Use CLB to redirect requests from HTTP to HTTPS - Server Load Balancer

HTTPS is a protocol used to encrypt data transmission. After you upgrade to HTTPS, you can use Classic Load Balancer (CLB) to redirect requests from HTTP to HTTPS. HTTP-to-HTTPS redirection is transparent to users and facilitates user access. This topic describes how to use CLB to redirect requests from HTTP to HTTPS.

Key features

Smooth redirection: HTTP-to-HTTPS redirection is transparent to users and does not degrade user experience.
Reduced loads: Backend servers do not need to process the redirection logic and can focus on the key business logic. This increases the work efficiency of backend servers.

Scenarios

HTTPS upgrade: Upgrade existing websites or applications from HTTP to HTTPS to improve the communication security between users and servers.
Domain name change or website migration: If a website is migrated to a different domain name, redirection maintains uninterrupted user access.

Example

A company created a CLB instance in a region of Alibaba Cloud, and configured an HTTP listener for the CLB instance. To improve the security of data transmission, the company wants to upgrade the website to HTTPS. To prevent service interruptions and access failures during the upgrade, the company uses CLB to redirect requests from HTTP to HTTPS. The website is upgraded from HTTP to HTTPS while maintaining service security.

Precautions

HTTP-to-HTTPS redirection is available for CLB in all regions.
To configure HTTP-to-HTTPS redirection, make sure that the HTTP listener and HTTPS listener are associated with the same CLB instance.

Prerequisites

Backend servers ECS01 and ECS02 are created, and applications are deployed on ECS01 and ECS02. In this example, the backend servers use the 64-bit Alibaba Cloud Linux 3.2104 LTS operating system. For more information, see Create an instance on the Custom Launch tab.
Sample commands for deploying test applications on ECS instances
Commands for deploying test applications on ECS01:
```
yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World !  This is ECS01." > index.html
```
Commands for deploying test applications on ECS02:
```
yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World !  This is ECS02." > index.html
```
A CLB instance is created. In this example, an Internet-facing CLB instance is used. For more information, see Create and manage a CLB instance.
Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload the certificates to Certificate Management Service. Make sure that the certificates are associated with your domain name. For more information, see Get started with Certificate Management Service.

Procedure

Step 1: Create an HTTPS listener

Log on to the CLB console.
In the top navigation bar, select the region in which the CLB instance is deployed.
On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
In the Protocol & Listener step, configure the parameters and click Next.
The following section describes only the parameters relevant to this topic. For other parameters, use the default values. For more information about the other parameters, see Add an HTTPS listener.
- Select Listener Protocol: Select HTTPS.
- Listener Port: In this example, port 443 is used.
In the Certificate Management Service step, select a server certificate or click Create Server Certificate in the Server Certificate drop-down list. Retain the default values for other parameters and click Next.
In the Backend Servers step, select backend servers. In this example, backend servers are added to the default server group.
1. Select Default Server Group and click Add More.
2. In the Servers panel, select ECS1 and ECS2, and click Next.
3. In the Ports/Weights step, specify weights for ECS01 and ECS02 and click Add.
4. Specify ports for ECS01 and ECS02 and click Next. In this example, ECS01 and ECS02 use port 80.
In the Health Check step, retain the default parameter values and click Next.
In the Confirm step, check the configurations of the listener and click Submit. After the configurations are complete, click OK in the message that appears.

Step 2: Configure a forwarding rule for the HTTP listener

On the Listener tab, click Add Listener.

In the Protocol & Listener step, configure the parameters and click Next. The following table describes the parameters.

Parameter	Description
Select Listener Protocol	Select a listener protocol. In this example, HTTP is selected.
Listener Port	Specify the listener port that is used to receive and forward requests to backend servers. In this example, port 80 is used.
Advanced Settings	You can click Modify next to Advanced Settings to configure the advanced settings. In this example, only the Redirection by Listener parameter is modified. The default settings are retained for other parameters.
Redirection by Listener	Specifies whether to redirect traffic from the HTTP listener to an HTTPS listener. In this example, Redirection by Listener is turned on, and Listener is set to the HTTPS listener created in Step 1: Create an HTTPS listener.

In the Confirm step, click Submit. After the configurations are complete, click OK.

This way, all HTTP requests on port 80 of the HTTP listener are redirected to port 443 of the HTTPS listener and are forwarded based on the configurations of the HTTPS listener.

Step 3: Configure an A record

Log on to the CLB console.
In the top navigation bar, select the region in which the CLB instance is deployed.
Find the CLB that you want to manage and copy the IP address.

Perform the following steps to add an A record:

Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click Add Domain Name.
In the Add Domain Name dialog box, enter the domain name of your host and click OK.
Important
Before you create the A record, you must use a TXT record to verify the ownership of the domain name.
Find the domain names that you want to manage and click Configure in the Actions column.
On the DNS Settings page, click Add Record.

In the Add DNS Record panel, configure the following parameters and click OK.

Parameter	Description
Type	Select A from the drop-down list.
Host	Enter the prefix of your domain name.
DNS Request Source	Select Default.
Record Value	Enter the IP address of the CLB instance.
TTL	Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example.

Step 4: Verify the result

Use a client that has Internet access to test whether HTTP requests sent to the CLB instance can be redirected to HTTPS.

Open the CLI of the client.
Run the following command: curl -v http://<Domain name of the CLB instance>. The HTTP 302 status code indicates that requests sent to the CLB instance are redirected to HTTPS, as shown in the following figure.

HTTP redirect status codes

The following table describes the HTTP redirect status codes supported by CLB.

HTTP status code	Description
302	This status code indicates temporary redirects. The requested resource is temporarily relocated. Clients can continue accessing the original URL.

FAQ

Why is the Redirection by Listener parameter not displayed?

The Redirection by Listener parameter is not available to existing HTTP listeners of CLB instances. This parameter is available only when you create an HTTP listener.

References

CLB performs redirection based on listener rules. Application Load Balancer (ALB) performs HTTP-to-HTTPS redirection on the application layer and supports more flexible features and configurations. For example, you can configure redirection based on URLs or requests headers. For more information, see Redirect HTTP requests to an HTTPS listener.