Add Protocol Downgrade to an existing configuration

You can apply the Protocol Downgrade (HTTPS Downgrade to Origin) behavior to an existing DD property, provided that the configuration meets the requirements described below.

The property must deliver securely (HTTPS)

To support Protocol Downgrade (HTTPS Downgrade to Origin), an existing DD property must be set up to deliver content securely, via HTTPS. The following apply:

  • Standard TLS (L1): This is supported. You just need to add the behavior.
  • Shared Certificate hostname: This is supported. You just need to add the behavior.
  • Enhanced TLS (L3): This is NOT supported. You can migrate your configuration to Standard TLS (L1) if PCI compliance is not a concern in your environment. (PCI compliance is not supported with Standard TLS.) Otherwise, you can work with your Account Representative to implement the legacy Protocol Downgrade behavior.
  • No security: This would apply if your current configuration delivers exclusively via HTTP and you need to convert to HTTPS, but want to keep the connection from your origin to the end user as HTTP. Here, you can apply security to this configuration (Standard TLS or Shared certificate hostname), and then apply this behavior. This would be similar to adding the behavior to a new property.

Add the Protocol Downgrade (HTTPS Downgrade to Origin) behavior

  1. In the Property Configuration Settings options, click Add Behavior.
  2. In the Search available behaviors field, input "Protocol Downgrade" to filter the listed behaviors. Ensure that you select Protocol Downgrade (HTTPS Downgrade to Origin) from the list.
  3. The new behavior is added to your configuration. Set the Status slider to "On."

The Cache Key Sharing behavior might be necessary

Once you enable Protocol Downgrade (HTTPS Downgrade to Origin) in your DD property, a warning message is added to the Errors/Warnings/Notes Messages Display at the bottom of the Property Manager Editor UI. (Click the up triangle to display messages.)

As a result of the change from HTTPS to HTTP, the cache key will change. You should add the Cache Key Sharing behavior and set it to "On" if your origin cannot handle the excessive additional requests that this change may cause.