This topic describes how to add an HTTPS listener to a Classic Load Balancer (CLB) instance. HTTPS is intended for applications that require encrypted data transmission. You can add an HTTPS listener to forward HTTPS requests.
Prerequisites
A Classic Load Balancer (CLB) instance is created. For more information, see Create and manage a CLB instance.
Step 1: Configure an HTTPS listener
Step 2: Configure an SSL certificate
When you add an HTTPS listener, you must upload a server certificate and select a TLS security policy. If you enable mutual authentication, you must also upload the certificate authority (CA) certificate that issued the client certificates. The following table summarizes what each item is for and when it is required.
| Certificate | Description | Required for one-way authentication | Required for mutual authentication |
|---|---|---|---|
| Server certificate | Authenticates the identity of the server. A browser verifies the server by checking whether the certificate it presents is issued by a trusted CA. | Yes. Upload the server certificate to the certificate management system of CLB. | Yes. Upload the server certificate to the certificate management system of CLB. |
| Client certificate | Authenticates the identity of the client. The server verifies the certificate that the client presents. A client certificate can be signed with a self-signed CA certificate. | No | Yes. Install the client certificate on the client. |
| CA certificate | Used by the server to verify the signature on a client certificate. If the signature is invalid, the connection request is denied. | No | Yes. Upload the CA certificate to the certificate management system of CLB. |
| TLS security policy | Supported only by high-performance CLB instances. A TLS security policy defines the TLS protocol versions and cipher suites that the HTTPS listener accepts. For more information, see TLS security policies. | Yes | Yes |
- CLB supports the following public key algorithms: RSA 1024, RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384, and ECDSA P-521.
- The certificate that you upload must be in PEM format.
- After you upload a certificate to CLB, CLB manages it for you. You do not need to associate the certificate with backend servers; TLS terminates at the listener.
- Uploading, loading, and verifying a certificate takes a few minutes, so an HTTPS listener is not available immediately after it is created. Expect about 1 to 3 minutes before the listener is enabled.
- The ECDHE cipher suites used by HTTPS listeners provide forward secrecy. CLB does not support the additional parameters required by DHE cipher suites, so you cannot upload a certificate (PEM file) that contains a `BEGIN DH PARAMETERS` block. For more information, see Certificate requirements.
- By default, the session ticket timeout of an HTTPS listener is 300 seconds.
- The amount of data actually transferred over an HTTPS listener is larger than the billed amount because part of the traffic is consumed by TLS handshakes. This overhead grows considerably when a large number of connections are established.
- On the SSL Certificates wizard page, select the server certificate that you uploaded, or click Create Server Certificate to upload one now.
- Optional: Click Modify next to Advanced to enable mutual authentication or to configure a TLS security policy.
  - To enable mutual authentication, select an existing CA certificate or upload one. For more information, see Create a private CA.
  - For more information about TLS security policies, see TLS security policies.
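Before uploading, it is worth linting the PEM bundle against the requirements listed above, since a rejected upload costs a retry plus the 1 to 3 minute activation wait. The script below is an added example, not code from the CLB documentation or the CLB service: it checks that the file is PEM, that the leaf certificate's public key is one of the supported RSA sizes or ECDSA curves, and that no `DH PARAMETERS` block is present. It uses only the Python standard library, so it walks the DER structure itself rather than relying on an X.509 library. The `sample_pem()` fixtures it builds are constructed certificates with a dummy signature for demonstration and are not real CLB or CA material.

```python
"""Pre-upload lint for a CLB HTTPS listener certificate bundle (PEM).
Checks: PEM format, supported key (RSA 1024/2048/4096, ECDSA P-256/384/521),
and no DH PARAMETERS block.  Standard library only; the DER walker extracts
SubjectPublicKeyInfo.  sample_pem() builds constructed fixtures, not real certs.
"""
import base64
import re

# DER-encoded OBJECT IDENTIFIER contents for the key algorithms CLB accepts.
OID_RSA = bytes.fromhex("2a864886f70d010101")           # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")                # id-ecPublicKey
CURVES = {bytes.fromhex("2a8648ce3d030107"): "P-256",
          bytes.fromhex("2b81040022"): "P-384",
          bytes.fromhex("2b81040023"): "P-521"}
SUPPORTED = {("RSA", 1024), ("RSA", 2048), ("RSA", 4096),
             ("ECDSA", "P-256"), ("ECDSA", "P-384"), ("ECDSA", "P-521")}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_children(blob):
    """Split a DER SEQUENCE body (or a whole DER blob) into (tag, content) pairs."""
    out, i = [], 0
    while i < len(blob):
        tag, n, i = blob[i], blob[i + 1], i + 2
        if n & 0x80:                                    # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(blob[i:i + k], "big"), i + k
        out.append((tag, blob[i:i + n]))
        i += n
    return out


def key_info(cert_der):
    """Return ('RSA', modulus_bits) or ('ECDSA', curve_name) for a DER certificate."""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]   # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # skip optional [0] version
        fields = fields[1:]
    spki = fields[5][1]               # serial, sigAlg, issuer, validity, subject, SPKI
    alg, pubkey = der_children(spki)
    alg_oid, *params = der_children(alg[1])
    if alg_oid[1] == OID_RSA:
        # BIT STRING content: unused-bit count, then RSAPublicKey { modulus, exponent }
        modulus = der_children(der_children(pubkey[1][1:])[0][1])[0][1]
        return ("RSA", int.from_bytes(modulus, "big").bit_length())
    if alg_oid[1] == OID_EC and params:
        return ("ECDSA", CURVES.get(params[0][1], "unknown"))
    return ("unknown", None)


def check_bundle(pem_text):
    """Return (ok, message) for a PEM bundle destined for a CLB HTTPS listener."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return False, "not PEM: no -----BEGIN ...----- block found"
    if any(label == "DH PARAMETERS" for label, _ in blocks):
        return False, "bundle contains a DH PARAMETERS block; CLB uses ECDHE and rejects DHE parameters"
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if not certs:
        return False, "no CERTIFICATE block in bundle"
    try:                                                # first block is the leaf certificate
        kind, size = key_info(base64.b64decode("".join(certs[0].split())))
    except (IndexError, ValueError) as exc:
        return False, f"leaf certificate is not valid DER: {exc}"
    if (kind, size) not in SUPPORTED:
        return False, f"unsupported public key: {kind} {size}"
    return True, f"ok: leaf certificate key is {kind} {size}"


def _der(tag, body):
    """Minimal DER TLV encoder, used only to build fixtures."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body


def sample_pem(kind, size, extra_block=""):
    """Constructed, unsigned certificate with the requested key (fixture, not a real cert)."""
    if kind == "RSA":
        modulus = (1 << (size - 1)) | 1                 # top bit set so bit_length() == size
        rsa_pub = _der(0x30, _der(0x02, b"\x00" + modulus.to_bytes(size // 8, "big"))
                       + _der(0x02, b"\x01\x00\x01"))
        spki = _der(0x30, _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b""))
                    + _der(0x03, b"\x00" + rsa_pub))
    else:
        curve = {name: oid for oid, name in CURVES.items()}[size]
        spki = _der(0x30, _der(0x30, _der(0x06, OID_EC) + _der(0x06, curve))
                    + _der(0x03, b"\x00\x04" + b"\x11" * 64))
    name, utc = _der(0x30, b""), _der(0x17, b"240101000000Z")   # empty Name, UTCTime
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, OID_RSA)) + name + _der(0x30, utc + utc) + name + spki)
    cert = _der(0x30, tbs + _der(0x30, _der(0x06, OID_RSA)) + _der(0x03, b"\x00" * 33))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n{extra_block}"
```

To lint a real file, call `check_bundle(open("server.pem").read())` and upload only when the first element of the result is `True`. The check inspects the first CERTIFICATE block because that is the leaf the listener presents; intermediate certificates in a chain are not key-checked. Only the documented key types pass, so an RSA 3072 certificate, which is perfectly valid elsewhere, is reported as unsupported here.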
Step 3: Add backend servers
After the listener is created, you must add backend servers to process client requests. You can add backend servers to the default server group, or create vServer groups or primary/secondary server groups and then add servers to the server groups. For more information, see Backend server overview.
In this example, backend servers are added to the default server group.
Step 4: Configure health checks
CLB checks the availability of backend ECS instances by performing health checks. The health check feature improves service availability and prevents service interruptions caused by single points of failure.