This topic describes how to add an HTTPS listener to a Classic Load Balancer (CLB) instance. HTTPS is intended for applications that require encrypted data transmission. You can add an HTTPS listener to forward HTTPS requests.

Prerequisites

A CLB instance is created. For more information, see Create a CLB instance.

Step 1: Configure an HTTPS listener

  1. Log on to the CLB console.
  2. Select the region where the CLB instance is deployed.
  3. Use one of the following methods to open the listener configuration wizard:
    • On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
    • On the Instances page, click the ID of the CLB instance that you want to manage. On the Listener tab, click Add Listener.
  4. Set the following parameters and click Next.
    Parameters and their descriptions:
    Select Listener Protocol: Select a protocol for the listener. In this example, HTTPS is selected.
    Listening Port: Enter the port on which the CLB instance listens. The CLB instance uses the port to receive requests and forward the requests to backend servers. Valid values: 1 to 65535.
    Listener Name: Enter a name for the listener.
    Advanced: Click Modify to configure advanced settings.
    Scheduling Algorithm: Select a scheduling algorithm.
      • Weighted Round-Robin (WRR): Backend servers that have higher weights receive more requests than those that have lower weights.
      • Round-Robin (RR): Requests are evenly and sequentially distributed to backend servers.
    Enable Session Persistence: Specify whether to enable session persistence. After session persistence is enabled, CLB forwards all requests from a client to the same backend server.
      CLB maintains the persistence of HTTP sessions based on cookies. CLB allows you to use the following methods to process cookies:
      • Insert cookie: If you select this option, you need only to specify the timeout period of the cookie. CLB inserts a cookie (SERVERID) into the first HTTP or HTTPS response that is sent to a client. The next request from the client contains the cookie. Then, the listener distributes the request to the recorded backend server.
      • Rewrite cookie: If you select this option, you can specify the cookie that you want to insert into an HTTP or HTTPS response. You must specify the timeout period and lifecycle of the cookie on the backend server. After you specify a cookie, CLB overwrites the original cookie with the specified cookie. The next time CLB receives a client request that carries the specified cookie, the listener distributes the request to the recorded backend server.
    Enable HTTP/2: Specify whether to enable HTTP/2.0 for the frontend protocol of the CLB instance.
    Enable Access Control: Specify whether to enable access control. Select an access control method after you enable access control. Then, select an access control list (ACL) that is used as the whitelist or blacklist of the listener.
      • Whitelist: Only requests from the IP addresses or CIDR blocks in the specified ACL are forwarded. Whitelists apply to scenarios that require you to allow only specific IP addresses to access an application. Your business may be adversely affected if the whitelist is not set properly. After you configure a whitelist for a listener, only requests from IP addresses that are added to the whitelist can be forwarded by the listener. If you enable a whitelist but the whitelist does not contain an IP address, the CLB listener does not forward requests.
      • Blacklist: Requests from the IP addresses or CIDR blocks in the specified ACL are not forwarded. You can use the blacklist feature when you want to deny access from specified IP addresses. If you enable a blacklist but the blacklist does not contain an IP address, the CLB listener forwards all requests.
      Note: IPv6 instances can be associated only with IPv6 ACLs, and IPv4 instances can be associated only with IPv4 ACLs. For more information, see Create an access control list.
    Enable Peak Bandwidth Limit: Specify whether to set a bandwidth limit for the listener. If a CLB instance is billed based on bandwidth usage, you can set different bandwidth limit values for different listeners. This limits the amount of traffic that flows through each listener. The sum of the bandwidth limit values of all listeners that are added to a CLB instance cannot exceed the bandwidth of this CLB instance. By default, this feature is disabled and all listeners share the bandwidth of the CLB instance.
      Note: If a CLB instance is billed based on the amount of data transfer, the bandwidth of its listeners is not automatically limited.
    Idle Timeout: Specify the timeout period of idle connections. Unit: seconds. Valid values: 1 to 60. If no request is received within the specified timeout period, CLB closes the connection. CLB recreates the connection when a new connection request is received.
    Request Timeout: Specify the request timeout period. Unit: seconds. Valid values: 1 to 180. If no response is received from the backend server within the request timeout period, CLB returns an HTTP 504 error to the client.
    Enable Gzip Compression: Specify whether to enable Gzip compression for a specified file type. Gzip supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.
    Add HTTP Header Fields: You can add the following HTTP header fields:
      • Use the X-Forwarded-For header field to retrieve the real IP addresses of clients.
      • Use the SLB-ID header field to retrieve the ID of the CLB instance.
      • Use the SLB-IP header field to retrieve the public IP address of the CLB instance.
      • Use the X-Forwarded-Proto header field to retrieve the listener protocol used by the CLB instance.
    Obtain Client Source IP Address: Specify whether to retrieve the real IP address of the client. By default, this feature is enabled.
    Automatically Enable Listener After Creation: Specify whether to immediately enable the listener after it is created. By default, this feature is enabled.
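The header fields under Add HTTP Header Fields are only useful if the backend reads them defensively: X-Forwarded-For can carry client-supplied entries, and a request that bypasses the listener carries no SLB-ID at all. The following backend-side check is an added example, not code from the CLB documentation; it assumes the backend port is reachable only through the CLB instance, that CLB appends the client address it observed as the right-most X-Forwarded-For entry, and that EXPECTED_SLB_ID is a placeholder for your real instance ID.

```python
"""Consume the header fields added by the CLB HTTPS listener (X-Forwarded-For,
X-Forwarded-Proto, SLB-ID, SLB-IP) on a backend server. Added example, not CLB
code. Assumes the backend port is reachable only via CLB, that CLB appends the
client address as the right-most X-Forwarded-For entry, and that
EXPECTED_SLB_ID is a placeholder for the real instance ID."""
import ipaddress
from dataclasses import dataclass

EXPECTED_SLB_ID = "lb-EXAMPLE-PLACEHOLDER"  # placeholder, not a real instance ID

@dataclass
class ForwardedInfo:
    client_ip: str
    proto: str
    slb_id: str
    slb_ip: str

class UntrustedRequest(ValueError):
    """Raised when the CLB header fields are missing or inconsistent."""

def parse_forwarded(headers: dict) -> ForwardedInfo:
    """Validate the CLB header fields and return the trusted values."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # A missing or unexpected SLB-ID means the request did not come through the
    # expected listener, so none of the other header values can be trusted.
    if h.get("slb-id") != EXPECTED_SLB_ID:
        raise UntrustedRequest("SLB-ID missing or unexpected")
    # Clients may send their own X-Forwarded-For entries; only the right-most
    # entry was appended by CLB, so that is the real client address.
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    if not hops:
        raise UntrustedRequest("X-Forwarded-For missing")
    try:
        client_ip = str(ipaddress.ip_address(hops[-1]))
    except ValueError as exc:
        raise UntrustedRequest(f"bad client address {hops[-1]!r}") from exc
    # X-Forwarded-Proto is the listener protocol: whether the client-to-CLB hop
    # was encrypted, regardless of how CLB talks to the backend.
    proto = h.get("x-forwarded-proto", "").lower()
    if proto not in ("http", "https"):
        raise UntrustedRequest("X-Forwarded-Proto missing or invalid")
    return ForwardedInfo(client_ip, proto, h["slb-id"], h.get("slb-ip", ""))

def require_https(headers: dict) -> ForwardedInfo:
    """Accept the request only if the client reached the listener over HTTPS."""
    info = parse_forwarded(headers)
    if info.proto != "https":
        raise UntrustedRequest("client connected over HTTP, not HTTPS")
    return info
```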

Step 2: Configure an SSL certificate

When you add an HTTPS listener, you must upload a server certificate or CA certificate and select a TLS security policy, as shown in the following table.

Server certificate
  Description: The certificate that is used to identify the server. Your browser uses the server certificate to verify whether the certificate sent by the server is signed and issued by a trusted certification authority (CA).
  Required for one-way authentication: Yes. You must upload the server certificate to the certificate management system of CLB.
  Required for mutual authentication: Yes. You must upload the server certificate to the certificate management system of CLB.

Client certificate
  Description: The certificate that is used to identify the client. The server identifies the client by checking the certificate sent by the client. You can sign a client certificate with a self-signed CA certificate.
  Required for one-way authentication: No.
  Required for mutual authentication: Yes. You must install the client certificate on the client.

CA certificate
  Description: The server uses a CA certificate to verify the signature on the client certificate. If the signature is invalid, the connection request is denied.
  Required for one-way authentication: No.
  Required for mutual authentication: Yes. You must upload the CA certificate to the certificate management system of CLB.

TLS security policy
  Description: TLS security policies are supported only by high-performance CLB instances. A TLS security policy contains the TLS protocol versions and cipher suites that are available for HTTPS. For more information, see Manage TLS security policies.
  Required for one-way authentication: Yes.
  Required for mutual authentication: Yes.

Before you upload a certificate, take note of the following items:
  • CLB supports the following public key algorithms: RSA 1024, RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384, and ECDSA P-521.
  • The certificate that you want to upload must be in the PEM format.
  • After you upload a certificate to CLB, you can manage the certificate. You do not need to bind the certificate to backend servers.
  • It may take a few minutes to upload, load, and verify the certificate. Therefore, an HTTPS listener is not enabled immediately after it is created. It requires approximately 1 to 3 minutes to enable an HTTPS listener.
  • The ECDHE cipher suite used by HTTPS listeners supports forward secrecy. It does not support the security enhancement parameters that are required by the DHE cipher suite. Therefore, you cannot upload certificates (PEM files) that contain the BEGIN DH PARAMETERS field. For more information, see Certificate requirements.
  • HTTPS listeners do not support Server Name Indication (SNI). You can choose TCP listeners and configure SNI on backend servers.
  • By default, the timeout period of session tickets for HTTPS listeners is set to 300 seconds.
  • The actual amount of data transfer on an HTTPS listener is larger than the billed amount because a portion of data is used for handshaking.
  • If a large number of connections are established, a large amount of data is used for handshaking.
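A certificate that violates the requirements above (not PEM, or carrying a BEGIN DH PARAMETERS block) only fails once the listener tries to load it, which costs the 1 to 3 minutes mentioned above each time. The following pre-upload check is an added example, not CLB code: it applies the textual rules with the standard library alone, and, only when called with inspect_key=True, uses the third-party cryptography package to confirm the leaf key is one of the RSA sizes or ECDSA curves listed.

```python
"""Pre-upload check of a PEM file against the CLB certificate rules: PEM
encoding, a CERTIFICATE block present, no DH PARAMETERS block, and optionally
a supported public key type (RSA 1024/2048/4096 or ECDSA P-256/P-384/P-521).
Added example, not CLB code; key inspection needs the third-party
'cryptography' package and is off by default."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SUPPORTED_RSA_BITS = {1024, 2048, 4096}
SUPPORTED_CURVES = {"secp256r1", "secp384r1", "secp521r1"}  # P-256, P-384, P-521


def check_pem(text: str, inspect_key: bool = False) -> list:
    """Return a list of problems; an empty list means the file passed."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found (the file must be PEM, not DER or PFX)"]
    labels = [label for label, _ in blocks]
    problems = []
    # CLB's ECDHE suites do not use DH parameters, and the upload is rejected.
    if "DH PARAMETERS" in labels:
        problems.append("contains a BEGIN DH PARAMETERS block, which CLB rejects")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label} block is not valid base64")
    if inspect_key and "CERTIFICATE" in labels:
        problems += _key_problems(labels, blocks)
    return problems


def _key_problems(labels, blocks) -> list:
    """Check the first (leaf) certificate's public key type."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import ec, rsa

    body = blocks[labels.index("CERTIFICATE")][1]
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    key = x509.load_pem_x509_certificate(pem.encode()).public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size in SUPPORTED_RSA_BITS:
        return []
    if isinstance(key, ec.EllipticCurvePublicKey) and key.curve.name in SUPPORTED_CURVES:
        return []
    return ["leaf certificate key is not RSA 1024/2048/4096 or ECDSA P-256/P-384/P-521"]
```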
  1. On the SSL Certificates wizard page, select the server certificate that you uploaded. You can also click Create Server Certificate to upload a server certificate.
  2. To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced.
  3. Enable mutual authentication, and select an uploaded CA certificate. You can also upload a CA certificate.
  4. For more information about TLS security policies, see Manage TLS security policies.

Step 3: Add backend servers

After you configure the listener, you must add backend servers to process client requests. You can use the default server group that is configured for the CLB instance. You can also create a vServer group or a primary/secondary server group. For more information, see Backend server overview.

The default server group is selected in this example.

  1. On the Backend Servers wizard page, select Default Server Group. Then, click Add More.
  2. In the My Servers panel, select the Elastic Compute Service (ECS) instances that you want to add as backend servers and click Next.
  3. On the Configure Ports and Weights wizard page, specify the weights of the backend servers that you want to add. A backend server with a higher weight receives more requests.
    Note If the weight of a backend server is set to 0, no request is distributed to the backend server.
  4. Click Add. On the Default Server Group tab, specify the ports that you want to open on the backend servers (ECS instances) to receive requests. Valid values: 1 to 65535.

    You can specify the same port on different backend servers that are added to a CLB instance.

  5. Click Next.

Step 4: Configure health checks

CLB performs health checks to check the availability of the ECS instances that serve as backend servers. The health check feature improves the overall availability of your workloads and limits the impact of exceptions that may occur on backend ECS instances. Click Modify to modify the health check configurations. For more information, see Configure health check.

Step 5: Submit the configurations

  1. On the Confirm wizard page, check the configurations. You can click Modify to modify the configurations.
  2. After you confirm the configurations, click Submit.
  3. When Successful appears, click OK.

    After you configure the listener, you can view the listener on the Listener tab.