This topic describes how to add an HTTPS listener to an Application Load Balancer (ALB) instance. HTTPS is used for applications that require encrypted data transmission. You can create HTTPS listeners that use encrypted connections to distribute HTTPS requests. HTTPS listeners enable traffic encryption between an ALB instance and clients that initiate SSL or TLS sessions.
Prerequisites
- An ALB instance is created. For more information, see Create an ALB instance.
- At least one SSL server certificate and one TLS security policy are deployed on the ALB instance. For more information, see TLS security policies.
- The forwarding actions in the default forwarding rule are configured and the destination backend servers are specified. For more information, see Manage server groups.
Step 1: Configure an HTTPS listener
To configure an HTTPS listener, perform the following steps:
- Log on to the ALB console.
- Use one of the following methods to open the listener configuration wizard:
  - On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
  - On the Instances page, click the ID of the ALB instance that you want to manage. On the Listeners tab, click Create Listener.
- On the Configure Listener wizard page, set the following parameters and click Next.
- Listener Protocol: Select a protocol for the listener. HTTPS is selected in this example.
- Listening Port: Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. 443 is entered in this example. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS. Valid values: 1 to 65535.
  Note: The ports on which an ALB instance listens must be unique.
- Listener Name: Enter a name for the listener. The name must be 2 to 256 characters in length. The name can contain only Chinese characters and the characters in the following string:
- Advanced Settings: Click Modify to configure the following advanced settings.
  - Enable HTTP/2: Specify whether to enable HTTP/2.
  - Idle Connection Timeout Period: Specify the timeout period of idle connections. Unit: seconds. Valid values: 1 to 60. If no request is received within the specified timeout period, ALB closes the connection. ALB re-establishes the connection when a new connection request is received.
    Note: This feature is unavailable for HTTP/2 requests.
  - Connection Request Timeout Period: Specify the request timeout period. Unit: seconds. Valid values: 1 to 180. If no response is received from the backend server within the request timeout period, SLB returns an HTTP 504 error to the client.
  - Gzip Compression: Specify whether to enable Gzip compression for specific file types. Gzip supports the following file types:
  - Add HTTP Header Fields: You can add the following HTTP header fields:
    - X-Forwarded-For: Add the header field to obtain the real IP address of the client.
    - SLB-ID: Add the header field to obtain the ID of the ALB instance.
    - X-Forwarded-Proto: Add the header field to obtain the listener protocol of the ALB instance.
    - X-Forwarded-Clientcert-subjectdn: Add the header field to obtain information about the owner of the client certificate.
    - X-Forwarded-Clientcert-issuerdn: Add the header field to obtain information about the authority that issued the client certificate.
    - X-Forwarded-Clientcert-fingerprint: Add the header field to obtain the fingerprint of the client certificate.
    - X-Forwarded-Clientcert-clientverify: Add the header field to obtain the verification result of the client certificate.
    - X-Forwarded-Port: Add the header field to obtain the port on which the ALB instance listens.
    - X-Forwarded-Client-Port: Add the header field to obtain the port over which the client communicates with the ALB instance.
  - QUIC Update: Specify whether to enable the QUIC update feature. If you enable QUIC update, select a QUIC listener and associate it with the ALB instance.
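As an added example (not Alibaba Cloud's code) of how a backend server should consume the header fields listed above: it honours X-Forwarded-* values only when the request arrives from an ALB address, takes the client IP from the entry the ALB appended rather than one the client may have supplied, and reads the client certificate headers. The ALB address range, the sample header values, and the "SUCCESS" value for X-Forwarded-Clientcert-clientverify are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class ForwardedInfo:
    client_ip: str
    scheme: str
    listener_port: Optional[int]
    client_port: Optional[int]
    cert_subject: Optional[str]
    cert_fingerprint: Optional[str]
    cert_verified: bool

def parse_forwarded(headers, remote_addr, alb_networks, verified_values=("SUCCESS",)):
    """What the backend may trust about the client behind the ALB.
    X-Forwarded-* headers count only when the TCP peer is an ALB address; a client
    reaching the backend directly can set any value. `verified_values` is an
    assumption about how ALB reports a passed client-certificate check."""
    h = {k.lower(): v for k, v in headers.items()}
    peer = ip_address(remote_addr)
    if not any(peer in ip_network(n) for n in alb_networks):
        # Untrusted peer: ignore every forwarded header and treat it as plain HTTP.
        return ForwardedInfo(remote_addr, "http", None, None, None, None, False)
    # Assumes ALB appends the connecting address, as proxies conventionally do:
    # the right-most entry is ALB's, anything before it could be client-supplied.
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    def port(name):
        v = h.get(name, "")
        return int(v) if v.isdigit() else None
    return ForwardedInfo(
        client_ip=xff[-1] if xff else remote_addr,
        scheme=h.get("x-forwarded-proto", "http").lower(),
        listener_port=port("x-forwarded-port"),
        client_port=port("x-forwarded-client-port"),
        cert_subject=h.get("x-forwarded-clientcert-subjectdn"),
        cert_fingerprint=h.get("x-forwarded-clientcert-fingerprint"),
        cert_verified=h.get("x-forwarded-clientcert-clientverify", "") in verified_values,
    )

# Constructed sample: the ALB (10.0.0.5) forwarded a request whose client had
# sent a forged X-Forwarded-For entry before ALB appended the real address.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "198.51.100.9, 203.0.113.7",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Client-Port": "51234",
    "X-Forwarded-Clientcert-subjectdn": "CN=device-42,O=Example",
    "X-Forwarded-Clientcert-clientverify": "SUCCESS",
}
```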
Step 2: Configure an SSL certificate
To create an HTTPS listener, you must configure an SSL certificate to ensure that data transmission is encrypted and the identities of users are verified by a trusted authority.
For the regions in which mutual authentication is supported, see Release notes.
| Certificate | Description | Required for one-way authentication | Required for mutual authentication |
| --- | --- | --- | --- |
| Server certificate | The certificate that is used to identify the server. Your browser uses the server certificate to verify whether the certificate sent by the server is signed and issued by a trusted certification authority (CA). For more information, see Alibaba Cloud SSL Certificates Service. You must upload the server certificate to the ALB system. | Yes | Yes |
| Client certificate | The certificate that is used to identify the client. The server identifies the client by checking the certificate sent by the client. You must install the client certificate on the client. | No | Yes |
| CA certificate | The server uses a CA certificate to verify the signature on the client certificate. If the signature is invalid, the connection request is denied. You must upload the CA certificate to the ALB system. | No | Yes |
| TLS security policy | A TLS security policy contains the TLS protocol versions and cipher suites that are available to HTTPS listeners. For more information, see TLS security policies. | Yes | Yes |
- On the Configure SSL Certificate wizard page, select a server certificate, or click Buy Certificate in the Server Certificate drop-down list to purchase a new certificate.
- To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.
  - Enable mutual authentication and select an uploaded CA certificate, or click Purchase a CA certificate to purchase one.
    Note: If you want to disable mutual authentication later, perform the following operations:
    - On the Instances page, click the ID of the ALB instance that you want to manage.
    - On the Listeners tab, click the ID of the HTTPS listener that you want to manage.
    - On the Listener Details tab, disable mutual authentication.
  - For more information about TLS security policies, see TLS security policies.
- Click Next.
Step 3: Select a server group
On the Select Server Group wizard page, select a server group from the Server Group drop-down list, confirm the information about the backend server, and click Next.
Step 4: Review the configuration
On the Configuration Review wizard page, confirm the configuration and then click Submit.
FAQ
- What are the SSL protocol versions supported by HTTPS listeners?
  HTTPS listeners support TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. For more information, see TLS security policies.
- Can backend servers obtain the protocol version used by the associated HTTPS listener?
  Yes, backend servers can obtain the protocol version used by the associated HTTPS listener.
- Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
  - If the received client requests use HTTP 1.1 or HTTP 2.0, Layer 7 listeners use HTTP 1.1 to distribute network traffic to backend servers.
  - If the received client requests do not use HTTP 1.1 or HTTP 2.0, Layer 7 listeners use HTTP 1.0 to distribute network traffic to backend servers.