This topic describes how to configure one-way authentication for HTTPS requests. With one-way authentication, only the client verifies the identity of the server during HTTPS communication; the server does not verify the identity of the client.
Prerequisites
A CLB instance is created. For more information, see Create and manage a CLB instance.
A vServer group is created. ECS01 and ECS02 are added to the vServer group, and different applications are deployed on ECS01 and ECS02.
The domain name is registered and an Internet content provider (ICP) number is obtained for the domain name. For more information, see Register a domain name on Alibaba Cloud and ICP filing application overview.
Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information, see Get started with SSL Certificates Service.
Step 1: Upload the server certificate to the CLB instance
Before you can configure an HTTPS listener, you must purchase a server certificate and upload it to the CLB instance.
Log on to the CLB console.
In the left-side navigation pane, choose .
On the Certificates page, click Add Certificate.
On the Add Certificate page, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Create.
Parameter: Description
Select Certificate Source: In this example, Alibaba Cloud Certificate is selected.
Certificates: Select the certificate that you want to upload from the drop-down list.
Region: Select the region where you want to deploy the certificate. You cannot use a certificate in regions where the certificate is not deployed. If you want to use the certificate in multiple regions, select all the regions where you want to use the certificate.
Step 2: Create an HTTPS listener
Log on to the CLB console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the CLB instance is deployed.
On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
In the Protocol & Listener step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Next.
Parameter: Description
Select Listener Protocol: In this example, HTTPS is selected.
Listener Port: In this example, the default port 443 is selected.
In the Certificate Management Service step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Next.
Parameter: Description
Server Certificate: Select the certificate uploaded in Step 1.
In the Backend Servers step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Next.
Parameter: Description
Server Group Type: In this example, vServer Groups is selected.
Server Group: Select the server group that you want to use.
In the Health Check step, set the parameters based on your business requirements. After you set the parameters, click Next.
In the Confirm step, check whether the parameters are correctly set and click Submit.
Step 3: Configure domain name resolution
Log on to the CLB console.
In the top navigation bar, select the region in which the CLB instance is deployed.
Find the CLB that you want to manage and copy the IP address.
Perform the following steps to add an A record:
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click Add Domain Name.
In the Add Domain Name dialog box, enter the domain name of your host and click OK.
Important: Before you create the A record, you must use a TXT record to verify the ownership of the domain name.
Find the domain names that you want to manage and click Configure in the Actions column.
On the DNS Settings page, click Add Record.
In the Add DNS Record panel, configure the following parameters and click OK.
Parameter: Description
Type: Select A from the drop-down list.
Host: Enter the prefix of your domain name.
DNS Request Source: Select Default.
Record Value: Enter the IP address of the CLB instance.
TTL: Select a time-to-live (TTL) value, which specifies how long the record is cached on DNS servers. The default value is used in this example.
Step 4: Test network connectivity
Enter the domain name of the CLB instance into the address bar of your browser and refresh the page multiple times to test whether the requests are forwarded to the backend applications. The following figures show that the requests are alternately forwarded to ECS01 and ECS02.
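As an added example that is not part of the original topic, the following Python script automates the Step 4 test from the command line and also checks what one-way authentication actually guarantees on the client side: the CLB's server certificate is validated against the trusted CA store and matched against the domain name, while no client certificate is sent. The domain `www.example.com` is a placeholder for the A record created in Step 3, and the script assumes each backend's page body starts with its name (ECS01 or ECS02).

```python
import socket
import ssl
import time
import urllib.request
from collections import Counter

def fetch_server_cert(host, port=443, timeout=5):
    """One-way authentication from the client's side: the default context
    requires a server certificate, validates its chain against the system CA
    store and checks that it matches `host`. No client certificate is sent."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # Raises ssl.SSLCertVerificationError if the chain or name is bad.
            return tls.getpeercert()

def days_until_expiry(not_after, now_epoch=None):
    """Days left on the certificate, from getpeercert()['notAfter']
    (format 'Jun  1 12:00:00 2025 GMT'). Negative means already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_epoch = time.time() if now_epoch is None else now_epoch
    return int((expires - now_epoch) // 86400)

def backend_distribution(responses):
    """Count how many times each backend answered a sequence of requests."""
    return dict(Counter(responses))

def served_by_all(distribution, expected=("ECS01", "ECS02")):
    """True when every expected backend appeared at least once (Step 4)."""
    return set(expected) <= set(distribution)

def probe_backends(url, attempts=10):
    """Send `attempts` HTTPS GETs through the CLB listener; urlopen uses a
    verifying context by default, so an untrusted certificate fails loudly.
    Assumes each backend's page body starts with its name (ECS01 / ECS02)."""
    seen = []
    for _ in range(attempts):
        with urllib.request.urlopen(url, timeout=5) as resp:
            seen.append(resp.read(5).decode("ascii", errors="replace"))
    return backend_distribution(seen)

if __name__ == "__main__":
    DOMAIN = "www.example.com"  # placeholder: the A record created in Step 3
    cert = fetch_server_cert(DOMAIN)
    print("issuer:", dict(x[0] for x in cert["issuer"]))
    print("days until expiry:", days_until_expiry(cert["notAfter"]))
    dist = probe_backends(f"https://{DOMAIN}/")
    print("backend distribution:", dist, "all backends seen:", served_by_all(dist))
```

A certificate that does not chain to a trusted CA or does not cover the domain name makes `fetch_server_cert` raise instead of returning, which is the behaviour a correctly configured one-way listener must trigger for any untrusted server.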
References
For more information about the requirements for third-party certificates, see Certificate requirements. For more information about how to upload a third-party certificate, see Upload a third-party certificate.
For more information about how to create an HTTPS listener, see Add an HTTPS listener.
If you have higher requirements for security, you can use mutual authentication, which requires the client and server to authenticate each other before communication can be established. For more information, see Configure mutual authentication on an HTTPS listener.