A content delivery network (CDN) is a service that offers a large distributed network of web servers to increase a web site's availability and performance.
This page describes support for HTTPS on several CDNs.
Notes about the terminology used on this page:
- A "bucket" refers to an account with a CDN provider and its associated domain name(s) or other identifier(s). The term originates with Amazon S3, though the HTTPS Everywhere development team has adopted this term more generally.
- "HTTP" refers specifically to the use of TCP port 80 for unencrypted HTTP, as opposed to the HTTP protocol in general, unless otherwise specified (such as in the term "HTTP header").
This list includes only "traditional" CDNs that host individual files of the webmaster's choice.
It does not include services such as CloudFlare that proxy an entire website. Such services generally offer HTTPS only as a premium feature.
The list was based primarily on a cursory glance at some HTTPS Everywhere rulesets. It is not yet meant to be comprehensive.
Unless otherwise specified, all entries refer to "shared SSL," in which the domain names contain the name of the CDN provider, so the provider's own certificate covers them. HTTPS support on custom domain names almost always requires a premium account.
HTTPS on same domain as HTTP
These generally allow HTTPS requests to be made to any bucket, at a slight additional cost per request to the account holder, without any special setup required.
HTTPS on different domain from HTTP
Some CDNs put HTTP and HTTPS on different domains, but the mapping from one to the other is predictable enough that an HTTPS Everywhere ruleset can be written.
These also generally allow HTTPS requests to be made to any bucket. (CDNs that don't should be placed in the "HTTPS as premium service only" or "Investigation needed" sections as appropriate.)
- Rackspace Cloud Files (an Akamai reseller[3])
- SoftLayer (an EdgeCast reseller; *.http.cdn.softlayer.net → *.https.cdn.softlayer.net)
- (at least one other I'm probably forgetting)
HTTPS as premium service only
These may or may not allow HTTPS for any given bucket, depending on the pricing plan ordered by the account holder. Some domains may offer both HTTP and HTTPS; some may not offer HTTPS at all; etc.
- CDNetworks (Pantherssl branded service offers HTTPS; the basic CDNetworks brand may not)
- Internap (the Internap brand has *.https.internapcdn.net, for example; the Voxel brand limits HTTPS to premium accounts despite using the same *.voxcdn.com domain hierarchy for all buckets)
- Limelight Networks (HTTPS available on *.hs.llnwd.net but not on other domains such as *.vo.llnwd.net)
No HTTPS at all
Investigation needed
- Akamai Technologies (Akamai-branded service; resellers may differ. HTTPS is probably not supported on buckets configured for streaming video.[4] a*.g.akamai.net can mostly (but not entirely?) be rewritten to a248.e.akamai.net.)
- EdgeCast Networks (most domains offer HTTPS or at least have an HTTPS equivalent, but some that don't may exist[5]).
TODOs
- Consider giving some advice that is actually useful to the target audience of the Portfolio hosting article
- Consider linking to individual HTTPS Everywhere rulesets where available
- MaxCDN offers "free shared SSL"; how are the domains and folders assigned? IIRC they are a NetDNA reseller; NetDNA itself offers HTTPS only as a premium feature
- Highwinds offers free shared SSL with "no setup fee" (but does no setup fee mean no setup? The domain used for shared SSL doesn't seem to be the standard hwcdn.net)
- Is Internap an EdgeCast reseller to any extent? See the CNAME chain for http.cdnlayer.com. (Answer: yes, or at least they used to be, as http.cdnlayer.com is dying or defunct. TODO: fix this; it is probably more correct to say that SoftLayer used to be an Internap reseller but is now an EdgeCast reseller...)
[1] For the Amazon Web Services listed here, HTTPS support is enabled by default, but it can be disabled for specific buckets (in the sense that the response is HTTP 403).
[2] S3 is sometimes called a CDN, though by itself it is not strictly a CDN, because one bucket's data can only exist in one geographical location at a time. A set of buckets is often used as origin points for a true CDN, and several HTTPS Everywhere rules rewrite requests from a CDN with unknown HTTPS support to S3. S3 bucket names MAY contain periods. It is NOT RECOMMENDED that website administrators use periods in S3 bucket names if they wish to fully support HTTPS on their site: the wildcard in the *.s3.amazonaws.com certificate matches only a single DNS label, so it does not cover foo.bar.s3.amazonaws.com, and s3.amazonaws.com/foo.bar/ redirects to the former if the bucket is locked to one datacenter location. The redirect is a 301 with an XML body but no Location: header, so most browsers wouldn't know how to follow it anyway.
[3] http://www.rackspace.com/cloud/cloud_hosting_products/files/technology/?page=cdn
[4] This HTTPS Everywhere bug report gives an example of such a bucket.
[5] Detailed notes on the construction of EdgeCast URLs will be kept here.
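As an added example (not code from this page or from the HTTPS Everywhere project), the following Python sketches how the host mappings in the "HTTPS on different domain from HTTP" section (SoftLayer, and the Akamai a*.g.akamai.net → a248.e.akamai.net rewrite from "Investigation needed") and the S3 wildcard-depth caveat in footnote 2 translate into rewrite rules of the kind a ruleset would carry. The host names are the ones this page names; the exact regular expressions, the `[a-z0-9-]` alphabet assumed for bucket labels, the sample URLs and the function names are assumptions of this example, not the published rulesets.

```python
import re
from typing import Optional

# Added example, not the HTTPS Everywhere project's own code. Each rule is a
# (from-regex, to-template) pair, mirroring the <rule from="..." to="..."/>
# elements of a ruleset; only the matched prefix of the URL is replaced.
# The exact regexes are this example's assumption.
RULES = [
    # SoftLayer: HTTPS lives on a different domain from HTTP.
    (re.compile(r"^http://([a-z0-9-]+)\.http\.cdn\.softlayer\.net/", re.I),
     r"https://\1.https.cdn.softlayer.net/"),
    # Akamai: the page says a*.g.akamai.net can "mostly" be rewritten to
    # a248.e.akamai.net, so an unverified bucket still needs a manual check.
    (re.compile(r"^http://a\d+\.g\.akamai\.net/", re.I),
     r"https://a248.e.akamai.net/"),
    # S3, virtual-hosted style, same domain. Bucket labels containing a period
    # are deliberately excluded: the *.s3.amazonaws.com wildcard covers only
    # one label (footnote 2), so foo.bar.s3.amazonaws.com would fail validation.
    (re.compile(r"^http://([a-z0-9-]+)\.s3\.amazonaws\.com/", re.I),
     r"https://\1.s3.amazonaws.com/"),
    # S3, path style, same domain: the host is fixed, so any bucket name is
    # fine for the certificate (the 301-without-Location caveat still applies).
    (re.compile(r"^http://s3\.amazonaws\.com/", re.I),
     r"https://s3.amazonaws.com/"),
]


def rewrite(url: str) -> Optional[str]:
    """Return the HTTPS URL for a known CDN bucket, or None if no rule applies."""
    for pattern, template in RULES:
        if pattern.match(url):
            return pattern.sub(template, url, count=1)
    return None


def wildcard_covers(cert_pattern: str, host: str) -> bool:
    """Browser-style wildcard matching: '*' stands for exactly one DNS label.

    '*.s3.amazonaws.com' covers 'foo.s3.amazonaws.com' but neither
    'foo.bar.s3.amazonaws.com' nor the bare 's3.amazonaws.com'.
    """
    host = host.lower()
    cert_pattern = cert_pattern.lower()
    if not cert_pattern.startswith("*."):
        return host == cert_pattern
    suffix = cert_pattern[1:]  # ".s3.amazonaws.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def s3_https_url(bucket: str, key: str) -> str:
    """Choose the S3 URL form that Amazon's *.s3.amazonaws.com certificate covers.

    Assumed helper for the webmaster side of footnote 2: a bucket name with a
    period gets the path-style form, since the virtual-hosted form would have
    one label too many for the wildcard.
    """
    if wildcard_covers("*.s3.amazonaws.com", f"{bucket}.s3.amazonaws.com"):
        return f"https://{bucket}.s3.amazonaws.com/{key}"
    return f"https://s3.amazonaws.com/{bucket}/{key}"


if __name__ == "__main__":
    # Constructed sample URLs; the bucket identifiers are made up.
    for sample in (
        "http://abc123.http.cdn.softlayer.net/img/logo.png",
        "http://a1234.g.akamai.net/f/1234/9876/1d/example.com/style.css",
        "http://mybucket.s3.amazonaws.com/report.pdf",
        "http://foo.bar.s3.amazonaws.com/report.pdf",
        "http://example.com/",
    ):
        print(f"{sample} -> {rewrite(sample)}")
    print(s3_https_url("foo.bar", "report.pdf"))
```

The dotted S3 bucket is the instructive case: the rewriter returns None for foo.bar.s3.amazonaws.com rather than producing an HTTPS URL whose certificate the browser would reject, which is the same reason the page recommends against periods in bucket names. Akamai's "mostly" means the rule should be paired with a check of each newly seen bucket before it is trusted.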
Categories: Computer security