A General Solution for Publishing Web-Based Services Hosted Overseas in China

  • Zhong Wang, Solutions Architect
  • Rui Chen, Staff Solutions Architect
  • Kexue Wei, Staff Solutions Architect


  1. Leverage an existing service outside of China, either hosted on-premises or in a public cloud
  2. Solve network quality issues with Alibaba Cloud CEN and proxy servers
  3. Realize domain name consistency with on-the-fly domain name conversion
  4. Achieve great performance by leveraging Alibaba Cloud CDN and DCDN


  1. Alibaba Cloud DNS service hosting the new domain name “example.cn”
  2. Two Alibaba Cloud VPCs, one in Shanghai and one in US East. Both VPCs are attached to a Cloud Enterprise Network (CEN), establishing a reliable, low-latency private connection between Shanghai and US East. Instructions for CEN configuration can be found at https://www.alibabacloud.com/help/doc-detail/65885.htm
  3. Deploy an ECS instance in the Shanghai VPC, running HAProxy (www.haproxy.org) in TCP mode and serving user requests for example.cn at a public IP (or Elastic IP). All user requests are then proxied via CEN to the ECS instance running Nginx in the US East VPC.
  4. Deploy an ECS instance in the US East VPC, running Nginx. It is important to choose a region that is geographically close to where the existing service is hosted (US East in this example) to minimize latency over the public Internet. Configure Nginx proxy_pass and sub_filter to convert the domain part of the requests on the fly, i.e., from “example.cn” to “example.com”, so that all HTTPS requests to example.cn from users in China are converted to example.com and proxied to the origin web server in US East via the public Internet. The URLs in the returned HTML are converted back to example.cn and forwarded to users in China via HAProxy. The Nginx server needs to have ngx_http_proxy_module and ngx_http_sub_module loaded to perform the conversion.

Example haproxy.conf

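listen HTTPS
    # Listening address; the original omits it, so *:443 is an assumption
    bind *:443
    # TCP mode passes TLS through untouched; Nginx in US East terminates it
    mode tcp
    server us-nginx <nginx private IP>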

Example nginx.conf (“Server” Section Only)

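server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.cn;
    root html;
    index index.html;
    ssl_certificate cert/example.cn.pem;
    ssl_certificate_key cert/example.cn.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated; offer TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        # Forward every request to the origin under its original domain
        proxy_pass https://example.com/;
        # Rewrite origin URLs in response bodies of any MIME type
        sub_filter_types *;
        sub_filter https://example.com https://example.cn;
        sub_filter_once off;
        # Request uncompressed responses; sub_filter cannot rewrite compressed bodies
        proxy_set_header Accept-Encoding "";
    }
}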
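
An added check, not part of the original article: sub_filter replaces only the literal string https://example.com in response bodies, so this Python script scans a proxied response for origin-domain references that survive the rewrite. The sample response is constructed, and the function names are hypothetical.

```python
import re

ORIGIN, MIRROR = "example.com", "example.cn"  # domains used in the article
HOST = r"(?:[\w-]+\.)*" + re.escape(ORIGIN) + r"\b"  # origin or any subdomain

# Response headers to inspect: sub_filter rewrites bodies only, never headers.
HEADER_NAMES = {"location", "set-cookie", "content-security-policy",
                "access-control-allow-origin"}

# Body spellings that the literal pattern "https://example.com" does not match.
BODY_PATTERNS = {
    "http-scheme": re.compile(r"http://" + HOST),
    "protocol-relative": re.compile(r"(?<![:\w/])//" + HOST),
    "json-escaped": re.compile(r"https?:\\/\\/" + HOST),
    "subdomain": re.compile(r"https://(?:[\w-]+\.)+" + re.escape(ORIGIN) + r"\b"),
}

def simulate_sub_filter(body):
    """Mimic the article's rule: literal replacement, every occurrence."""
    return body.replace("https://" + ORIGIN, "https://" + MIRROR)

def find_leaks(headers, body):
    """Return sorted (where, kind) pairs that still reference ORIGIN."""
    leaks = set()
    for name, value in headers:
        if name.lower() in HEADER_NAMES and re.search(HOST, value, re.I):
            leaks.add(("header", name.lower()))
    for kind, pattern in BODY_PATTERNS.items():
        if pattern.search(body):
            leaks.add(("body", kind))
    return sorted(leaks)

# Constructed sample of an origin response (not captured from a real site).
SAMPLE_HEADERS = [
    ("Location", "https://www.example.com/login"),
    ("Set-Cookie", "sid=abc123; Domain=example.com; Secure; HttpOnly"),
    ("Content-Type", "text/html"),
]
SAMPLE_BODY = (
    '<a href="https://example.com/a">rewritten by sub_filter</a>'
    '<script src="//example.com/app.js"></script>'
    '<img src="https://static.example.com/logo.png">'
    '<script>var api = "https:\\/\\/example.com\\/v1";</script>'
)

if __name__ == "__main__":
    for where, kind in find_leaks(SAMPLE_HEADERS, simulate_sub_filter(SAMPLE_BODY)):
        print(f"origin domain still exposed in {where}: {kind}")
```

Header findings are normally handled with Nginx's proxy_redirect and proxy_cookie_domain directives, and body findings with additional sub_filter rules.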

Adding DCDN to the Picture

  1. Static content can be cached at CDN PoPs close to end users for faster access, which also helps to reduce the load on the HAProxy server, the Nginx server and CEN bandwidth.
  2. Dynamic requests are routed to HAProxy via the Alibaba Cloud backbone network, yielding better performance than routing via the public Internet.

Unified Entry Point

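geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    # Look up the client's ISO country code (requires ngx_http_geoip2_module)
    $geoip2_data_country_code country iso_code;
}
# Choose the domain that should serve this client
map $geoip2_data_country_code $geo_sub_domain {
    default www.example.com;
    CN example.cn;
}
server {
    server_name example.com;
    # Redirect when the request host differs from the domain chosen for the client's country
    if ($geo_sub_domain != $host) {
        return 302 $scheme://$geo_sub_domain$request_uri;
    }
}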

Further Considerations

  1. Server Load Balancer and Auto Scaling for multiple HAProxy and Nginx instances
  2. Hardening Security Groups and server ACLs
  3. Deploying Web Application Firewall to protect the web service




Alibaba Cloud


