This topic describes how to add an HTTPS listener to an Application Load Balancer (ALB) instance. HTTPS is intended for applications that require encrypted data transmission. You can create HTTPS listeners to distribute HTTPS requests. HTTPS listeners enable traffic encryption between an ALB instance and clients that initiate SSL or TLS sessions.

Prerequisites

  • An ALB instance is created. For more information, see Create an ALB instance.
  • At least one SSL server certificate and one TLS security policy are deployed on the ALB instance. For more information, see TLS security policies.
  • A group of backend servers is specified in the default forwarding rule of the listener to receive requests. For more information, see Create and manage a server group.

Step 1: Configure a listener

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.
  3. Use one of the following methods to open the listener configuration wizard:
    • On the Instances page, find the ALB instance, and click Create Listener in the Actions column.
    • On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.
  4. In the Configure Listener step, set the following parameters and click Next.
    • Listener Protocol: Select the protocol of the listener. HTTPS is selected in this example.
    • Listener Port: Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. 443 is entered in this example. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS.
      Valid values: 1 to 65535.
      Note The ports on which an ALB instance listens must be unique.
    • Listener Name: Enter a name for the listener. The name must be 2 to 256 characters in length and can contain letters, digits, periods (.), underscores (_), hyphens (-), commas (,), semicolons (;), forward slashes (/), and at signs (@).
    • Advanced Settings: You can click Modify to configure the following advanced settings.
      • Enable HTTP/2: Specify whether to enable HTTP/2.
      • Idle Connection Timeout Period: Specify a timeout period for idle connections. Unit: seconds. Valid values: 1 to 60.
        If no request is received within the specified timeout period, ALB closes the connection. When another request is received, ALB establishes a new connection.
        Note This feature is unavailable for HTTP/2 requests.
      • Connection Request Timeout Period: Specify a request timeout period. Unit: seconds. Valid values: 1 to 180.
        If no response is received from the backend server within the request timeout period, ALB returns the HTTP 504 error code to the client.
      • Compression: If you enable compression, files of specific types are compressed. If you disable compression, no file is compressed.
        All file types support Brotli compression. File types that support Gzip compression: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
      • Add HTTP Header Fields: Supported headers:
        • X-Forwarded-For: retrieves client IP addresses.
        • SLB-ID: retrieves the ID of the ALB instance.
        • X-Forwarded-Proto: retrieves the listening protocol.
        • X-Forwarded-Clientcert-subjectdn: retrieves information about the owner of the client certificate.
        • X-Forwarded-Clientcert-issuerdn: retrieves information about the authority that issued the client certificate.
        • X-Forwarded-Clientcert-fingerprint: retrieves the fingerprint of the client certificate.
        • X-Forwarded-Clientcert-clientverify: retrieves the verification result of the client certificate.
        • X-Forwarded-Port: retrieves the listening port.
        • X-Forwarded-Client-srcport: retrieves the client port.
      • QUIC Upgrade: Select whether to enable QUIC upgrade. To use this feature, you must select a QUIC listener from the Associate QUIC Listener drop-down list.
        If no QUIC listener is created, click Create Listener to create one. For more information, see Add a QUIC listener.
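The headers listed under Add HTTP Header Fields are only as trustworthy as the path the request took to reach the backend. The following backend-side parser is an added example, not code from the original page or from Alibaba Cloud. It assumes that backend servers accept traffic only from the ALB (otherwise a client could write these headers itself), that the ALB appends the address it observed as the last entry of X-Forwarded-For, and that a passed client-certificate check is reported as the literal value "SUCCESS" (an assumed token; confirm the value your listener sends before relying on it). Certificate subject, issuer and fingerprint are exposed only when the verification header reports success, so application code cannot authorise a request on an unverified subject DN.

```python
"""Read ALB-added request headers on a backend server (added example).

Assumptions (not stated on the original page):
  * backend servers are reachable only through the ALB;
  * the ALB appends the observed client address as the rightmost
    X-Forwarded-For entry;
  * a verified client certificate is reported as "SUCCESS".
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Mapping, Optional

CLIENT_VERIFY_OK = "SUCCESS"  # assumed token for a passed client-cert check


@dataclass
class ForwardedInfo:
    client_ip: Optional[str]                # X-Forwarded-For (rightmost entry)
    client_port: Optional[int]              # X-Forwarded-Client-srcport
    proto: Optional[str]                    # X-Forwarded-Proto
    listener_port: Optional[int]            # X-Forwarded-Port
    alb_id: Optional[str]                   # SLB-ID
    client_cert_verified: bool              # X-Forwarded-Clientcert-clientverify
    client_cert_subject: Optional[str]      # set only when verified
    client_cert_issuer: Optional[str]       # set only when verified
    client_cert_fingerprint: Optional[str]  # set only when verified


def _port(value: Optional[str]) -> Optional[int]:
    """Parse a port header; anything outside 1-65535 or non-numeric is dropped."""
    if value is None:
        return None
    try:
        port = int(value.strip())
    except ValueError:
        return None
    return port if 1 <= port <= 65535 else None


def _observed_ip(xff: Optional[str]) -> Optional[str]:
    """Return the rightmost valid address in X-Forwarded-For.

    Entries to the left may have been supplied by the client or by
    upstream proxies, so they are never used for access decisions.
    """
    if not xff:
        return None
    last = xff.split(",")[-1].strip()
    try:
        return str(ip_address(last))
    except ValueError:
        return None


def parse_alb_headers(headers: Mapping[str, str]) -> ForwardedInfo:
    """Build a ForwardedInfo; header names are matched case-insensitively."""
    h = {name.lower(): value for name, value in headers.items()}
    verified = h.get("x-forwarded-clientcert-clientverify", "").strip() == CLIENT_VERIFY_OK
    proto = h.get("x-forwarded-proto")
    return ForwardedInfo(
        client_ip=_observed_ip(h.get("x-forwarded-for")),
        client_port=_port(h.get("x-forwarded-client-srcport")),
        proto=proto.strip().lower() if proto else None,
        listener_port=_port(h.get("x-forwarded-port")),
        alb_id=h.get("slb-id"),
        client_cert_verified=verified,
        client_cert_subject=h.get("x-forwarded-clientcert-subjectdn") if verified else None,
        client_cert_issuer=h.get("x-forwarded-clientcert-issuerdn") if verified else None,
        client_cert_fingerprint=h.get("x-forwarded-clientcert-fingerprint") if verified else None,
    )


def is_authenticated_https(info: ForwardedInfo) -> bool:
    """True only for requests that arrived over HTTPS with a verified client certificate."""
    return info.proto == "https" and info.client_cert_verified


# Constructed sample: the client injected a fake X-Forwarded-For entry and the
# ALB appended the address it actually observed. IDs and fingerprint are placeholders.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "10.0.0.1, 203.0.113.7",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Client-srcport": "51234",
    "SLB-ID": "alb-EXAMPLE-ID",
    "X-Forwarded-Clientcert-clientverify": "SUCCESS",
    "X-Forwarded-Clientcert-subjectdn": "CN=device-42,O=Example",
    "X-Forwarded-Clientcert-issuerdn": "CN=Example Private CA",
    "X-Forwarded-Clientcert-fingerprint": "00:11:22:33",
}

if __name__ == "__main__":
    info = parse_alb_headers(SAMPLE_HEADERS)
    print(info)
    print("authenticated:", is_authenticated_https(info))
```

The parser deliberately takes the rightmost X-Forwarded-For entry rather than the first: the first entry is whatever the client chose to send. Network-level restriction of the backend to the ALB remains the control that makes any of these headers meaningful; the SLB-ID value is passed through for logging, not used as proof of origin.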

Step 2: Configure an SSL certificate

To create an HTTPS listener, you must configure an SSL certificate for identity authentication to ensure secure data transfer.

The following certificates and policies are involved. For each, the table notes whether it is required for one-way authentication and for mutual authentication.

  • Server certificate
    Description: A server certificate is used to authenticate the identity of a server. Your browser uses the server certificate to check whether the certificate sent by the server is signed and issued by a trusted certificate authority (CA). For more information, see What is an SSL certificate?.
    Required for one-way authentication: Yes. You can purchase or upload a server certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses it.
    Required for mutual authentication: Yes. The certificate is obtained in the same way as for one-way authentication.
  • Client certificate
    Description: A client certificate is used to authenticate the identity of a client. A server authenticates the identity of a client by verifying the certificate sent by the client.
    Required for one-way authentication: No.
    Required for mutual authentication: Yes. You must install the client certificate on the client.
  • CA certificate
    Description: A CA certificate is used by a server to verify the signature on a client certificate. If the signature is invalid, the connection request is denied.
    Required for one-way authentication: No.
    Required for mutual authentication: Yes. You can purchase or upload a CA certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses it.
  • TLS security policy
    Description: A TLS security policy contains the TLS protocol versions and cipher suites that are available for HTTPS. For more information, see TLS security policies.
    Required for one-way authentication: Yes.
    Required for mutual authentication: Yes.

Note If you want to access multiple domain names or add multiple server certificates, you can add additional certificates to the HTTPS listener. For more information, see Add an additional certificate.

  1. In the Configure SSL Certificates step, select a server certificate.
    If no server certificate is available, you can click Create Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
  2. To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.
  3. Turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud as the certificate source and select a CA certificate from the Default CA Certificate drop-down list.

    If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

    Note
    • Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.
    • If you want to disable mutual authentication after you enable this feature, perform the following operations:
      1. On the Instances page, click the ID of the ALB instance that you want to manage.
      2. On the Listener tab, click the ID of the HTTPS listener that you want to manage.
      3. On the Listener Details tab, disable mutual authentication in the SSL Certificate section.
  4. Select a TLS security policy and click Next.
    If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.

Step 3: Select a server group

In the Select Server Group step, select a server group, view the backend servers, and then click Next.

Step 4: Review the configuration

On the Confirm wizard page, confirm the configuration and click Submit.

FAQ

  • What are the TLS versions supported by HTTPS listeners?

    HTTPS listeners support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. For more information, see TLS security policies.

  • Can backend servers retrieve the TLS version used by the associated HTTPS listener?

    Yes, backend servers can retrieve the TLS version used by the associated HTTPS listener.

  • Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
    • If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
    • If client requests use protocols other than HTTP/1.1 and HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.