This topic describes how to associate multiple certificates with an HTTPS listener of an Application Load Balancer (ALB) instance to distribute requests destined for different domain names to different NGINX services deployed on backend servers.

Scenario

After ALB receives an HTTPS request, ALB matches the requested domain name against the certificates that you uploaded. If one of the certificates is matched, ALB sends the request to a backend server based on the forwarding rule that you configured for the domain name and then returns the corresponding certificate to the client. If no certificate is matched, ALB sends the request to a backend server in the default server group and returns the default certificate to the client. The following configurations are used in this example:
  • The default certificate: default. The default server group: RS1.
  • The domain name example.com is associated with the additional certificate example1. Requests destined for example.com are forwarded to RS1.
  • The domain name example.org is associated with the additional certificate example2. Requests destined for example.org are forwarded to RS2.

Figure: Access multiple domain names

Prerequisites

  • An ALB instance is created. For more information, see Create an ALB instance.
  • RS1 and RS2 are created. For more information, see Manage server groups.
  • An Elastic Compute Service (ECS) instance is added to each server group. In this example, ECS01 is added to RS1 and ECS02 is added to RS2. Different NGINX services are deployed on the ECS instances.
  • You have purchased the required certificates from Alibaba Cloud. If the certificates are purchased from a third-party service provider, you must upload them to SSL Certificates Service. In addition, make sure that the certificates are associated with your domain names. For more information about how to create a certificate, see Apply for a certificate. In this example, the following certificates are used:
    • The default certificate.
    • The additional certificate example1 that is associated with example.com.
    • The additional certificate example2 that is associated with example.org.

Background information

You can associate up to 10 additional certificates with a basic ALB instance and up to 25 additional certificates with a standard ALB instance. The default certificate is not included in this quota.

Step 1: Create an HTTPS listener

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.
  3. On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
  4. On the Configure Listener page, set the parameters of the listener and click Next.
    The following configurations are used in this example. For more information about the other parameters and how to create an HTTPS listener, see Add an HTTPS listener.
    • Select Server Certificate: In this example, the default certificate is selected.
    • Select Server Group: In this example, RS1 is selected.

Step 2: Add an additional certificate

  1. On the Instances page, find the ALB instance that you want to manage and click its ID.
  2. On the Listener tab, find the HTTPS listener that you created and click Manage Certificate in the Actions column.
  3. On the Certificates tab, click Add Extended Validation Certificate.
  4. In the Add Extended Validation Certificate dialog box, select the certificate example1 and click OK. Repeat the preceding steps to add the certificate example2.

Step 3: Create forwarding rules

  1. On the Instances page, find the ALB instance that you want to manage and click its ID.
  2. On the Listener tab, find the HTTPS listener that you created and click View/Modify Forwarding Rule in the Actions column.
  3. On the Forwarding Rules tab, click Add New Rule.
  4. Set the parameters of the forwarding rule and click OK. In this example, the following configurations are used:
    • If the requested Domain Name is example.com, then Forward the request to RS1. Weight: 100.
    • If the requested Domain Name is example.org, then Forward the request to RS2. Weight: 100.
    Note
    • An ECS instance with a higher weight receives more requests. In this example, the default value 100 is used.
    • Valid values: 1 to 100.

Step 4: Create CNAME records

Create CNAME records to map example.com and example.org to the publicly accessible domain name of the ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance that you want to manage is deployed.
  3. Find the ALB instance that you want to manage, and copy the domain name.
  4. To create a CNAME record, perform the following operations:
    1. Log on to the Alibaba Cloud DNS console.
    2. On the Manage DNS page, click Add Domain Name.
    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.
      Notice: Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
    4. In the Actions column of the domain name that you want to manage, click Configure.
    5. On the DNS Settings page, click Add Record.
    6. In the Add Record panel, set the following parameters and click Confirm.
      Parameter   Description
      Type        Select CNAME from the drop-down list.
      Host        Enter the prefix of your domain name.
      ISP Line    Select Default.
      Value       Enter the CNAME. The CNAME is the domain name of the ALB instance that you copied in step 3 of this section.
      TTL         Time-to-live (TTL) limits the lifetime of the record on a server. In this example, the default value is used.
      Note
      • Newly created CNAME records take effect immediately. The time that is required for a modified CNAME record to take effect is limited by the TTL. The default value of TTL is 10 minutes.
      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name.

Step 5: Test connectivity

Enter example.com and example.org in the address bar of a browser to check whether you can access ALB. In this example, NGINX is used to set up two static websites on ECS01 and ECS02.
  • In the address bar of the browser, enter the domain name example.com, which is associated with the additional certificate example1. If you can access the domain name, it indicates that the request is sent to ECS01 in RS1 based on the forwarding rule that you configured.
  • In the address bar of the browser, enter the domain name example.org, which is associated with the additional certificate example2. If you can access the domain name, it indicates that the request is sent to ECS02 in RS2 based on the forwarding rule that you configured.
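
The browser test above confirms forwarding. The following added example (not part of the original documentation) checks the certificate side of the scenario: it sends each domain name as SNI and reports whether the served certificate covers that name or whether the listener fell back to the default certificate. The name default.example.net and the SAMPLE dictionaries are constructed for illustration.

```python
import socket
import ssl
import sys

HOSTS = ("example.com", "example.org")  # domain names from this page's scenario

# Constructed getpeercert()-style dicts, audited when no endpoint is given (not real certificates).
SAMPLE = {
    "example.com": {"subjectAltName": (("DNS", "example.com"),)},
    "example.org": {"subjectAltName": (("DNS", "default.example.net"),)},  # default certificate served
}

def san_dns_names(cert):
    """DNS names from a dict returned by SSLSocket.getpeercert()."""
    return sorted(v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS")

def covers(names, host):
    """True if a certificate name matches host exactly or as a single-label wildcard."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(n == host or (n.startswith("*.") and "." in n[2:] and n[2:] == parent)
               for n in names)

def fetch_cert(endpoint, host, port=443, timeout=5):
    """Handshake with the ALB endpoint, sending host as SNI, and return the served certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the chain is still verified; the name check happens in audit()
    with socket.create_connection((endpoint, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(certs):
    """Map each host to (ok, served_names); ok is False if the served certificate does not cover it."""
    report = {}
    for host, cert in certs.items():
        names = san_dns_names(cert)
        report[host] = (covers(names, host), names)
    return report

if __name__ == "__main__":
    # Usage: pass the ALB domain name as the only argument; without it the constructed SAMPLE is audited.
    certs = {h: fetch_cert(sys.argv[1], h) for h in HOSTS} if len(sys.argv) > 1 else SAMPLE
    for host, (ok, names) in audit(certs).items():
        print(f"{host}: {'OK' if ok else 'MISMATCH (default certificate?)'} served={names}")
```

A MISMATCH result for a domain name means the additional certificate for that name is not associated with the listener or does not list the name, so clients receive the default certificate.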