Server Load Balancer:Add an HTTPS listener

Step 1: Create a listener

1. Log on to the ALB console.

2. In the top navigation bar, select the region in which the ALB instance resides.

3. Use one of the following methods to open the listener configuration wizard:

   • On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.

   • On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.

4. On the Configure Listener wizard page, set the following parameters and click Next.

   Parameter	Description
   Listener Protocol	Select a listener protocol. In this example, HTTPS is selected.
   Listener Port	Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. In this example, port 443 is used. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS. Valid values: 1 to 65535. Note On the same ALB instance, the ports of listeners that use the same protocol must be unique. HTTP listeners and HTTPS listeners must use different ports.
   Listener Name	Enter a name for the listener.
   Tag	Configure the Tag Key and Tag Value parameters to add a tag. You can add one or more tags. After you specify tags, you can filter listeners by tag on the Listener tab.
   Advanced Settings	You can click Modify to configure the advanced settings.
   Enable HTTP/2	Specify whether to enable HTTP/2 for the listener.
   Idle Connection Timeout Period	Specify a timeout period for idle connections. Unit: seconds. Valid values: 1 to 60. To specify a longer timeout period, go to the Quota Center console. If no request is received within the specified timeout period, CLB closes the connection. When a request is received, CLB establishes a new connection. Note This feature is unavailable for HTTP/2 requests.
   Connection Request Timeout	Specify a request timeout period. Unit: seconds. Valid values: 1 to 180. To specify a longer timeout period, go to the Quota Center console. If no response is received from the backend server within the request timeout period, ALB returns the HTTP 504 error code to the client.
   Compression	If you enable compression, specific types of files are compressed. If you disable compression, no file is compressed. Brotli supports all file types. GZIP supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
   Retrieve Client IP	Specify whether to enable the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. If you enable this feature, you must specify trusted IP addresses. If you set the trusted IP address list to 0.0.0.0/0, the ALB instance retrieves the leftmost IP address in the X-Forwarded-For header. The IP address is the source client IP address. If you set the trusted IP address list in the format of proxy1 IP, proxy2 IP,.., the ALB instance compares the IP addresses in the X-Forwarded-For header from right to left against the trusted IP address list. The first IP address that is not on the trusted IP address list is considered the source client IP address. Usage notes If the X-Forwarded-For header contains multiple IP addresses, such as X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, …, the leftmost IP address is the source client IP address. If you want to enable the matching based on source IP addresses and throttling based on QPS per client IP address features in ALB forwarding rules, you must turn on the Retrieve Client IP switch to allow the ALB instance to retrieve source client IP addresses from the X-Forwarded-For header. For more information, see Create a forwarding rule.
   Add HTTP Header	The X-Forwarded-For header is selected by default. The header is used to retrieve source client IP addresses. ALB inserts source client IP addresses into the header and passes the header to backend servers. For more information, see Enable ALB to preserve client IP addresses. Select the HTTP headers that you want to add. Valid values: Add SLB-ID to Retrieve ALB ID: Add the SLB-ID header to store the ID of the ALB instance. Add X-Forwarded-Proto to Retrieve Listening Protocol: Add the X-Forwarded-Proto header to store the listener protocol. Add X-Forwarded-Clientcert-subjectdn to Retrieve Client Server Certificate Owner Info: Add the X-Forwarded-Clientcert-subjectdn header to store the owner information about the client certificate. Add X-Forwarded-Clientcert-issuerdn to Retrieve Client Certificate Issuer Info: Add the X-Forwarded-Clientcert-issuerdn header to store information about the authority that issues the client certificate. Add X-Forwarded-Clientcert-fingerprint to Retrieve Fingerprint of Client Certificate: Add the X-Forwarded-Clientcert-fingerprint header to store the fingerprint of the client certificate. Add X-Forwarded-Clientcert-clientverify to Retrieve Verification Result of Client Certificate: Add the X-Forwarded-Clientcert-clientverify header to store the verification result of the client certificate. Add X-Forwarded-Port to Retrieve Listening Port: Add the X-Forwarded-Port header to store the listener port. Add X-Forwarded-Client-srcport to Retrieve Client Port: Add the X-Forwarded-Client-srcport header to store the client port.
   QUIC Update	Specify whether to enable Quick UDP Internet Connections (QUIC) upgrade. To use this feature, you must select a QUIC listener from the Associated QUIC Listeners drop-down list. If no QUIC listener is created, click Create Listener to create one. For more information, see Add a QUIC listener. ALB supports iQUIC and gQUIC. For more information, see Use QUIC to accelerate the delivery of video and audio content.

Step 2: Add an SSL certificate

To create an HTTPS listener, you must configure an SSL certificate for identity authentication to secure data transmission. The following table describes the certificates that are supported by ALB.

1. In the SSL Certificate step, select a server certificate.

   If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.

2. To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.

3. Turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud from the CA Certificate Source drop-down list and select a CA certificate from the Default CA Certificate drop-down list.

   If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

   Note

   • Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.

   • If you want to disable mutual authentication after you enable this feature, perform the following operations:

     1. On the Instances page, click the ID of the NLB instance that you want to manage.

     2. On the Listener tab, click the ID of the HTTPS listener that you want to manage.

     3. On the Listener Details tab, disable mutual authentication in the SSL Certificate section.

4. Select a TLS security policy and click Next.

   If no TLS security policy is available, click Create TLS Security Policy to create one.

   A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS listeners. For more information, see TLS security policies.

Step 3: Select a server group

In the Server Group step, select a server group, view the backend servers, and then click Next.

Step 4: Review the configurations

In the Confirm step, confirm the configurations and click Submit.