In Web App Service, you can enable HTTPS for a deployment environment to enhance the security of a website. Your application itself does not need to support HTTPS. After you enable HTTPS for a deployment environment, Web App Service terminates Secure Sockets Layer (SSL) on incoming requests and then relays these requests to the backend application over plain HTTP. You can enable HTTPS on a reverse proxy or on a Server Load Balancer (SLB) instance.
(Optional) Obtain a certificate
You can use Web App Service self-signed certificates. This type of certificate is issued by a non-trusted certification authority (CA). Clients that visit a website that uses a self-signed certificate may consider the website invalid. We recommend that you use this type of certificate only for testing.
- Alibaba Cloud SSL Certificates: You can purchase or obtain certificates at no extra charge in the SSL Certificates console.
- Third-party CA: For information about how to obtain certificates from a third-party CA, see the documentation that is provided by the CA.
Configure HTTPS on a reverse proxy
- Log on to the Web+ console.
- On the Overview page, click View All in the upper-right corner of the Last Updated Deployment Environment section.
- On the Applications and Environments page, click > on the left side of an application to view a list of deployment environments related to the application.
- Click the name of an environment to go to the Environment Details page.
- In the left-side navigation pane, click Configurations.
- In the Environment section, click Reverse Proxy, turn on the Enable Reverse Proxy switch, select Nginx (1.14.2) in the Reverse Proxy Type field, and select HTTPS in the Protocol field.
- Use one of the following methods to configure certificates:
- Auto-configure certificates: Turn on the Auto-configure Certificate switch. After this switch is turned on, Web App Service generates self-signed server certificates for the reverse proxy. This type of certificate is issued by a non-trusted CA. Clients that visit a website that uses a self-signed certificate may consider the website invalid. We recommend that you use this type of certificate only for testing.
- Upload certificates: Turn off the Auto-configure Certificate switch if you want to use trusted CA certificates in a production environment. Then, obtain certificates from a trusted CA and upload these certificates to Web App Service. For each certificate, you need to upload a public key certificate file and a private key file. You must keep private key files confidential to prevent information leakage.
- After the configurations are complete, click Change Configuration in the upper-right corner to apply the update.
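Before you upload a certificate, you can check locally that the certificate file and the private key file belong together, that the certificate has not expired, and that a self-signed certificate is not about to be used in production. The following script is an added example and is not part of the Web App Service documentation. It assumes PEM-encoded files and an installed OpenSSL command-line tool, and the function names and file names in it are hypothetical.

```shell
#!/bin/sh
# Added example: local checks on PEM files before uploading them.
# Function names are hypothetical; only the OpenSSL CLI is used.

# 0 = certificate and private key share one public key, 1 = they differ,
# 2 = a file could not be read (an empty -passin avoids a passphrase prompt).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 = subject and issuer are the same name, which is how a self-signed
# certificate (such as an auto-configured one) presents itself.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$subj" = "$iss" ]
}

# Usage: precheck CERT KEY [production|testing]
# Prints one verdict: ok, unreadable, key-mismatch, expired, self-signed.
precheck() {
    rc=0
    pair_matches "$1" "$2" || rc=$?
    if [ "$rc" -eq 1 ]; then echo "key-mismatch"; return 1; fi
    if [ "$rc" -ne 0 ]; then echo "unreadable"; return 1; fi
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"; return 1
    fi
    # Self-signed certificates are acceptable for testing only.
    if [ "${3:-production}" = "production" ] && is_self_issued "$1"; then
        echo "self-signed"; return 1
    fi
    echo "ok"
}

# Run directly: sh precheck.sh server.crt server.key production
if [ "$#" -ge 2 ]; then precheck "$@"; fi
```

A verdict other than `ok` means the pair should not be uploaded as is. Run the script on a machine where the private key already resides so that the key file is not copied elsewhere.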
Configure HTTPS on an SLB instance
If you want to use HTTPS in Web App Service and your environment includes a Server Load Balancer (SLB) instance, we recommend that you enable HTTPS on the SLB instance.
- On the Environment Details page, select Configurations, and click Internet Load Balancer SLB.
- Turn on the Enable Internet SLB switch.
- Select Surrogate Purchase in the Instance Source field.
- Enter 443 in the Listening Port field.
The SLB instance listens on port 443. You can use the port to access applications over the Internet. If an SLB instance is purchased by Web App Service on your behalf, Web App Service will help you create and maintain the listening port.
- Select HTTPS in the SLB Protocol field.
- Select a certificate in the Server Certificate section.
You must add a certificate file to SLB before you enable HTTPS on an SLB instance. You can click one of the links in the Server Certificate section to manage or purchase certificates.
- Configure SLB forwarding rules.
The common format of a forwarding policy is a combination of a fully qualified domain name (FQDN) and path. A valid forwarding policy must include either an FQDN or a path. The following lists examples of valid forwarding policies:
- Click Change Configuration in the upper-right corner to apply the update.
- You cannot configure HTTPS on an SLB instance if you have enabled HTTPS on a reverse proxy.
- The method that is used to configure HTTPS on an Internet-facing SLB instance is the same as the method for an internal SLB instance. You can configure HTTPS on both an Internet-facing SLB instance and an internal SLB instance.