China CDN Readiness Checklist V1
China Internet Expert: +1 213-239-8878

Overview

When looking to successfully launch a service into China, it is important to keep in mind that China's Internet is a unique network operating within the China Firewall. Internet in China is connected internally and to global carriers by Chinese Internet Service Providers (ISPs), and governed by the laws and regulations of the People's Republic of China. China Telecom is the largest ISP both in China and around the world. Although no longer a monopoly, China Telecom is joined by relatively few major carriers, with China Unicom (formerly China NetCom) and China Mobile being the only two other major providers. While foreign companies dominate the global Internet, China has a thriving local services market delivered to users from local data centers by the major ISPs.

For foreign-hosted services, all traffic must enter Mainland China through a limited number of international gateways, all of which are filtered by network equipment commonly referred to as "China's Great Firewall" or "the GFW". As IP addresses are often shared by service providers (especially in the case of cloud providers), the default mechanism used to filter content is to scan domain names and URLs for banned keywords or pre-identified problematic companies/providers, and deny those addresses. As such, a significant part of preparing to enter China is to consider how your operations will look: How are your domain names currently used? What content will they be delivering? How will the China government perceive the business you are operating within the country?

This document aims to provide a high-level checklist for working through and integrating a China CDN into your service delivery plans. Many of these points also apply to China hosting. As services grow over time, a combination of China hosting and China CDN is typically adopted.
en.chinacache.com

Planning and Configuration

Service Area
Do you plan to deliver content to Mainland China only, or to all or part of Greater China (including Hong Kong, Taiwan and Macao)?

Origin
- What is the origin domain name/IP address?
- Where is the origin hosted?
- Will you be leveraging a global CDN as the origin for your China CDN?

Content
Review all third-party links on your website, as they may be blocked in China. Use the Chinese equivalents of the blocked services: for example, substitute Weibo and WeChat for Facebook and Twitter, Youku for YouTube, Baidu Analytics for Google Analytics, etc.

Domain Name
- Do you have an ICP for your domain (tied to the root domain)? This is required to serve content on the Mainland China network. If not, see the ICP License section below.
- Review included domains (those called by code within your pages): are they suitable/optimized for China?
- It is also important to analyze the other domains your web application relies on and determine whether they are adding latency.
- In more advanced cases, you can separate your content into discrete "channels" (sub-domains) and use different services for each domain.

ICP License
Before applying for an ICP license, a company must meet the following three criteria:
- The company must have a China business entity.
- The domain must be registered with a China registrar.
- The origin must have a China IP address.
ICP filing requirements vary slightly across regions in China; check the requirements for the region in which you will file. A website with an ICP license can still be blocked if the regulatory agency considers its content illegal or improper. The regulatory agency revokes ICP licenses without giving reasons.
Hosting providers, including ChinaCache, are strictly forbidden to serve Internet content without a valid ICP license, so if your ICP license is revoked, ChinaCache will move your services to RIM, where the content is delivered from the rim of Mainland China (Taiwan, Hong Kong, etc.) instead of from within Mainland China.

Illegal Content
If your website contains illegal content (e.g. gambling, adult, etc.), it will be blocked in China without notification from the regulatory agency.

Use your own root domains to deliver all content, and avoid direct third-party domain names, such as those provided by Amazon S3 and others, in your site code. This keeps your website available even if the third-party domains are taken down. Instead, use host headers/hostname bindings to associate your domain with the third-party domains.

Global Delivery
- Do you already have a Global Server Load Balancer (GSLB) solution, also known as a traffic manager?
- Which traffic manager will own first response for Mainland China? Which will own it outside China?

SSL Certificate
- Which domains require SSL certificates?
- How many sub-domains/channels (such as "www") are planned?
- Do you plan to use your own certificate, or to procure one through the CDN vendor?

Security
Consider where your security module is located. If you are leveraging a security solution with a global CDN provider, dynamic requests can be sent to the CDN origin and be protected by the global service. For an origin in China, we recommend using a security solution located within China to avoid the additional layer of latency. Additionally, even if the origin is located outside China, a China-based security solution can still be implemented within the China CDN architecture.

Bandwidth and Traffic
- What are the bandwidth requirements for each channel? This is typically measured in Mbps.
- What are the traffic requirements for each channel? This is typically measured in bytes (MB, GB, TB, etc.).
TCP Port Requirement
- List the ports for each of your service domains (user-facing) and origin domains.
- Confirm whether any port rewrite (such as from 443 at the edge to 80 at the origin) is required for specific domains.
- Identify any non-standard ports (other than 80/443), such as 8080, and how they are used.

Browser/App HTTP Request/Response Headers
- Is the "True-Client-IP" required by your application, or to appear in your logs? CDNs proxy user requests, and therefore the requestor's IP is replaced by that of the CDN node.
- Does the origin have cache control headers set?
- Are additional headers (typically starting with "X-") required? Are these for sending to the client/browser, to the origin, or both?

Cache Keys and Query Strings
- Will new content be created with unique URLs? This removes the need for most purge requests: content URLs are changed, not overwritten. It also allows for extremely long TTLs, which improve performance over time and save CDN costs. If not, new content releases will have to be purged.
- Do query strings (the value after "?") modify content at all? If not, they can be ignored to improve caching.

Redirects Caching
- Permanent redirects (HTTP 301) are generally not recommended. Is there a need for them?
- Edge-based 302 redirects are recommended, as these are not cached. Edge rules improve performance.

Origin Outage and Errors
- What should happen to expired content if the origin is unavailable? Continue to serve the expired content, or show an error?
- Origin error page handling: caching 404s can reduce origin hits.

Pre-Cutover Testing

CDN CNAME
- Each CDN-accelerated service domain will have a matching CNAME assigned by the CDN provider. This should be tested before cutting over production.
- CNAMEs cannot, by default, be accessed directly; they are proxies for service domains.
- Testing a CDN CNAME can be done using the dig or nslookup command (from China) to obtain an IP for the CNAME.
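The True-Client-IP, unique-URL and query-string points above, as they look on the origin side. This is an added example, not ChinaCache code: the header name True-Client-IP comes from the checklist, the CDN node ranges are constructed placeholders to be replaced by the vendor's published ranges, and keep_params is an assumption about which query parameters actually change the response.

```python
import hashlib
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholders standing in for the CDN vendor's published node ranges.
CDN_NODE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


def client_ip(peer_ip: str, headers: dict) -> str:
    """Address to log and rate-limit on for a request that reached the origin.
    The CDN node is the TCP peer, so the user's address only arrives in a header
    (assumed here to be True-Client-IP). Anything that reaches the origin directly
    can send that header too, so it is honoured only when the peer is a CDN node."""
    peer = ipaddress.ip_address(peer_ip)
    lowered = {k.lower(): v for k, v in headers.items()}
    if any(peer in net for net in CDN_NODE_RANGES):
        try:
            return str(ipaddress.ip_address(lowered.get("true-client-ip", "").strip()))
        except ValueError:  # header absent or not a valid address: fall back to the peer
            pass
    return str(peer)


def versioned_path(path: str, content: bytes) -> str:
    """Give each release of a static file its own URL (new content = new URL, never
    overwritten), so it can be cached with a very long TTL and never needs purging."""
    directory, _, name = path.rpartition("/")
    stem, dot, ext = name.rpartition(".")
    digest = hashlib.sha256(content).hexdigest()[:8]
    return f"{directory}/{stem}.{digest}.{ext}" if dot else f"{directory}/{name}.{digest}"


def cache_key(url: str, keep_params=()) -> str:
    """Cache key for a URL. Query parameters not named in keep_params are dropped
    (they do not change the response) and the survivors are sorted, so
    ?b=2&a=1 and ?a=1&b=2 map to the same cached object."""
    parts = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in keep_params)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", urlencode(kept), ""))
```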
- A HOSTS file on a client PC/Mac anywhere in the world can then be used to perform functional testing: the actual service domain is used, preceded by the IP returned for the CNAME (creating a binding).

Performance Testing
Third-party tools that provide agents (servers in data centers) can be used to test performance. Providers include Catchpoint, Dynatrace, ThousandEyes, and Tingyun.

Client Testing
- Tests can be conducted in multiple browsers, including Firefox, Chrome, Safari, etc.
- HTTP and SSL should be checked on all SSL service domains.
- Unexpected URLs, such as "/what-happens.php", should be checked to see how they respond.
- Default pages, such as "/index.html" and "/index.php", should be checked to be sure they work as expected.

Production Cutover

Monitoring and Alerting
Add your service domains to the tools of your choice to monitor performance in Mainland China.

DNS TTL (Time-to-live)
- For new services and domains, it is suggested that the TTL be set to 4 hours (14400 seconds).
- For existing services being switched over to the CDN, we recommend lowering the TTL to 5 minutes (300 seconds). This allows for a fast rollback if problems occur.
- China is a heavily congested and complex network (as mentioned in the overview). A high TTL reduces the need for DNS queries, which improves reliability.

Post Cutover

DNS TTL
Once the service is working as expected, we recommend increasing the TTL for all service domains. 4 hours (14400 seconds) is suggested, but 1 hour (3600 seconds) is also common.

Expect the Unexpected
Moving traffic to within the China Firewall changes the data flow. Always remember that DNS needs to work first: for any failure, start by verifying that DNS is accessible and resolving to the right IP address.
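The pre-cutover steps above (resolve the CNAME, bind the service domain to the returned IP, then check HTTP, SSL, default and unexpected pages) combined into one script. This is an added example, not ChinaCache tooling: it assumes dig is installed, that the domain and CNAME given on the command line are the ones your CDN provider assigned, and that it is run from (or pointed at a resolver in) China; instead of editing the HOSTS file it connects to the edge IP directly while presenting the real service domain, which is the same binding.

```python
import re
import socket
import ssl
import subprocess

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def edge_ip_from_dig(dig_short_output: str) -> str:
    """First IPv4 answer in `dig +short <cname>` output.
    dig prints the CNAME chain before the A records, so non-IPv4 lines are skipped."""
    for line in dig_short_output.splitlines():
        if IPV4.match(line.strip()):
            return line.strip()
    raise ValueError("no A record in dig output")


def resolve_cname(cname: str, resolver=None) -> str:
    """Resolve the CDN CNAME with dig; pass a China-based resolver to mirror a user in China."""
    cmd = ["dig", "+short", cname] + ([f"@{resolver}"] if resolver else [])
    return edge_ip_from_dig(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


def status_of(raw_response: bytes) -> int:
    """HTTP status code from the status line of a raw response."""
    return int(raw_response.split(b"\r\n", 1)[0].split()[1])


def probe(service_domain: str, edge_ip: str, path: str, tls: bool = True, timeout: float = 10.0) -> int:
    """GET `path` from the edge IP while presenting the service domain in the Host header
    and, for TLS, in SNI. The certificate is validated against service_domain, so a
    mis-issued or missing edge certificate surfaces here as an SSL error."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {service_domain}\r\n"
               "User-Agent: cutover-check\r\nConnection: close\r\n\r\n").encode()
    sock = socket.create_connection((edge_ip, 443 if tls else 80), timeout=timeout)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=service_domain)
    with sock:
        sock.sendall(request)
        head = b""
        while b"\r\n" not in head:
            chunk = sock.recv(1024)
            if not chunk:
                raise ConnectionError(f"no status line from {edge_ip} for {path}")
            head += chunk
    return status_of(head)


if __name__ == "__main__":  # usage: check_cname.py <service domain> <CDN CNAME> [resolver]
    import sys
    ip = resolve_cname(sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
    for path in ("/", "/index.html", "/index.php", "/what-happens.php"):
        for tls in (False, True):
            print("https" if tls else "http", path, probe(sys.argv[1], ip, path, tls))
```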