This topic describes how to add an HTTPS listener to an Application Load Balancer (ALB) instance. HTTPS is used for applications that require encrypted data transmission. You can create HTTPS listeners that use encrypted connections to distribute HTTPS requests. HTTPS listeners enable traffic encryption between an ALB instance and clients that initiate SSL or TLS sessions.

Prerequisites

  • An ALB instance is created. For more information, see Create an ALB instance.
  • At least one SSL server certificate and one TLS security policy are deployed on the ALB instance. For more information, see TLS security policies.
  • The forwarding actions in the default forwarding rule are configured and the destination backend servers are specified. For more information, see Manage server groups.

Step 1: Configure an HTTPS listener

To configure an HTTPS listener, perform the following steps:

  1. Log on to the ALB console.
  2. Use one of the following methods to open the listener configuration wizard:
    • On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
    • On the Instances page, click the ID of the ALB instance that you want to manage. On the Listeners tab, click Create Listener.
  3. On the Configure Listener wizard page, set the following parameters and click Next.
    Parameters:
    • Listener Protocol: Select the protocol of the listener. HTTPS is selected in this example.
    • Listener Port: Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. 443 is entered in this example. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS.
      Valid values: 1 to 65535.
      Note: The ports on which an ALB instance listens must be unique.
    • Listener Name: Enter a name for the listener. The name must be 2 to 256 characters in length. The name can contain only Chinese characters and the characters allowed by the following regular expression: /^([^\x00-\xff]|[\w.,;/@-]){2,256}$/.
    • Advanced Settings: Click Modify to configure advanced settings.
    • Enable HTTP/2: Specify whether to enable HTTP/2.
    • Idle Connection Timeout Period: Specify the timeout period of idle connections. Unit: seconds. Valid values: 1 to 60.
      If no request is received within the specified timeout period, ALB closes the current connection. ALB creates a new connection when a new connection request is received.
      Note: This feature is unavailable for HTTP/2 requests.
    • Connection Request Timeout Period: Specify the request timeout period. Unit: seconds. Valid values: 1 to 180.
      If no response is received from the backend server within the request timeout period, ALB returns an HTTP 504 error to the client.
    • Enable Gzip Compression: Specify whether to enable Gzip compression for specific file types.
      Gzip supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
    • Add HTTP Header Fields: You can add the following HTTP header fields:
      • X-Forwarded-For: obtains the real IP address of the client.
      • SLB-ID: obtains the ID of the ALB instance.
      • X-Forwarded-Proto: obtains the listener protocol of the ALB instance.
      • X-Forwarded-Clientcert-subjectdn: obtains information about the owner of the client certificate.
      • X-Forwarded-Clientcert-issuerdn: obtains information about the authority that issues the client certificate.
      • X-Forwarded-Clientcert-fingerprint: obtains the fingerprint of the client certificate.
      • X-Forwarded-Clientcert-clientverify: obtains the verification result of the client certificate.
      • X-Forwarded-Port: obtains the port on which the ALB instance listens.
      • X-Forwarded-Client-Port: obtains the port over which a client communicates with the ALB instance.
    • QUIC Update: Select whether to enable the QUIC update feature. If you enable QUIC update, select a QUIC listener and associate the listener with the ALB instance.

Step 2: Configure an SSL certificate

To create an HTTPS listener, you must configure an SSL certificate to ensure that data transmission is encrypted and the identities of users are verified by a trusted authority.

For more information about regions that support mutual authentication for ALB, see Release notes.

The following certificates and policies are used. For each one, the list states whether it is required for one-way authentication and for mutual authentication.

  • Server certificate: The certificate that is used to identify the server. Your browser uses the server certificate to check whether the certificate sent by the server is signed and issued by a trusted certification authority (CA). For more information, see Alibaba Cloud SSL Certificates Service.
    • Required for one-way authentication: Yes. You must upload the server certificate to the ALB system.
    • Required for mutual authentication: Yes. You must upload the server certificate to the ALB system.
  • Client certificate: The certificate that is used to identify the client. The server identifies the client by checking the certificate sent by the client.
    • Required for one-way authentication: No.
    • Required for mutual authentication: Yes. You must install the client certificate on the client.
  • CA certificate: The server uses a CA certificate to verify the signature on the client certificate. If the signature is invalid, the connection request is denied.
    • Required for one-way authentication: No.
    • Required for mutual authentication: Yes. You must upload the CA certificate to the ALB system.
  • TLS security policy: A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS listeners. For more information, see TLS security policies.
    • Required for one-way authentication: Yes.
    • Required for mutual authentication: Yes.

  1. On the Configure SSL Certificate wizard page, select a server certificate or click Buy Certificate in the Server Certificate drop-down list to purchase a new certificate.
  2. To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.
  3. Enable mutual authentication. Then, select an uploaded CA certificate, or click Purchase a CA certificate to purchase a CA certificate.
    Note If you want to disable mutual authentication, perform the following operations:
    1. On the Instances page, click the ID of the ALB instance that you want to manage.
    2. On the Listeners tab, click the ID of the HTTPS listener that you want to manage.
    3. On the Listener Details tab, disable mutual authentication.
  4. For more information about TLS security policies, see TLS security policies.
  5. Click Next.
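
As an added example (not Alibaba Cloud code and not part of the original page), the following Python check applies the limits stated in Step 1 and the certificate requirements stated in Step 2 to a listener definition before it is entered in the wizard. The dictionary keys, the function name, and the sample values are assumptions made for this example.

```python
import re

# Limits and the name pattern are the ones stated on this page.
NAME_RE = re.compile(r"^([^\x00-\xff]|[\w.,;/@-]){2,256}$", re.ASCII)
LIMITS = {
    "port": (1, 65535),
    "idle_timeout": (1, 60),      # seconds
    "request_timeout": (1, 180),  # seconds
}


def validate_listener(cfg, ports_in_use=()):
    """Return a list of problems; an empty list means cfg passes."""
    problems = []
    if cfg.get("protocol") != "HTTPS":
        problems.append("protocol: this check covers HTTPS listeners only")
    for key, (low, high) in LIMITS.items():
        value = cfg.get(key)
        # type() rather than isinstance() so that True/False are rejected.
        if type(value) is not int or not low <= value <= high:
            problems.append(f"{key}: must be an integer from {low} to {high}")
    if cfg.get("port") in ports_in_use:
        problems.append("port: already used by another listener")
    # fullmatch() also rejects a trailing newline that "$" alone would allow.
    if not NAME_RE.fullmatch(str(cfg.get("name", ""))):
        problems.append("name: 2 to 256 permitted characters required")
    # A server certificate and a TLS security policy are always required;
    # a CA certificate is required only for mutual authentication.
    required = ["server_certificate", "tls_policy"]
    if cfg.get("mutual_auth"):
        required.append("ca_certificate")
    for key in required:
        if not cfg.get(key):
            problems.append(f"{key}: required")
    return problems


# Constructed sample definitions; the identifiers are placeholders.
GOOD = {"protocol": "HTTPS", "port": 443, "name": "web-443",
        "idle_timeout": 15, "request_timeout": 60, "mutual_auth": False,
        "server_certificate": "cert-placeholder",
        "tls_policy": "policy-placeholder"}
BAD = dict(GOOD, name="a b", idle_timeout=120, mutual_auth=True)

if __name__ == "__main__":
    print(validate_listener(GOOD))
    for problem in validate_listener(BAD, ports_in_use={443}):
        print(problem)
```

The pattern's first alternative admits any character above U+00FF, while accented Latin-1 letters such as "é" fall inside the excluded range and are rejected.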

Step 3: Select a server group

On the Select Server Group wizard page, select a server group from the Server Group drop-down list, confirm the information about the backend servers, and click Next.

Step 4: Review the configuration

On the Configuration Review wizard page, confirm the configuration and then click Submit.

FAQ

  • What are the SSL protocol versions supported by HTTPS listeners?

    HTTPS listeners support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. For more information, see TLS security policies.

  • Can backend servers obtain the protocol version used by the associated HTTPS listener?

    Yes, backend servers can obtain the protocol version used by the associated HTTPS listener.

  • Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
    • If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
    • If client requests do not use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.