You can enable SSL encryption over HTTPS to encrypt transmitted data. This topic describes how to enable HTTPS. After you enable HTTPS, you can connect to ApsaraDB ClickHouse clusters over HTTPS.

Background information

SSL is developed by Netscape to allow encrypted communication between a web server and a client. SSL supports various encryption algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to transport layer security (TLS). The term "SSL encryption" is commonly used in the industry. In this topic, SSL encryption refers to TLS encryption.

ApsaraDB ClickHouse supports SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

Limits

HTTPS can be enabled only for ApsaraDB ClickHouse clusters whose version is 20.8 or later.

Precautions

  • ApsaraDB ClickHouse clusters need to be restarted after HTTPS is enabled. Exercise caution when you enable HTTPS.
  • The response time of network connections increases when ApsaraDB ClickHouse clusters are connected over HTTPS.
  • The CPU utilization increases when ApsaraDB ClickHouse clusters are connected over HTTPS. If you use the Internet and your business requires data encryption, we recommend that you use HTTPS to connect to ApsaraDB ClickHouse. A virtual private cloud (VPC) is secure. In most cases, you do not need to use HTTPS to connect to ApsaraDB ClickHouse if a VPC is used.
  • If you use a public endpoint or a VPC endpoint to connect to the same ApsaraDB ClickHouse cluster, the SSL CA certificate is the same. You are not charged when you download the SSL CA certificate. The validity period of the certificate elapses after December 25, 2031.
  • The public endpoint and the VPC endpoint can be used to connect to your cluster over HTTPS. The HTTPS port number is 8443.
  • After you enable HTTPS, you can also connect to ApsaraDB ClickHouse clusters over other protocols.

Procedure

  1. Log on to the ApsaraDB for ClickHouse console.
  2. On the Clusters page, find the cluster that you want to manage and click the cluster ID.
  3. On the Cluster Information page, click Enable HTTPS Protocol.
  4. In the Note message that appears, click OK.
    After you enable HTTPS, the status of the cluster changes to Restarting. The cluster remains in this state for approximately one minute. Wait until the status of the cluster changes to Running. When the status of the cluster becomes Running, HTTPS is enabled.
  5. Click Download CA Certificate to download the SSL CA certificate files as a compressed package.
    The downloaded file is ClickHouse-CA-Chain.pem and is used to import CA certificates to other systems or applications.

Reference

Connect to ApsaraDB for ClickHouse clusters over HTTPS