
Server Load Balancer: Configure one-way authentication for HTTPS requests

Last Updated: Jan 05, 2024

This topic describes how to configure one-way authentication for HTTPS requests. After you enable this feature, the client authenticates the identity of the server during HTTPS communication, and the server does not authenticate the client.

Prerequisites

  • A CLB instance is created. For more information, see Create and manage a CLB instance.

  • A vServer group is created. ECS01 and ECS02 are added to the vServer group, and different applications are deployed on ECS01 and ECS02.

  • The domain name is registered and an Internet content provider (ICP) number is obtained for the domain name. For more information, see Register a domain name on Alibaba Cloud and ICP filing application overview.

  • Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information, see Get started with SSL Certificates Service.

Step 1: Upload the server certificate to the CLB instance

Before you can configure an HTTPS listener, you must purchase a server certificate and upload it to the CLB instance.

  1. Log on to the CLB console.

  2. In the left-side navigation pane, choose CLB > Certificates.

  3. On the Certificates page, click Add Certificate.

  4. On the Add Certificate page, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Create.

    | Parameter | Description |
    |---|---|
    | Select Certificate Source | In this example, Alibaba Cloud Certificate is selected. |
    | Certificates | Select the certificate that you want to upload from the drop-down list. |
    | Region | Select the region where you want to deploy the certificate. You cannot use a certificate in regions where the certificate is not deployed. If you want to use the certificate in multiple regions, select all the regions where you want to use the certificate. |

Step 2: Create an HTTPS listener

  1. Log on to the CLB console.

  2. In the left-side navigation pane, choose CLB > Instances.

  3. In the top navigation bar, select the region where the CLB instance is deployed.

  4. On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.

  5. In the Protocol & Listener step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Next.

    | Parameter | Description |
    |---|---|
    | Select Listener Protocol | In this example, HTTPS is selected. |
    | Listener Port | In this example, the default port 443 is selected. |

  6. In the Certificate Management Service step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Next.

    | Parameter | Description |
    |---|---|
    | Server Certificate | Select the certificate uploaded in Step 1. |

  7. In the Backend Servers step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements. After you set the parameters, click Next.

    | Parameter | Description |
    |---|---|
    | Server Group Type | In this example, vServer Groups is selected. |
    | Server Group | Select the server group that you want to use. |

  8. In the Health Check step, set the parameters based on your business requirements. After you set the parameters, click Next.

  9. In the Confirm step, check whether the parameters are correctly set and click Submit.

Step 3: Configure domain name resolution

  1. Log on to the CLB console.

  2. In the top navigation bar, select the region in which the CLB instance is deployed.

  3. Find the CLB instance that you want to manage and copy the IP address.

  4. Perform the following steps to add an A record:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Domain Name Resolution page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.

      Important

      Before you create the A record, you must use a TXT record to verify the ownership of the domain name.

    4. Find the domain name that you want to manage and click Configure in the Actions column.

    5. On the DNS Settings page, click Add Record.

    6. In the Add DNS Record panel, configure the following parameters and click OK.

      | Parameter | Description |
      |---|---|
      | Type | Select A from the drop-down list. |
      | Host | Enter the prefix of your domain name. |
      | DNS Request Source | Select Default. |
      | Record Value | Enter the IP address of the CLB instance. |
      | TTL | Select a time-to-live (TTL) value for the record to be cached on the DNS server. The default value is used in this example. |

Step 4: Test network connectivity

Enter the domain name of the CLB instance into the address bar of your browser and refresh the page multiple times to test whether the requests are forwarded to the backend applications. The following figures show that the requests are alternately forwarded to ECS01 and ECS02.

[Figures: page returned by ECS01; page returned by ECS02]
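A scripted counterpart to the browser test, added here as an example and not part of the original documentation: it connects the way a one-way-authentication client does (verifies the server certificate, presents no client certificate) and then checks that the A record points at the CLB instance and that the certificate covers the domain name and is not close to expiry. The function names, the sample certificate, the domain `www.example.com` and the documentation-range IP addresses are assumptions made for this example.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def probe_listener(hostname, port=443, timeout=5.0):
    """Connect as a one-way-auth client: verify the server, present no client certificate."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + hostname check; no load_cert_chain()
    ip = socket.gethostbyname(hostname)   # address the A record from Step 3 resolves to
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            # Under TLS 1.3 a demand for a client certificate only surfaces on first read,
            # so complete one request before concluding the listener is one-way.
            req = f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            status = tls.recv(256).split(b"\r\n", 1)[0].decode("latin-1")
            return ip, tls.version(), tls.getpeercert(), status

def name_matches(pattern, hostname):
    """Exact match, or a wildcard that stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def audit(hostname, clb_ip, resolved_ip, cert, now=None, warn_days=30):
    """Return a list of findings; an empty list means the checks passed."""
    now = time.time() if now is None else now
    findings = []
    if resolved_ip != clb_ip:
        findings.append(f"A record resolves to {resolved_ip}, not CLB IP {clb_ip}")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in sans):
        findings.append(f"certificate SANs {sans} do not cover {hostname}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {int(days_left)} days")
    return findings

if __name__ == "__main__":
    # Offline run against the constructed sample; for a live check, pass the
    # values returned by probe_listener("<your-domain>") instead.
    print(audit("www.example.com", "203.0.113.10", "203.0.113.10", SAMPLE_CERT))
```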
