
Server Load Balancer:Use custom TLS security policies to improve website security

Last Updated: Jan 17, 2024

This topic describes how to configure a custom TLS security policy for Application Load Balancer (ALB). In most cases, websites or applications deployed on Alibaba Cloud use HTTPS to encrypt data transmission. ALB provides some commonly used TLS security policies to enhance the security of services that use HTTPS. ALB also allows you to configure custom TLS security policies. For example, you can specify the TLS versions that you want to use, or disable certain TLS cipher suites.

Limits

  • Basic ALB instances do not support custom TLS security policies. Standard and WAF-enabled ALB instances support custom TLS security policies. If you use a basic ALB instance and want to use custom TLS security policies, upgrade the ALB instance to the standard or WAF-enabled edition. For more information, see Modify the configurations of ALB instances.

  • When you specify TLS versions and cipher suites for a custom TLS security policy, make sure that the TLS versions and cipher suites are supported by the clients, such as browsers. Otherwise, the clients may fail to establish connections to the server.

Prerequisites

Step 1: Create a custom TLS security policy

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. In the left-side navigation pane, click TLS Security Policies.

  4. On the Custom Policy tab, click Create Custom Policy.

  5. Enter a policy name, select a minimum TLS version, and select the cipher suites that you want to use. For more information, see TLS security policies. After you set the parameters, click Create.
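The two settings chosen in this step, the minimum TLS version and the cipher suite list, decide which clients can still connect (the compatibility caveat under Limits). The following Python model is an added example, not ALB or Alibaba Cloud code: it mimics a listener that takes the newest version both sides support at or above the policy minimum and then the first policy cipher suite the client also offers, honouring the fact that TLS 1.3 uses its own suites. The policy fields, client profiles and suite names are constructed assumptions for illustration.

```python
"""Model of how an HTTPS listener negotiates a session under a custom TLS
security policy. Added example, not Alibaba Cloud or ALB code: the policy
fields, the client profiles and the cipher-suite names are assumptions
constructed for illustration."""
from dataclasses import dataclass

# Protocol versions from oldest to newest; index order is used for comparisons.
TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# TLS 1.3 defines its own cipher suites; they are never used with TLS 1.2 or
# below, and TLS 1.2-style suites are never used with TLS 1.3.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}


@dataclass
class TlsPolicy:
    """The two choices made when creating a custom policy: the minimum TLS
    version and the cipher suites the listener accepts, in preference order."""
    name: str
    min_version: str
    cipher_suites: list


@dataclass
class ClientHello:
    """What a client offers: the versions it speaks and the suites it supports."""
    name: str
    versions: list
    cipher_suites: list


def suite_fits(suite, version):
    """True when a cipher suite can be used with the given protocol version."""
    return (suite in TLS13_SUITES) == (version == "TLSv1.3")


def negotiate(policy, hello):
    """Return ("ok", version, cipher) when a handshake would succeed, otherwise
    ("fail", reason, None). The listener prefers the newest common version at
    or above the policy minimum and its own cipher order within that version."""
    floor = TLS_VERSIONS.index(policy.min_version)
    offered = [v for v in hello.versions if v in TLS_VERSIONS]
    candidates = sorted((v for v in offered if TLS_VERSIONS.index(v) >= floor),
                        key=TLS_VERSIONS.index, reverse=True)
    if not candidates:
        return "fail", "no common TLS version at or above %s" % policy.min_version, None
    for version in candidates:
        for suite in policy.cipher_suites:
            if suite_fits(suite, version) and suite in hello.cipher_suites:
                return "ok", version, suite
    return "fail", "no cipher suite in common", None


def check_clients(policy, clients):
    """Run every client profile against the policy; returns {client name: result}."""
    return {c.name: negotiate(policy, c) for c in clients}


# Constructed sample policy: TLS 1.2 minimum, forward-secret AEAD suites only.
SAMPLE_POLICY = TlsPolicy(
    name="example-tls12-aead",
    min_version="TLSv1.2",
    cipher_suites=[
        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
    ],
)

# Constructed client profiles, from a current browser down to a legacy device.
SAMPLE_CLIENTS = [
    ClientHello("modern-browser", TLS_VERSIONS,
                list(TLS13_SUITES) + ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]),
    ClientHello("tls12-ecdhe-client", ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
                ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]),
    ClientHello("tls12-rsa-only-client", ["TLSv1.2"], ["AES128-SHA", "AES256-SHA"]),
    ClientHello("legacy-tls10-device", ["TLSv1.0"], ["AES128-SHA", "DES-CBC3-SHA"]),
]

if __name__ == "__main__":
    for name, (status, detail, cipher) in check_clients(SAMPLE_POLICY, SAMPLE_CLIENTS).items():
        print("%-24s %-4s %s %s" % (name, status, detail, cipher or ""))
```

Running the sample shows the two failure modes the Limits section warns about: the TLS 1.0-only device is refused on version, and the TLS 1.2 client that offers only RSA key exchange suites is refused on cipher even though its version is acceptable. Raising `min_version` to TLSv1.3 additionally locks out every client without TLS 1.3 suites.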

Step 2: Apply the custom TLS security policy to an HTTPS listener

Create an HTTPS listener and apply the custom TLS security policy

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, find the ALB instance, and click Create Listener in the Actions column.

  5. In the Configure Listener step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements, or keep the default values. After you set the parameters, click Next.

    Parameter            Description
    Listener Protocol    In this example, HTTPS is selected.
    Listener Port        In this example, port 443 is selected.

  6. In the Configure SSL Certificate step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements, or keep the default values. After you set the parameters, click Next.

    Parameter              Description
    Server Certificate     Select a server certificate.
    TLS Security Policy    Select the custom TLS security policy created in Step 1.

  7. In the Select Server Group step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements, or keep the default values. After you set the parameters, click Next.

    Parameter       Description
    Server Group    Select a server group.

  8. In the Configuration Review step, check whether the parameters are valid and click Submit.

Apply the custom TLS security policy to an existing HTTPS listener

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the ID of the ALB instance that you want to manage.

  5. On the Listener tab, click the ID of the HTTPS listener that you want to manage.

  6. In the SSL Certificates section, click the Edit icon next to TLS Security Policy.

  7. In the Edit TLS Security Policy dialog box, select the custom TLS policy that you created, and click Save.

Step 3: Add a DNS record

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. Find the ALB instance for which you want to add a DNS record and copy the domain name.

  4. To create a CNAME record, perform the following steps:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Domain Name Resolution page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.

      Important

      Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.

    4. Find the domain names that you want to manage and click Configure in the Actions column.

    5. On the DNS Settings page, click Add DNS Record.

    6. In the Add Record panel, set the following parameters and click Confirm.

      Parameter             Description
      Record Type           Select CNAME from the drop-down list.
      Hostname              Enter the prefix of the domain name, such as www.
      DNS Request Source    Select Default.
      Record Value          Enter the CNAME, which is the domain name of the ALB instance.
      TTL                   Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example.

Step 4: Verify the result

Enter the domain name of the ALB instance into the address bar of your browser and refresh the page multiple times. Check whether requests are alternately distributed between ECS01 and ECS02 over HTTPS.

