You can enable SSL encryption over HTTPS to encrypt transmitted data. This topic describes how to enable HTTPS. After you enable HTTPS, you can connect to ApsaraDB for ClickHouse clusters over HTTPS.
SSL is developed by Netscape to allow encrypted communication between a web server and a client. SSL supports various encryption algorithms, such as Rivest Cipher 4 (RC4), Message Digest algorithm 5 (MD5), and Rivest-Shamir-Adleman (RSA). The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). The term "SSL encryption" is commonly used in the industry. In this topic, SSL encryption refers to TLS encryption.
ApsaraDB for ClickHouse supports SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
Only ApsaraDB for ClickHouse clusters of version 20.8 or later support HTTPS.
HTTPS is automatically enabled for ApsaraDB for ClickHouse clusters of version 20.8 or later created after December 1, 2021. You must manually enable HTTPS for ApsaraDB for ClickHouse clusters of version 20.8 or later created before December 1, 2021 if HTTPS is required.
ApsaraDB for ClickHouse clusters are restarted after HTTPS is enabled. Exercise caution when you enable HTTPS.
The response time for network connectivity increases when ApsaraDB for ClickHouse clusters are connected over HTTPS.
The CPU utilization increases when ApsaraDB for ClickHouse clusters are connected over HTTPS. If you use the Internet and your business requires data encryption, we recommend that you use HTTPS to connect to ApsaraDB for ClickHouse. A virtual private cloud (VPC) is secure. In most cases, you do not need to use HTTPS to connect to ApsaraDB for ClickHouse if a VPC is used.
If you use a public endpoint or a VPC endpoint to connect to the same ApsaraDB for ClickHouse cluster, the SSL certificate authority (CA) certificate is the same. You are not charged for the use of the SSL CA certificate after you download the certificate. The certificate is valid until December 25, 2031.
The public endpoint and the VPC endpoint can be used to connect to your cluster over HTTPS. The HTTPS port number is 8443.
After you enable HTTPS, you can also connect to ApsaraDB for ClickHouse clusters over other protocols.
Log on to the ApsaraDB for ClickHouse console.
On the Clusters page, click the Default Instances tab, find the cluster that you want to manage, and then click the ID of the cluster.
On the Cluster Information page, click Enable HTTPS Protocol.
In the Note message, click OK.
After you enable HTTPS, the state of the cluster changes to Restarting. The cluster remains in the Restarting state for approximately 1 minute. Wait until the state of the cluster changes to Running. When the state of the cluster becomes Running, HTTPS is enabled.
Click Download CA Certificate to download the compressed package of the SSL CA certificate files.
The downloaded file is ClickHouse-CA-Chain.pem and is used to import CA certificates to other systems or applications.