example.cn from users in China are converted to example.com and proxied to the origin web server in US East via the public Internet. The URLs in the returned HTML are converted back to example.cn and forwarded to users in China via HAProxy. The Nginx server needs to have ngx_http_proxy_module and ngx_http_sub_module loaded to perform the conversion.

Example haproxy.conf

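    listen HTTPS
        bind 0.0.0.0:443
        # TCP mode: the TLS stream is passed through without being decrypted
        mode tcp
        # No port is given, so HAProxy connects to the same port the client used (443)
        server us-nginx <nginx private IP>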

Example nginx.conf (“Server” Section Only)

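    server {
        # "listen ... ssl" replaces the obsolete "ssl on;" directive
        listen 443 ssl;
        server_name example.cn;
        root html;
        index index.html;
        ssl_certificate cert/example.cn.pem;
        ssl_certificate_key cert/example.cn.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow TLS 1.2 and 1.3 only
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        location / {
            # Forward every request to the origin under its original domain
            proxy_pass https://example.com/;
            # Rewrite origin URLs in response bodies of any MIME type
            sub_filter_types *;
            sub_filter https://example.com https://example.cn;
            # Replace every occurrence, not just the first one
            sub_filter_once off;
            # Ask the origin for uncompressed responses so sub_filter can see the text
            proxy_set_header Accept-Encoding "";
        }
    }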
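
The sub_filter rule above replaces only the literal string https://example.com, and only in response bodies. The following Python check is an added example, not part of the original article: it models that rule and lists every origin-domain reference a user of example.cn would still receive. The sample headers and body are constructed, and the headers are assumed to pass through the proxy unchanged.

```python
import re

ORIGIN, MIRROR = "example.com", "example.cn"  # domains used in the article

def apply_sub_filter(body):
    """Model `sub_filter https://example.com https://example.cn;` with
    `sub_filter_once off`: literal, case-insensitive, response body only."""
    return re.sub(re.escape("https://" + ORIGIN), "https://" + MIRROR,
                  body, flags=re.I)

# The origin hostname or any subdomain of it, not embedded in a longer label.
LEAK = re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(ORIGIN) + r"(?![\w-])",
                  re.I)

def audit(headers, body):
    """Return (where, host) for each origin-domain reference a client of the
    mirror would still receive after the proxy has rewritten the body."""
    findings = []
    for name, value in headers:
        findings += [("header:" + name, m.group(0).lower())
                     for m in LEAK.finditer(value)]
    findings += [("body", m.group(0).lower()) for m in LEAK.finditer(body)]
    return findings

# Constructed sample origin response (not captured traffic). Assumption: the
# proxy passes these headers through unchanged.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Domain=.example.com; Secure; HttpOnly"),
    ("Content-Security-Policy", "default-src 'self' https://static.example.com"),
]
SAMPLE_BODY = (
    '<a href="https://example.com/login">Login</a>\n'           # rewritten
    '<img src="//example.com/logo.png">\n'                      # protocol-relative
    '<script src="https://static.example.com/app.js"></script>\n'  # subdomain
    '<script>var api = "https:\\/\\/example.com\\/api";</script>\n'  # JSON-escaped
    '<a href="HTTPS://EXAMPLE.COM/about">About</a>\n'           # rewritten
)

if __name__ == "__main__":
    served = apply_sub_filter(SAMPLE_BODY)
    for where, host in audit(SAMPLE_HEADERS, served):
        print(f"{where:35} still references {host}")
```

A cookie with Domain=.example.com is rejected by browsers when it arrives from example.cn, and the remaining body references send the browser directly to the origin instead of through the proxy path. Nginx's proxy_cookie_domain directive and additional sub_filter rules are the usual ways to close these gaps.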

Adding DCDN to the Picture

  1. Static content can be cached at CDN PoPs close to end users for faster access, which also helps to reduce the load on the HAProxy server, the Nginx server and the CEN bandwidth.
  2. Dynamic requests are routed to HAProxy via the Alibaba Cloud backbone network, yielding better performance than routing via the public Internet.

Unified Entry Point

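    # Look up the client's country (requires the third-party ngx_http_geoip2_module)
    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        $geoip2_data_country_code country iso_code;
    }
    # Choose the domain a client should use based on its country code
    map $geoip2_data_country_code $geo_sub_domain {
        default www.example.com;
        CN example.cn;
    }
    server {
        server_name example.com
                    www.example.com
                    example.cn;
        # Redirect when the requested host is not the one chosen for this client
        if ($geo_sub_domain != $host) {
            # $request_uri already carries the query string
            return 302 $scheme://$geo_sub_domain$request_uri;
        }
        ...
    }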

Further Considerations

  1. Server Load Balancer and Auto Scaling for multiple HAProxy and Nginx instances
  2. Hardening Security Groups and server ACLs
  3. Deploying Web Application Firewall to protect the web service
