HTTPS is applicable to applications that require encrypted data transmission. You can add an HTTPS listener to forward HTTPS requests.

Prerequisites

An SLB instance is created. For more information, see Create an SLB instance.

Step 1: Start the listener configuration wizard

To start the listener configuration wizard, perform the following operations:

  1. Log on to the Server Load Balancer console.
  2. In the left-side navigation pane, choose Instances > Server Load Balancers.
  3. Select the region of the target SLB instance.
  4. Use one of the following methods to start the listener configuration wizard:
    • On the Server Load Balancers page, find the target SLB instance and then click Configure Listener in the Actions column.
    • On the Server Load Balancers page, click the ID of the target SLB instance. On the Listener tab, click Add Listener.

Step 2: Configure an HTTPS listener

To configure an HTTPS listener, perform the following operations:

  1. In the Protocol and Listener step, configure the listener parameters listed in the following table.

    Parameter: Select Listener Protocol
    Description: Select the protocol type of the listener. In this example, select HTTPS.

    Parameter: Listening Port
    Description: The listening port used to receive requests and forward them to backend servers. Valid values: 1 to 65535.
    Note: The listening port numbers must be unique in an SLB instance.

    Advanced settings:

    Parameter: Scheduling Algorithm
    Description: SLB supports three scheduling algorithms: round robin, weighted round robin (WRR), and weighted least connections (WLC).
    • Weighted Round-Robin (WRR): A backend server with a higher weight is more likely to be scheduled and receives more requests.
    • Round-Robin (RR): Requests are evenly and sequentially distributed to backend servers.
    • Weighted Least Connections (WLC): Requests are distributed to the backend server with the fewest connections. If two backend servers have the same number of connections, the backend server with the higher weight receives more requests.

    Parameter: Enable Session Persistence
    Description: Specifies whether to enable session persistence. After session persistence is enabled, SLB forwards all requests from the same client to the same backend server.
    HTTP session persistence is implemented through cookies. SLB provides two methods to handle cookies:
    • Insert cookie: You only need to specify the cookie timeout period. SLB inserts a cookie (SERVERID) into the first HTTP or HTTPS response sent to a client. The next request from the client carries the cookie, and the listener distributes the request to the recorded backend server.
    • Rewrite cookie: You specify the cookie to be inserted into the HTTP or HTTPS response to meet your specific needs, and you maintain the timeout period and lifecycle of the cookie on the backend server. SLB overwrites the original cookie if it finds that a new cookie has been specified. The next request carries the new cookie, and the listener distributes the request to the recorded backend server. For more information, see Session persistence rule configuration.

    Parameter: Enable HTTP/2
    Description: Specifies whether to enable HTTP/2.

    Parameter: Enable Access Control
    Description: Specifies whether to enable access control.

    Parameter: Access Control Method
    Description: The access control method. Select an access control method after you enable access control.
    • Whitelist: Only requests from the IP addresses or CIDR blocks in the specified access control list are forwarded. The whitelist is applicable to scenarios where you want to allow access only from specified IP addresses. Enabling the whitelist may pose risks to services: after the whitelist is enabled, only the IP addresses in the access control list can access the SLB listener. If the whitelist is enabled while the associated access control list does not contain any IP addresses, the SLB listener forwards all requests.
    • Blacklist: Requests from the IP addresses or CIDR blocks in the specified access control list are not forwarded. The blacklist is applicable to scenarios where you want to deny access from specified IP addresses. If the blacklist is enabled while the associated access control list does not contain any IP addresses, the SLB listener forwards all requests.

    Parameter: Access Control List
    Description: The access control list that functions as the whitelist or blacklist of the listener.
    Note: IPv6 instances can only be associated with IPv6 access control lists, and IPv4 instances can only be associated with IPv4 access control lists. For more information, see Configure an access control list.

    Parameter: Enable Peak Bandwidth Limit
    Description: Specifies whether to configure a bandwidth limit for the listener. If an SLB instance is billed based on bandwidth, you can set different peak bandwidth values for different listeners to limit the amount of traffic passing through each listener. The sum of the peak bandwidth values of all listeners of an SLB instance cannot exceed the bandwidth of that SLB instance. By default, this feature is disabled, and all listeners share the bandwidth of the SLB instance.
    Note: If an SLB instance is billed by data transfer, there is no peak bandwidth limit.

    Parameter: Idle Timeout
    Description: The idle timeout period of connections. Unit: seconds. Valid values: 1 to 60. If no request is received within the specified timeout period, SLB temporarily closes the connection and re-establishes it when the next request is received. This feature is available in all regions.

    Parameter: Request Timeout
    Description: The request timeout period. Unit: seconds. Valid values: 1 to 180. If no response is received from the backend server within the specified timeout period, SLB returns an HTTP 504 error code to the client. This feature is available in all regions.

    Parameter: Enable Gzip Compression
    Description: Specifies whether to enable compression for specific file types. Gzip supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.

    Parameter: Add HTTP Header Fields
    Description: Select the custom HTTP header fields that you want to add:
    • Use the X-Forwarded-For header field to retrieve the IP addresses of clients.
    • Use the X-Forwarded-Proto header field to retrieve the listener protocol used by the SLB instance.
    • Use the SLB-IP header field to retrieve the public IP address of the SLB instance.
    • Use the SLB-ID header field to retrieve the ID of the SLB instance.

    Parameter: Obtain Client Source IP Address
    Description: HTTP listeners use the X-Forwarded-For header field to obtain the actual IP addresses of clients.

    Parameter: Automatically Enable Listener After Creation
    Description: Specifies whether to start the listener after the listener is configured. By default, the listener is started after configuration.
  2. Click Next.
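The whitelist and blacklist rules described under Access Control Method above, including the documented behaviour of an empty list, as an added Python example (this is not SLB code and not part of the original page); the addresses used are constructed documentation-range values.

```python
import ipaddress

def parse_acl(entries):
    """Parse ACL entries (single IP addresses or CIDR blocks) into networks.
    strict=False lets an entry such as 10.0.0.5/24 stand for its whole /24."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def acl_matches(client_ip, networks):
    """True when the client address falls inside an entry of the same IP
    family; an IPv4 address is never compared against an IPv6 entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)

def listener_forwards(client_ip, mode, entries):
    """Decide whether the listener forwards a request, following the page's
    rules: a whitelist forwards only listed sources, a blacklist forwards
    everything except listed sources, and an EMPTY list forwards everything
    in either mode."""
    networks = parse_acl(entries)
    if not networks:
        return True
    matched = acl_matches(client_ip, networks)
    if mode == "whitelist":
        return matched
    if mode == "blacklist":
        return not matched
    raise ValueError(f"unknown access control mode: {mode}")

def audit_acl_config(mode, entries):
    """Findings a reviewer would raise before enabling access control."""
    findings = []
    if mode == "whitelist" and not entries:
        findings.append("whitelist enabled with an empty list: listener is open to all clients")
    families = {net.version for net in parse_acl(entries)}
    if len(families) > 1:
        findings.append("list mixes IPv4 and IPv6 entries: an instance accepts only one family")
    return findings

if __name__ == "__main__":
    # Constructed sample configuration: a whitelist holding one documentation-range block.
    print(listener_forwards("203.0.113.7", "whitelist", ["203.0.113.0/24"]))  # True
    print(listener_forwards("198.51.100.1", "whitelist", []))                 # True (empty list)
    print(audit_acl_config("whitelist", []))
```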
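For the X-Forwarded-For, X-Forwarded-Proto, SLB-IP and SLB-ID fields listed under Add HTTP Header Fields above, an added example (not SLB code, not from the original page) of how a backend behind the listener should read them. It assumes the backend knows the address range the listener connects from (constructed here as 100.64.0.0/10) and that SLB appends the client address as the last X-Forwarded-For entry, which is standard proxy behaviour not stated on this page.

```python
import ipaddress

def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _from_trusted_proxy(peer_ip, trusted_proxy_cidrs):
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(c) for c in trusted_proxy_cidrs)

def client_ip_from_headers(headers, peer_ip, trusted_proxy_cidrs):
    """Resolve the client address for a request relayed by the listener.

    Assumption (standard proxy behaviour, not stated on the page): SLB appends
    the address it observed as the LAST X-Forwarded-For entry, so that entry is
    the one SLB vouches for; anything left of it came from the client or an
    earlier hop and can be forged. Requests that do not arrive from a trusted
    proxy address keep the socket peer address, whatever the headers say.
    """
    if not _from_trusted_proxy(peer_ip, trusted_proxy_cidrs):
        return peer_ip
    xff = _header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer_ip
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return peer_ip  # malformed value: fall back instead of trusting it

def request_context(headers, peer_ip, trusted_proxy_cidrs):
    """Everything the backend needs from the fields the listener adds."""
    scheme = (_header(headers, "X-Forwarded-Proto") or "http").lower()
    return {
        "client_ip": client_ip_from_headers(headers, peer_ip, trusted_proxy_cidrs),
        "scheme": scheme,
        "secure_cookie": scheme == "https",  # only mark cookies Secure on HTTPS
        "slb_ip": _header(headers, "SLB-IP"),
        "slb_id": _header(headers, "SLB-ID"),
    }
```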

Step 3: Configure an SSL certificate

To add an HTTPS listener, you must upload a server certificate or CA certificate and select a TLS security policy.

Notice SLB supports the following public key algorithms:
  • RSA 1024
  • RSA 2048
  • RSA 4096
  • ECDSA P-256
  • ECDSA P-384
  • ECDSA P-521
Item: Server certificate
  Description: The certificate used to identify the server. The client checks whether the certificate sent by the server is issued by a trusted certificate authority.
  Required for one-way authentication: Yes. You must upload the server certificate to the certificate management system of SLB.
  Required for mutual authentication: Yes. You must upload the server certificate to the certificate management system of SLB.

Item: Client certificate
  Description: The certificate that is used to identify the client. The server identifies the client by checking the certificate sent by the client. You can sign a client certificate with a self-signed CA certificate.
  Required for one-way authentication: No.
  Required for mutual authentication: Yes. You must install the client certificate on the client.

Item: CA certificate
  Description: The server uses a CA certificate to verify the signature on the client certificate. If the certificate cannot be verified, the connection request is rejected.
  Required for one-way authentication: No.
  Required for mutual authentication: Yes. You must upload the CA certificate to the certificate management system of SLB.

Item: TLS security policy
  Description: Only guaranteed-performance instances support TLS security policies. A TLS security policy specifies the TLS protocol versions allowed for HTTPS communication and the matching cipher suites. For more information, see Manage TLS security policies.
  Required for one-way authentication: Yes.
  Required for mutual authentication: Yes.

Before you upload a certificate, take note of the following items:
  • The uploaded certificate must be in the PEM format.
  • After you upload the certificate to SLB, SLB can manage the certificate and you do not need to bind the certificate to backend servers.
  • It may take some time to activate an HTTPS listener because the certificate must be uploaded, loaded, and verified. It can take up to three minutes for an HTTPS listener to be activated.
  • The ECDHE cipher suites used by HTTPS listeners support forward secrecy but do not support the security enhancement parameters required by DHE cipher suites. As a result, strings that contain the BEGIN DH PARAMETERS field in a PEM certificate file cannot be uploaded. For more information, see Certificate requirements.
  • HTTPS listeners do not support Server Name Indication (SNI). You can use TCP listeners instead, and then configure SNI on backend servers.
  • The session ticket timeout period of HTTPS listeners is 300 seconds.
  • The actual amount of traffic generated on an HTTPS listener is larger than the billed traffic amount because some traffic is used for handshaking.
  • If a large number of new connections are established, a large amount of traffic will be generated.
  1. Select an uploaded server certificate, or click Create Server Certificate to upload a server certificate.
    For more information, see Certificate overview.
  2. To enable HTTPS mutual authentication or configure a TLS security policy, click Modify next to Advanced.
  3. Turn on Enable Mutual Authentication, and select an uploaded CA certificate or click Create CA Certificate to upload a CA certificate.
    You can use a self-signed CA certificate. For more information, see Certificate overview.
  4. Select a TLS security policy. For more information, see Manage TLS security policies.
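A pre-upload check for the PEM requirements in the notes above (PEM encoding and the rejection of files carrying a BEGIN DH PARAMETERS block), as an added Python example that is not SLB code and not from the original page. It checks the PEM container only, not the key algorithm or size; the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# One PEM block: the label on the BEGIN line must be repeated on the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)

def pem_blocks(text):
    """Return (label, decoded bytes) for every PEM block in the file;
    raises ValueError when a block body is not valid base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        try:
            data = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            raise ValueError(f"block {m.group('label')!r} is not valid base64")
        blocks.append((m.group("label"), data))
    return blocks

def check_pem_for_upload(text):
    """Problems that would make the upload fail (empty list: passes)."""
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    labels = [label for label, _ in blocks]
    problems = []
    if not blocks:
        problems.append("no PEM block found; the file must be PEM encoded")
    elif "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if "DH PARAMETERS" in labels:
        problems.append("file contains a BEGIN DH PARAMETERS block; remove it before upload")
    return problems

def constructed_block(label, payload):
    """Build a syntactically valid PEM block around CONSTRUCTED bytes; the
    payload is a placeholder, not real certificate or key material."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

SAMPLE_OK = constructed_block("CERTIFICATE", b"constructed placeholder, not a real certificate")
SAMPLE_WITH_DH = SAMPLE_OK + constructed_block("DH PARAMETERS", b"constructed placeholder")
```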

Step 4: Add backend servers

After configuring the listener, you must add backend servers to process client requests. You can use the default server group configured for the SLB instance, or configure a VServer group or a primary/secondary server group. For more information, see Backend server overview.

This example uses the default server group.

  1. Select Default Server Group and click Add More.
  2. Select ECS instances (backend servers) that you want to add, and then click Next.
  3. Configure weights for the added backend servers.
    A backend server with a higher weight receives more requests.
    Note If the weight of a backend server is set to 0, the backend server does not receive new requests.
  4. Click Add. On the Default Server Group tab, configure ports for the backend servers.
    Set a port for each backend server to receive requests. Valid values: 1 to 65535. You can specify the same port for multiple backend servers of an SLB instance.
  5. Click Next.
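The three scheduling algorithms described under Scheduling Algorithm in Step 2, together with the weight rules from this step (a higher weight receives more requests; weight 0 receives no new requests), as an added Python example; it is not SLB's implementation and not from the original page, and uses the common smooth weighted round robin variant for WRR.

```python
from dataclasses import dataclass

@dataclass
class Backend:
    name: str
    weight: int           # weight 0: the server receives no new requests
    connections: int = 0  # active connections, used by WLC
    current: int = 0      # running counter for smooth WRR

def eligible(backends):
    return [b for b in backends if b.weight > 0]

def pick_rr(backends, counter):
    """Round robin: counter is the number of picks made so far."""
    pool = eligible(backends)
    return pool[counter % len(pool)] if pool else None

def pick_wrr(backends):
    """Smooth weighted round robin: every call adds each weight to its
    backend's counter, picks the highest counter, then subtracts the total
    weight from the winner. Over one full cycle each backend is chosen in
    proportion to its weight. Returns None when no backend is eligible."""
    pool = eligible(backends)
    if not pool:
        return None
    total = sum(b.weight for b in pool)
    for b in pool:
        b.current += b.weight
    winner = max(pool, key=lambda b: b.current)
    winner.current -= total
    return winner

def pick_wlc(backends):
    """Weighted least connections: fewest active connections wins; on a tie
    the backend with the higher weight wins, as the page describes."""
    pool = eligible(backends)
    if not pool:
        return None
    return min(pool, key=lambda b: (b.connections, -b.weight))

if __name__ == "__main__":
    # Constructed pool: A gets three requests for every one B gets; C is drained.
    pool = [Backend("A", 3), Backend("B", 1), Backend("C", 0)]
    print([pick_wrr(pool).name for _ in range(8)])  # A chosen 6 times, B 2 times
```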

Step 5: Configure health checks

SLB checks the availability of backend servers by performing health checks. Health checks improve the availability of frontend services by minimizing downtime caused by unhealthy backend servers. Click Modify to configure advanced health check settings. For more information, see Health check overview.

Step 6: Submit the configurations

Submit the configurations by performing the following operations:

  1. In the Submit step, check the configuration. You can click Modify to modify configuration settings.
  2. Click Submit.
  3. In the Configure Successful dialog box, click OK.

    You can check the created listener on the Listener tab.