
Server Load Balancer:Add an HTTPS listener

Last Updated:Jan 17, 2024

If you want to encrypt data transmission for your application, you can create an HTTPS listener to forward HTTPS requests. HTTPS listeners support encrypted data transmission between Application Load Balancer (ALB) and clients that have SSL or TLS enabled.

Prerequisites

Procedures

This topic describes two procedures that can be used to create an HTTPS listener. You can choose a method as needed.

  • Manual creation: You create an HTTPS listener step by step and can configure advanced features, such as mutual authentication and a custom TLS security policy.

  • Quick creation: You use a template to quickly create an HTTPS listener. You only need to specify a listener protocol, a listener port, a server certificate, a TLS security policy, and a backend server group.

Manual creation

Step 1: Create a listener

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which the ALB instance resides.

  3. Use one of the following methods to open the listener configuration wizard:

    • On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.

    • On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.

  4. On the Configure Listener wizard page, set the following parameters and click Next.

    Parameter

    Description

    Listener Protocol

    Select a listener protocol.

    In this example, HTTPS is selected.

    Listener Port

    Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. In this example, port 443 is used. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS.

    Valid values: 1 to 65535.

    Note

    On the same ALB instance, the ports of listeners that use the same protocol must be unique. HTTP listeners and HTTPS listeners must use different ports.

    Listener Name

    Enter a name for the listener.

    Tag

    Configure the Tag Key and Tag Value parameters to add a tag. You can add one or more tags.

    After you specify tags, you can filter listeners by tag on the Listener tab.

    Advanced Settings

    You can click Modify to configure the advanced settings.

    Enable HTTP/2

    Specify whether to enable HTTP/2 for the listener.

    Idle Connection Timeout Period

    Specify a timeout period for idle connections. Unit: seconds. Valid values: 1 to 60. To specify a longer timeout period, go to the Quota Center console.

    If no request is received within the specified timeout period, ALB closes the connection. When a request is received, ALB establishes a new connection.

    Note

    This feature is unavailable for HTTP/2 requests.

    Connection Request Timeout

    Specify a request timeout period. Unit: seconds. Valid values: 1 to 180. To specify a longer timeout period, go to the Quota Center console.

    If no response is received from the backend server within the request timeout period, ALB returns the HTTP 504 error code to the client.

    Compression

    If you enable compression, specific types of files are compressed. If you disable compression, no file is compressed.

    Brotli supports all file types. GZIP supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

    Retrieve Client IP

    Specify whether to enable the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. If you enable this feature, you must specify trusted IP addresses.

    • If you set the trusted IP address list to 0.0.0.0/0, the ALB instance retrieves the leftmost IP address in the X-Forwarded-For header and treats it as the source client IP address. Because any client can send its own X-Forwarded-For header, this setting lets a client choose the IP address that ALB sees; use it only when no untrusted party can reach the listener directly.

    • If you set the trusted IP address list in the format of proxy1 IP, proxy2 IP, ..., the ALB instance compares the IP addresses in the X-Forwarded-For header from right to left against the trusted IP address list. The first IP address that is not on the trusted IP address list is considered the source client IP address. List only the proxies that actually sit in front of ALB so that values injected by a client are ignored.

    Usage notes

    If the X-Forwarded-For header contains multiple IP addresses, such as X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, …,

    the leftmost IP address is the source client IP address. If you want to enable the matching based on source IP addresses and throttling based on QPS per client IP address features in ALB forwarding rules, you must turn on the Retrieve Client IP switch to allow the ALB instance to retrieve source client IP addresses from the X-Forwarded-For header. For more information, see Create a forwarding rule.

    Add HTTP Header

    The X-Forwarded-For header is selected by default. The header is used to retrieve source client IP addresses. ALB inserts source client IP addresses into the header and passes the header to backend servers. For more information, see Enable ALB to preserve client IP addresses.

    Select the HTTP headers that you want to add. Valid values:

    • Add SLB-ID to Retrieve ALB ID: Add the SLB-ID header to store the ID of the ALB instance.

    • Add X-Forwarded-Proto to Retrieve Listening Protocol: Add the X-Forwarded-Proto header to store the listener protocol.

    • Add X-Forwarded-Clientcert-subjectdn to Retrieve Client Certificate Owner Info: Add the X-Forwarded-Clientcert-subjectdn header to store the owner (subject) information about the client certificate.

    • Add X-Forwarded-Clientcert-issuerdn to Retrieve Client Certificate Issuer Info: Add the X-Forwarded-Clientcert-issuerdn header to store information about the authority that issues the client certificate.

    • Add X-Forwarded-Clientcert-fingerprint to Retrieve Fingerprint of Client Certificate: Add the X-Forwarded-Clientcert-fingerprint header to store the fingerprint of the client certificate.

    • Add X-Forwarded-Clientcert-clientverify to Retrieve Verification Result of Client Certificate: Add the X-Forwarded-Clientcert-clientverify header to store the verification result of the client certificate.

    • Add X-Forwarded-Port to Retrieve Listening Port: Add the X-Forwarded-Port header to store the listener port.

    • Add X-Forwarded-Client-srcport to Retrieve Client Port: Add the X-Forwarded-Client-srcport header to store the client port.

    QUIC Upgrade

    Specify whether to enable Quick UDP Internet Connections (QUIC) upgrade. To use this feature, you must select a QUIC listener from the Associated QUIC Listeners drop-down list.
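The following script is an added example that is not part of the original page or of ALB itself: it reimplements the two Retrieve Client IP rules above (0.0.0.0/0 takes the leftmost address; a proxy list is compared right to left) so that you can see which address a forwarding rule would match before you commit a trusted list. The constructed scenario, the fallback when every hop is trusted, and the treatment of non-IP tokens are assumptions made for the example, not documented ALB behaviour.

```python
import ipaddress
from typing import List, Optional


def parse_trusted_list(trusted: str) -> list:
    """Parse the console's 'proxy1 IP, proxy2 IP, ...' string.

    Entries may be single addresses or CIDR blocks; 0.0.0.0/0 means
    "trust every hop".
    """
    nets = []
    for item in trusted.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_xff(header: str) -> List[str]:
    """Split 'client, proxy1, proxy2' into hop strings, left to right."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _is_trusted(hop: str, nets: list) -> bool:
    try:
        ip = ipaddress.ip_address(hop)
    except ValueError:
        # Assumption: a token that is not an IP address is never a trusted proxy.
        return False
    return any(ip in net for net in nets)


def client_ip(xff_header: str, trusted: str) -> Optional[str]:
    """Return the client IP that the Retrieve Client IP rules derive.

    With 0.0.0.0/0 the leftmost hop wins; otherwise hops are checked right
    to left and the first one not on the trusted list is the client.
    """
    hops = parse_xff(xff_header)
    if not hops:
        return None
    nets = parse_trusted_list(trusted)
    if any(net.prefixlen == 0 for net in nets):
        return hops[0]
    for hop in reversed(hops):
        if not _is_trusted(hop, nets):
            return hop
    # Assumption: when every hop is a trusted proxy, fall back to the leftmost hop.
    return hops[0]


if __name__ == "__main__":
    # Constructed scenario: the real client 203.0.113.9 forges an
    # X-Forwarded-For of 10.0.0.1; the CDN at 198.51.100.7 appends the
    # address it actually saw before handing the request to ALB.
    forged = "10.0.0.1, 203.0.113.9"
    print(client_ip(forged, "0.0.0.0/0"))        # 10.0.0.1 (forged value accepted)
    print(client_ip(forged, "198.51.100.0/24"))  # 203.0.113.9 (real client)
```

The second call shows why a concrete proxy list is the safer setting: the forged leftmost entry is skipped because the scan starts from the right and stops at the first address that is not a trusted proxy.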

Step 2: Add an SSL certificate

To create an HTTPS listener, you must configure an SSL certificate for identity authentication to secure data transmission. The following describes the certificates that ALB supports and whether each is required for one-way or mutual authentication.

Server certificate

  Description: A server certificate is used to authenticate the identity of a server. Your browser checks whether the certificate sent by the server is signed and issued by a trusted certificate authority (CA). For more information, see What is an SSL certificate?

  Required for one-way authentication: Yes. You can purchase or upload a server certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses it.

  Required for mutual authentication: Yes. The server certificate is obtained from Certificate Management Service in the same way.

CA certificate

  Description: A CA certificate is used by a server to verify the signature on a client certificate. If the signature is invalid, the connection request is denied.

  Note

  A client certificate is used to authenticate the identity of the client when the client communicates with the server. You need to install a client certificate only on the client.

  Required for one-way authentication: No.

  Required for mutual authentication: Yes. You can purchase or upload a CA certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses it.

Note

If you want to access multiple domain names or add multiple server certificates, you can add additional certificates to the HTTPS listener. For more information, see Add an additional certificate.

  1. In the SSL Certificate step, select a server certificate.

    If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.

  2. To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.

  3. Turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud from the CA Certificate Source drop-down list and select a CA certificate from the Default CA Certificate drop-down list.

    If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

    Note
    • Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.

    • If you want to disable mutual authentication after you enable this feature, perform the following operations:

      1. On the Instances page, click the ID of the ALB instance that you want to manage.

      2. On the Listener tab, click the ID of the HTTPS listener that you want to manage.

      3. On the Listener Details tab, disable mutual authentication in the SSL Certificate section.

  4. Select a TLS security policy and click Next.

    If no TLS security policy is available, click Create TLS Security Policy to create one.

    A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS listeners. For more information, see TLS security policies.
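After the listener is created, the check a practitioner wants is whether the selected TLS security policy really behaves as intended on the wire. The script below is an added example, not code from the original page or from ALB: it connects to the listener once per TLS version, pinning the client to that single version, and reports which versions the listener accepted and which deprecated ones (TLS 1.0 and 1.1, RFC 8996) are still enabled. The hostname alb.example.com is a placeholder; certificate verification is disabled only because the probe is about protocol versions, not trust.

```python
import socket
import ssl

# The four TLS versions that ALB HTTPS listeners can offer.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Versions deprecated by RFC 8996; a policy that still enables them should be flagged.
DEPRECATED = {"TLSv1.0", "TLSv1.1"}


def _context_for(version):
    """Build a client context that will negotiate exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Probing protocol support only, so the server certificate is not verified here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_listener(host, port=443, timeout=5.0):
    """Return {version_name: negotiated version or None} for one listener."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with _context_for(version).wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version()
        except (ssl.SSLError, OSError):
            results[name] = None
    return results


def assess(results):
    """Split probe results into accepted versions and deprecated ones still enabled."""
    accepted = sorted(name for name, negotiated in results.items() if negotiated)
    weak = sorted(name for name in accepted if name in DEPRECATED)
    return accepted, weak


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "alb.example.com"  # placeholder host
    accepted, weak = assess(probe_listener(host))
    print("accepted:", accepted)
    print("deprecated versions still enabled:", weak)
```

Run it against the listener's domain name after a policy change; an empty "deprecated" list confirms that the policy no longer offers TLS 1.0 or 1.1. A version that your local OpenSSL build refuses to speak shows up as not accepted even if the listener would allow it, so compare the result with the policy's own version list rather than reading it in isolation.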

Step 3: Select a server group

In the Server Group step, select a server group, view the backend servers, and then click Next.

Step 4: Review the configurations

In the Confirm step, confirm the configurations and click Submit.

Quick creation

If you select this method, you only need to specify a listener protocol, a listener port, a server certificate, a TLS security policy, and a server group.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance resides.

  3. On the Instances page, find the ALB instance that you want to manage and click its ID.

  4. Click the Listener tab. On the Listener tab, click Quick Create Listener.

  5. In the Quick Create Listener dialog box, configure the following parameters and click OK.

    Parameter

    Description

    Listener Protocol

    Select a listener protocol. In this example, HTTPS is selected.

    Listener Port

    The frontend port that is used to receive and forward requests to backend servers.

    You can select a commonly used port, or enter a port number. Valid values: 1 to 65535.

    Server Certificate

    Select a server certificate from the drop-down list.

    If no server certificate is available, click Create SSL Certificate to create one. For more information, see Purchase an SSL certificate and Upload an SSL certificate.

    Resource Group

    Select a resource group for the server group.

    TLS Security Policy

    If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.

    Server Group

    Configure the Server Type parameter and select a server group based on the specified server type.

FAQ

  • What are the TLS versions supported by HTTPS listeners?

    HTTPS listeners support TLS 1.0, 1.1, 1.2, and 1.3. TLS 1.0 and 1.1 are deprecated (RFC 8996); choose a TLS security policy that enables them only if you must support legacy clients. For more information, see TLS security policies.

  • Can backend servers retrieve the TLS version used by the associated HTTPS listener?

    Yes, backend servers can retrieve the TLS version used by the associated HTTPS listener.

  • Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?

    • If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.

    • If client requests use protocols other than HTTP/1.1 and HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.

  • What requirements does a wildcard listener certificate need to meet?

    When you configure a wildcard certificate for an HTTPS listener, take note of the following limits:

    • When you select a wildcard certificate, ALB can identify certificates that contain only one wildcard (*), which must be on the leftmost side of the domain name. For example, ALB can identify *.example.com and *test.example.com, but cannot identify test*.example.com.

    • Requirements for wildcard certificates:

      • Levels of wildcard domain names: A wildcard domain name can match specific domain names that are of the same level as the wildcard domain name. For example, *.example.com can match test.example.com but cannot match test.test.example.com, which is one level lower than the wildcard domain name.

      • Internationalized domain names (IDNs):

        • If the wildcard character is the only wildcard character and is on the leftmost side of the wildcard domain name, an IDN can match the wildcard domain name. For example, xn--fsqu00a.example.com can match *.example.com.

        • If the wildcard character is not on the leftmost side of the wildcard domain name, an IDN cannot match the wildcard domain name. For example, xn--fsqu00atest.example.com cannot match *test.example.com.

      • Match scope: The wildcard character (*) can match digits, letters, and hyphens (-). For example, *.example.com can match test.example.com but cannot match test_test.example.com.
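To make the wildcard rules above testable before you bind a certificate, the following is an added example that is not part of the original page or of ALB: it encodes the single-leftmost-wildcard limit, the same-level rule, the IDN (xn--) restriction, and the allowed character set, and checks a hostname against a wildcard name. Treating a wildcard that matches zero characters as a non-match is an assumption of the example, not something the FAQ states.

```python
import re

# The wildcard stands in for digits, letters and hyphens only (no underscore).
_WILD_CHARS = re.compile(r"^[A-Za-z0-9-]+$")


def _labels(name: str) -> list:
    return name.lower().rstrip(".").split(".")


def wildcard_pattern_is_supported(pattern: str) -> bool:
    """ALB recognises exactly one '*', at the start of the leftmost label."""
    if pattern.count("*") != 1:
        return False
    labels = _labels(pattern)
    return len(labels) >= 2 and labels[0].startswith("*")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Apply the FAQ's matching rules for an ALB wildcard certificate."""
    if not wildcard_pattern_is_supported(pattern):
        return False
    p_labels, h_labels = _labels(pattern), _labels(hostname)
    # Same level only: *.example.com covers test.example.com, not test.test.example.com.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    suffix = p_labels[0][1:]  # "" for "*", "test" for "*test"
    first = h_labels[0]
    # An IDN (xn--) label only matches a bare leftmost wildcard, never "*test".
    if suffix and first.startswith("xn--"):
        return False
    if suffix:
        if not first.endswith(suffix):
            return False
        wild_part = first[: len(first) - len(suffix)]
    else:
        wild_part = first
    # Assumption: the wildcard must consume at least one allowed character.
    return bool(_WILD_CHARS.match(wild_part))


if __name__ == "__main__":
    # Constructed hostnames taken from the FAQ's own examples.
    for pattern, host in [
        ("*.example.com", "test.example.com"),
        ("*.example.com", "test.test.example.com"),
        ("*.example.com", "xn--fsqu00a.example.com"),
        ("*test.example.com", "xn--fsqu00atest.example.com"),
        ("*.example.com", "test_test.example.com"),
        ("test*.example.com", "test1.example.com"),
    ]:
        print(f"{pattern:22} {host:30} {wildcard_matches(pattern, host)}")
```

Use it to sanity-check the domain names in a forwarding rule against the certificate you intend to attach; a False result for a name you expected to match means the listener will need an additional certificate for that name.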

References