HTTPS is an extension of HTTP and uses the SSL/TLS protocol to encrypt data transmission between clients and servers. If your services need to transmit sensitive data, such as user information or identity information, or you want to improve service security, you can add an HTTPS listener to your Classic Load Balancer (CLB) instance. HTTPS listeners can forward HTTPS requests over encrypted connections.
Prerequisites
A CLB instance is created. For more information, see Create and manage CLB instances.
Step 1: Add an HTTPS listener
- Log on to the CLB console.
- In the top navigation bar, select the region in which the CLB instance is deployed.
- Use one of the following methods to open the listener configuration wizard:
  - On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
  - On the Instances page, click the ID of the CLB instance that you want to manage. On the Listener tab, click Add Listener.
- In the Protocol & Listener step, configure the following parameters and click Next.
Parameter
Description
Listener Protocol
Select a listener protocol.
In this example, HTTPS is selected.
Backend Protocol
In this example, an HTTPS listener is used. Backend Protocol is set to HTTP.
Listener Port
Specify the listener port to receive and forward requests to backend servers. Valid values: 1 to 65535.
Listener Name
Enter a name for the listener.
Tag
Select or enter a tag key and a tag value.
Advanced Settings
Click Modify to configure advanced settings.
Scheduling Algorithm
Select a scheduling algorithm.
- Weighted Round-robin (WRR): Backend servers that have higher weights receive more requests than backend servers that have lower weights.
- Round Robin (RR): Requests are distributed to backend servers in sequence.
Session Persistence
Specify whether to enable session persistence.
After session persistence is enabled, CLB forwards all requests that are from the same client to the same backend server.
Cookie Option:
- Insert Cookie: If you select this option, you need to specify only the timeout period of the cookie. CLB inserts a cookie (SERVERID) into the first HTTP or HTTPS response that is sent to a client. The next request from the client contains the cookie, and the listener forwards the request to the recorded backend server.
- Session Persistence Timeout Period: If you select Insert Cookie, specify a timeout period for session persistence.
- Rewrite Cookie: If you select this option, you can specify the cookie that you want to insert into an HTTP or HTTPS response. In this case, you must specify the timeout period and lifetime of the cookie on a backend server. After you specify a cookie, CLB overwrites the original cookie with the specified cookie. The next time CLB receives a client request that contains the specified cookie, the listener distributes the request to the recorded backend server.
- Cookie Name: If you select Rewrite Cookie, you must specify a name for the cookie.
Enable HTTP/2
Specify whether to enable HTTP/2 for the CLB instance.
Access Control
Specify whether to enable access control.
Select an access control method after you enable access control. Then, select an access control list (ACL) as the whitelist or blacklist of the listener.
- Whitelist: allows access from specific IP addresses. Only requests from the IP addresses or CIDR blocks specified in the network ACL are forwarded by the listener. Whitelists apply to scenarios in which you want to allow access only from specific IP addresses. Your service may be adversely affected if the whitelist is not properly configured. If a whitelist is configured but no IP address is added to the whitelist, the listener forwards all requests.
- Blacklist: denies access from specific IP addresses. Requests from the IP addresses or CIDR blocks specified in the network ACL are denied. Blacklists apply to scenarios in which you want to deny access from specific IP addresses. If a blacklist is configured but no IP address is added to the blacklist, the listener forwards all requests.
Note: IPv6 instances can be associated only with IPv6 ACLs, and IPv4 instances can be associated only with IPv4 ACLs. For more information, see Create an ACL.
Bandwidth Throttling for Listeners
Specify whether to set the bandwidth limit of the listener.
If a pay-by-bandwidth CLB instance is used, you can set a maximum bandwidth for each listener to limit the amount of network traffic forwarded by listeners. The sum of the maximum bandwidth of all listeners that are added to a CLB instance cannot exceed the maximum bandwidth of the CLB instance. By default, this feature is disabled and all listeners share the bandwidth of the CLB instance.
Important: For example, the maximum bandwidth of an Internet-facing CLB instance is 5 Mbit/s, and you configure two listeners. You allocate 5 Mbit/s of bandwidth to Listener A and do not allocate bandwidth to Listener B. In this case, Listener B is inaccessible. Similarly, if three listeners are configured for an internal-facing CLB instance and the total bandwidth allocated to Listener A and Listener B is 5,120 Mbit/s, Listener C is inaccessible. Exercise caution when you allocate bandwidth.
If a pay-by-data-transfer CLB instance is used, the bandwidth of listeners is unlimited by default.
Idle Connection Timeout Period
Specify the timeout period of an idle connection.
If no request is received within the specified timeout period, CLB closes the connection. When a request is received, CLB establishes a new connection.
Connection Request Timeout
Specify the timeout period of a request.
If no response is received from the backend server within the request timeout period, CLB returns the HTTP 504 error code to the client.
GZIP Compression
If you enable GZIP compression, files of specific types are compressed. If you disable GZIP compression, no file is compressed.
GZIP supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.
Custom HTTP Header
Select the HTTP headers that you want to add. Valid values:
- X-Forwarded-For: Retrieve Client IP: obtains client IP addresses.
  Note: By default, Layer 7 listeners of CLB use the X-Forwarded-For header to preserve client IP addresses. This header cannot be disabled.
- SLB-ID: Retrieve SLB ID: obtains the ID of the CLB instance.
- SLB-IP: Retrieve SLB IP: obtains the IP address of the CLB instance.
- X-Forwarded-Proto: Retrieve Listener Protocol: obtains the listener protocol.
Client IP Address Preservation
Specify whether to obtain client IP addresses. By default, this feature is enabled.
Automatically Enable Listener
Specify whether to immediately enable the listener after it is created. By default, listeners are enabled after they are created.
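The X-Forwarded-For and X-Forwarded-Proto headers described above are only trustworthy when the request actually arrived through the CLB: a client can send its own X-Forwarded-For header, and the listener appends the real client address after it. The following is an added example (not part of this page or of the CLB product) of how a backend application should consume those headers: it ignores them unless the TCP peer is a trusted load balancer address, and then walks the X-Forwarded-For list from the right, skipping trusted hops, so that the value it uses is the one the CLB appended rather than one the client supplied. The trusted address range and the sample headers are constructed for the example; replace the range with the addresses your CLB instance actually uses.

```python
import ipaddress
from typing import Mapping

# Constructed example range standing in for the addresses from which the CLB
# connects to the backend. Replace with the real range for your instance.
TRUSTED_PROXIES = [ipaddress.ip_network("100.64.0.0/10")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP and lies inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower(), "")


def client_ip(headers: Mapping[str, str], peer_addr: str) -> str:
    """Return the client address a backend should log or authorize on.

    X-Forwarded-For has the shape "client, proxy1, proxy2": each proxy appends
    the address it received the request from. Entries appended by proxies we
    trust are reliable; anything further left may have been written by the
    client itself. So walk from the right, skip trusted proxies, and take the
    first address that is not one of ours. If the immediate peer is not a
    trusted proxy, the header is ignored entirely and the socket peer is used.
    """
    if not _is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # another proxy hop we control; keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not trust the header, fall back to the peer
        return hop
    return peer_addr


def is_https(headers: Mapping[str, str], peer_addr: str) -> bool:
    """True only if a trusted proxy says the client-facing connection was HTTPS."""
    if not _is_trusted(peer_addr):
        return False
    return _header(headers, "X-Forwarded-Proto").lower() == "https"


if __name__ == "__main__":
    # Constructed request: the client tried to spoof X-Forwarded-For, and the
    # CLB (peer 100.64.1.1) appended the real client address 198.51.100.7.
    sample = {"X-Forwarded-For": "203.0.113.9, 198.51.100.7", "X-Forwarded-Proto": "https"}
    print(client_ip(sample, "100.64.1.1"), is_https(sample, "100.64.1.1"))
```

The same logic applies to the SLB-ID and SLB-IP headers: they are informational and should only be logged when the peer is a trusted proxy, never used as an authorization signal.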
Step 2: Configure an SSL certificate
Certificate description
To add an HTTPS listener, you must upload a server certificate or a certificate authority (CA) certificate and select a TLS security policy. The following table describes the differences between server certificates and CA certificates.
| Certificate | Description | Required for one-way authentication | Required for mutual authentication |
| --- | --- | --- | --- |
| Server certificate | A server certificate is used to authenticate the identity of a server. Your browser uses the server certificate to check whether the certificate sent by the server is signed and issued by a trusted CA. For more information, see What is an SSL certificate? | Yes. You must upload the server certificate to the certificate management system of CLB. | Yes. You must upload the server certificate to the certificate management system of CLB. |
| CA certificate | A CA certificate is used to authenticate the signature of a client certificate. If the signature fails the authentication, the connection request is rejected. Note: A client certificate is used to authenticate the identity of the client when the client communicates with the server. You need to install a client certificate only on the client. | No | Yes. You must upload the CA certificate to the certificate management system of CLB. |
Usage notes
Before you upload a certificate, take note of the following rules:
CLB supports the following public key algorithms: RSA 1024, RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384, and ECDSA P-521.
The certificate that you want to upload must be in the PEM format.
After you upload a certificate to CLB, CLB can manage the certificate. You do not need to associate the certificate with backend servers.
It may take a few minutes to upload, load, and verify the certificate. Therefore, an HTTPS listener is not available immediately after it is created. It requires about 1 to 3 minutes to enable an HTTPS listener.
The Elliptic-curve Diffie–Hellman Ephemeral (ECDHE) cipher suites used by HTTPS listeners support forward secrecy. You cannot upload security enhancement parameter files that are required by DHE. In other words, PEM files that contain the BEGIN DH PARAMETERS string are not supported. For more information, see Certificate requirements.
By default, the timeout period of session tickets for HTTPS listeners is 300 seconds.
The actual amount of data transfer on an HTTPS listener is greater than the billed amount because a portion of data is used for handshaking. Therefore, the amount of data transfer greatly increases when a large number of connections are established.
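Because an upload that violates the rules above only fails after the listener is created, it is worth checking a PEM file locally first. The following is an added example (not the page's or CLB's own tooling) of a text-level pre-check: it confirms the file consists of well-formed PEM blocks whose bodies are valid base64, that a CERTIFICATE block and a private key block are present, and that no BEGIN DH PARAMETERS block is included. It deliberately uses only the standard library so it runs anywhere; checking the key algorithm against the supported list (RSA 1024/2048/4096, ECDSA P-256/P-384/P-521) additionally requires an X.509 parser such as the `cryptography` package, which is left out here. The sample PEM text is constructed from placeholder bytes and is not a real certificate.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body; the \1
# backreference rejects mismatched BEGIN/END labels.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)
# Labels under which a private key is commonly stored in PEM.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_pem(text: str, need_private_key: bool = True) -> list[str]:
    """Return a list of problems found; an empty list means the text-level checks pass."""
    problems: list[str] = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM block found (expected -----BEGIN ...----- / -----END ...-----)")
        return problems
    labels = []
    for label, body in blocks:
        labels.append(label)
        try:
            # validate=True rejects characters outside the base64 alphabet
            # instead of silently discarding them.
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
        if label == "DH PARAMETERS":
            problems.append("DH PARAMETERS block present; CLB does not accept DHE parameter files")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if need_private_key and not (KEY_LABELS & set(labels)):
        problems.append("no private key block")
    return problems


# Constructed sample inputs: the bodies are base64 of placeholder bytes, not real DER.
_FAKE_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_OK = (
    f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN PRIVATE KEY-----\n{_FAKE_BODY}\n-----END PRIVATE KEY-----\n"
)
SAMPLE_WITH_DH = SAMPLE_OK + (
    f"-----BEGIN DH PARAMETERS-----\n{_FAKE_BODY}\n-----END DH PARAMETERS-----\n"
)
SAMPLE_BAD_B64 = "-----BEGIN CERTIFICATE-----\nnot base64!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("dh", SAMPLE_WITH_DH), ("bad", SAMPLE_BAD_B64)]:
        print(name, check_pem(sample) or "passes text-level checks")
```

Run it against the file you intend to upload (for example, `check_pem(open("server.pem").read())`); pass `need_private_key=False` when checking a CA certificate, which is uploaded without a key.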
Procedure
- In the Certificate Management Service step, select an uploaded server certificate or click Create Server Certificate to upload a server certificate. You can also purchase a certificate.
- Optional: Click Modify next to Advanced Settings to enable mutual authentication or configure TLS security policies.
  - Turn on Mutual Authentication and select an uploaded CA certificate or create a CA certificate. For more information, see Purchase and enable a private CA.
  - Configure the TLS Security Policy parameter. A TLS security policy contains the TLS protocol versions and cipher suites that are available for HTTPS. For more information, see TLS security policies.
    Note: TLS security policies are supported only by high-performance CLB instances.
Step 3: Add backend servers
You must add backend servers to the listener to process client requests. You can use the default server group that is configured for the CLB instance. You can also create a vServer group. For more information, see Backend server overview.
In this example, backend servers are added to the default server group.
- In the Backend Servers step, select Default Server Group and click Add More.
- In the Servers panel, select the backend servers that you want to add and click Next.
- In the Weight column, configure the weights of the backend servers.
  Note: An Elastic Compute Service (ECS) instance with a higher weight receives more requests. The default weight is 100. You can click Reset to set Weight to the default value. If the weight of a backend server is set to 0, no request is distributed to the backend server.
- Click Add. On the Default Server Group tab, specify the ports that you want to open on the backend servers to receive requests. Click Next.
  You can specify the same port for backend servers that are added to the same CLB instance.
Step 4: Configure health checks
CLB performs health checks to check the availability of backend ECS instances. The health check feature improves overall service availability and reduces the impact of backend server failures.
- Optional: In the Health Check step, click Modify to modify the health check configuration. For more information, see Configure and manage CLB health checks.
- Click Next.
Step 5: Submit the configurations
- In the Confirm step, check the configurations of the listener. You can click Modify to modify the configurations.
- Confirm the configurations and click Submit.
- After Configuration Successful appears, click OK.
After you configure the listener, you can view the listener on the Listener tab.
References
HTTPS supports higher security than HTTP but may consume more resources, such as computing resources, and may increase the network latency. In scenarios that do not transmit sensitive data, such as internal network communication, staging environments, and development environments, you can use HTTP listeners. For more information, see Add an HTTP listener. In production environments, we recommend that you use HTTPS to encrypt data transmission.
For more information about backend servers, see the following topics:
For more information about health checks, see How CLB health checks work. For more information about health check parameters, see Configure and manage CLB health checks.
For more information about scheduling algorithms, see SLB scheduling algorithms.
For more information about how to create URL-based or domain name-based forwarding rules for HTTPS listeners, see Forward requests based on domain names or URLs.
For more information about how to redirect requests from HTTP to HTTPS, see Redirect requests from HTTP to HTTPS.
For more information about how to configure one-way authentication, see Configure one-way authentication for HTTPS requests.
For more information about how to configure mutual authentication, see Configure mutual authentication on an HTTPS listener.
For more information about how to configure a CLB instance to serve multiple domain names over HTTPS, see Configure a CLB instance to serve multiple domain names over HTTPS.
For more information about how to allow backend servers to obtain client IP addresses from HTTPS listeners, see Enable Layer 7 listeners to preserve client IP addresses.