This topic describes how to add an HTTPS listener to an Application Load Balancer (ALB) instance. HTTPS is used for applications that require encrypted data transmission. You can create HTTPS listeners that use encrypted connections to distribute HTTPS requests. HTTPS listeners enable traffic encryption between an ALB instance and clients that initiate SSL or TLS sessions.
Prerequisites
- An ALB instance is created. For more information, see Create an ALB instance.
- At least one SSL server certificate and one TLS security policy are deployed on the ALB instance. For more information, see TLS security policies.
- The forwarding actions in the default forwarding rule are configured and the destination backend servers are specified. For more information, see Manage server groups.
Step 1: Configure an HTTPS listener
To configure an HTTPS listener, perform the following steps:
Step 2: Configure an SSL certificate
To create an HTTPS listener, you must configure an SSL certificate to ensure that data transmission is encrypted and the identities of users are verified by a trusted authority.
For more information about regions that support mutual authentication for ALB, see Release notes.
Certificate | Description | Required for one-way authentication | Required for mutual authentication |
---|---|---|---|
Server certificate | The certificate that is used to identify the server. Your browser uses the server certificate to check whether the certificate sent by the server is signed and issued by a trusted certification authority (CA). For more information, see Alibaba Cloud SSL Certificates Service. | Yes. You must upload the server certificate to the ALB system. | Yes. You must upload the server certificate to the ALB system. |
Client certificate | The certificate that is used to identify the client. The server identifies the client by checking the certificate sent by the client. | No | Yes. You must install the client certificate on the client. |
CA certificate | The server uses a CA certificate to verify the signature on the client certificate. If the signature is invalid, the connection request is denied. | No | Yes. You must upload the CA certificate to the ALB system. |
TLS security policy | A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS listeners. For more information, see TLS security policies. | Yes | Yes |
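The CA certificate row above can be checked locally before anything is uploaded. The following script is an added example, not part of the original topic or of ALB itself: it builds a throwaway CA, a client certificate issued by it, and a self-signed certificate with the same subject, then runs the same kind of signature check with the openssl command-line tool. The file names, the subject names, and the use of openssl are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Every certificate here is a throwaway constructed for the demo.
set -eu

make_pki() {  # $1 = empty working directory
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Client CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  # CA certificate: the file that is uploaded to ALB for mutual authentication.
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Client certificate issued by that CA: the file installed on the client.
  openssl req -new -config "$dir/ca.cnf" -subj "/CN=client-1" -newkey rsa:2048 \
    -nodes -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/client.crt" 2>/dev/null
  # Self-signed certificate with the same subject, not issued by the CA.
  openssl req -x509 -config "$dir/ca.cnf" -subj "/CN=client-1" -newkey rsa:2048 \
    -nodes -days 1 -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
}

# Succeeds only if the client certificate's signature chains to the CA certificate.
client_cert_trusted() {  # $1 = CA certificate, $2 = client certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_pki "$work"
for c in client rogue; do
  if client_cert_trusted "$work/ca.crt" "$work/$c.crt"; then
    echo "$c.crt: signed by ca.crt, accepted"
  else
    echo "$c.crt: not signed by ca.crt, denied"
  fi
done
rm -rf "$work"
```

Running `client_cert_trusted` against the real CA file and one issued client certificate before enabling mutual authentication catches the case where the uploaded CA is not the one that signed the client certificates.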
Step 3: Select a server group
On the Select Server Group wizard page, select a server group from the Server Group drop-down list, confirm the information about the backend servers, and click Next.
Step 4: Review the configuration
On the Configuration Review wizard page, confirm the configuration and then click Submit.
FAQ
- What are the SSL protocol versions supported by HTTPS listeners?
HTTPS listeners support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. For more information, see TLS security policies.
- Can backend servers obtain the protocol version used by the associated HTTPS listener?
Yes, backend servers can obtain the protocol version used by the associated HTTPS listener.
- Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
- If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
- If client requests do not use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.