Server Load Balancer: Use CLB to redirect requests from HTTP to HTTPS

Last Updated: Dec 19, 2024

HTTPS is a protocol used to encrypt data transmission. After you upgrade to HTTPS, you can use Classic Load Balancer (CLB) to redirect requests from HTTP to HTTPS. HTTP-to-HTTPS redirection is transparent to users and facilitates user access. This topic describes how to use CLB to redirect requests from HTTP to HTTPS.

Key features

  • Smooth redirection: HTTP-to-HTTPS redirection is transparent to users and does not degrade user experience.

  • Reduced loads: Backend servers do not need to process the redirection logic and can focus on the key business logic. This increases the work efficiency of backend servers.

Scenarios

  • HTTPS upgrade: Upgrade existing websites or applications from HTTP to HTTPS to improve the communication security between users and servers.

  • Domain name change or website migration: If a website is migrated to a different domain name, redirection maintains uninterrupted user access.

Example

A company created a CLB instance in a region of Alibaba Cloud, and configured an HTTP listener for the CLB instance. To improve the security of data transmission, the company wants to upgrade the website to HTTPS. To prevent service interruptions and access failures during the upgrade, the company uses CLB to redirect requests from HTTP to HTTPS. The website is upgraded from HTTP to HTTPS while maintaining service security.

Precautions

  • HTTP-to-HTTPS redirection is available for CLB in all regions.

  • To configure HTTP-to-HTTPS redirection, make sure that the HTTP listener and HTTPS listener are associated with the same CLB instance.

  • You must enable the Redirection by Listener feature for an HTTP listener of a CLB instance when you create the listener. The feature cannot be enabled for an existing HTTP listener.

Prerequisites

  • Backend servers ECS01 and ECS02 are created, and applications are deployed on ECS01 and ECS02. In this example, the backend servers use the 64-bit Alibaba Cloud Linux 3.2104 LTS operating system. For more information, see Create an instance on the Custom Launch tab.

    Sample commands for deploying test applications on ECS instances

    Commands for deploying test applications on ECS01:

    yum install -y nginx
    systemctl start nginx.service
    cd /usr/share/nginx/html/
    echo "Hello World !  This is ECS01." > index.html

    Commands for deploying test applications on ECS02:

    yum install -y nginx
    systemctl start nginx.service
    cd /usr/share/nginx/html/
    echo "Hello World !  This is ECS02." > index.html
  • A CLB instance is created. In this example, an Internet-facing CLB instance is used. For more information, see Create and manage a CLB instance.

  • Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload the certificates to Certificate Management Service. Make sure that the certificates are associated with your domain name. For more information, see Get started with Certificate Management Service.

Procedure

Step 1: Create an HTTPS listener

  1. Log on to the CLB console.

  2. In the top navigation bar, select the region in which the CLB instance is deployed.

  3. On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.

  4. In the Protocol & Listener step, configure the parameters and click Next.

    The following section describes only the parameters relevant to this topic. For other parameters, use the default values. For more information about the other parameters, see Add an HTTPS listener.

    • Select Listener Protocol: Select HTTPS.

    • Listener Port: In this example, port 443 is used.

  5. In the Certificate Management Service step, select a server certificate or click Create Server Certificate in the Server Certificate drop-down list. Retain the default values for other parameters and click Next.

  6. In the Backend Servers step, select backend servers. In this example, backend servers are added to the default server group.

    1. Select Default Server Group and click Add More.

    2. In the Servers panel, select ECS01 and ECS02, and click Next.

    3. In the Ports/Weights step, specify weights for ECS01 and ECS02 and click Add.

    4. Specify ports for ECS01 and ECS02 and click Next. In this example, ECS01 and ECS02 use port 80.

  7. In the Health Check step, retain the default parameter values and click Next.

  8. In the Confirm step, check the configurations of the listener and click Submit. After the configurations are complete, click OK in the message that appears.

Step 2: Configure a forwarding rule for the HTTP listener

  1. On the Listener tab, click Add Listener.

  2. In the Protocol & Listener step, configure the parameters and click Next. The following list describes the parameters:

    • Select Listener Protocol: Select a listener protocol. In this example, HTTP is selected.

    • Listener Port: Specify the listener port that is used to receive and forward requests to backend servers. In this example, port 80 is used.

    • Advanced Settings: You can click Modify next to Advanced Settings to configure the advanced settings. In this example, only the Redirection by Listener parameter is modified. The default settings are retained for other parameters.

    • Redirection by Listener: Specifies whether to redirect traffic from the HTTP listener to an HTTPS listener. In this example, Redirection by Listener is turned on, and Listener is set to the HTTPS listener created in Step 1: Create an HTTPS listener.

  3. In the Confirm step, click Submit. After the configurations are complete, click OK.

This way, all HTTP requests on port 80 of the HTTP listener are redirected to port 443 of the HTTPS listener and are forwarded based on the configurations of the HTTPS listener.

Step 3: Configure an A record

Note
  • For domains not registered on Alibaba Cloud, you must first add the domain name to Alibaba Cloud DNS before you can create a DNS record.

  • If your CLB instance is internal-facing, you must first associate an Elastic IP address (EIP) with it, then create an A record to map the domain name to the EIP for Internet access.

  1. In the left-side navigation pane, choose CLB > Instances.

  2. On the Instances page, find the CLB instance that you want to manage and copy the Endpoint of the CLB instance.

  3. Perform the following steps to create an A record.

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Authoritative DNS Resolution page, find the domain name that you want to manage, and click DNS Settings in the Actions column.

    3. On the DNS Settings page, click Add Record.

    4. In the Add Record panel, configure the following parameters, use the default values for all the other parameters or set them based on actual conditions, and click OK.

      • Record Type: Select A from the drop-down list.

      • Hostname: The prefix of your domain name. In this example, www is entered. Note: If you use a root domain name, enter @.

      • Record Value: Enter the IP address that corresponds to your domain name. In this example, the IP address of your CLB instance is used.

Step 4: Verify the result

Use a client that has Internet access to test whether HTTP requests sent to the CLB instance can be redirected to HTTPS.

  1. Open the CLI of the client.

  2. Run the following command:

    curl -v http://<Domain name of the CLB instance>

    The HTTP 302 status code indicates that requests sent to the CLB instance are redirected to HTTPS, as shown in the following figure.

    image
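A scripted form of the check in Step 4, added here as an example (it is not part of the original documentation): the function reads the response headers of a plain-HTTP request and confirms that the status is 302 and that Location points to https:// on the same host. The function name, its return codes, and the www.example.com sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CLB documentation). check_redirect is a
# hypothetical helper; www.example.com and the sample headers are constructed.
# Live use: curl -sS -o /dev/null -D - "http://$host/" | check_redirect "$host"

# check_redirect HOST: reads HTTP response headers on stdin.
# Returns 0 = OK, 1 = status is not 302, 2 = Location is not https://,
# 3 = Location points to a different host.
check_redirect() {
  want_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  headers=$(tr -d '\r')                      # drop the CR of CRLF line ends
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  location=$(printf '%s\n' "$headers" | awk '
    tolower($0) ~ /^location:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')

  if [ "$status" != "302" ]; then
    echo "FAIL: expected 302, got '${status:-no status line}'"
    return 1
  fi
  case "$location" in
    https://*) ;;
    *) echo "FAIL: Location is not HTTPS: '${location:-missing}'"
       return 2 ;;
  esac
  # Keep only the authority part, drop the default port, compare hosts.
  got_host=$(printf '%s\n' "$location" |
    sed -e 's|^https://||' -e 's|[/?#].*$||' -e 's|:443$||' | tr 'A-Z' 'a-z')
  if [ "$got_host" != "$want_host" ]; then
    echo "FAIL: redirect leaves '$want_host' for '$got_host'"
    return 3
  fi
  echo "OK: 302 -> $location"
}

# Constructed sample responses (not captured from a real CLB instance).
SAMPLE_OK='HTTP/1.1 302 Found
Location: https://www.example.com/
Content-Length: 0'
SAMPLE_NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_CLEARTEXT_TARGET='HTTP/1.1 302 Found
Location: http://www.example.com/login'

printf '%s\n' "$SAMPLE_OK" | check_redirect www.example.com
```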

HTTP redirect status codes

CLB supports the following HTTP redirect status code:

  • 302: This status code indicates temporary redirects. The requested resource is temporarily relocated. Clients can continue accessing the original URL.

FAQ

Why is the Redirection by Listener parameter not displayed?

The Redirection by Listener parameter is not available to existing HTTP listeners of CLB instances. This parameter is available only when you create an HTTP listener.

References

CLB performs redirection based on listener rules. Application Load Balancer (ALB) performs HTTP-to-HTTPS redirection on the application layer and supports more flexible features and configurations. For example, you can configure redirection based on URLs or request headers. For more information, see Redirect HTTP requests to an HTTPS listener.