This topic describes how to add an HTTPS listener to an Application Load Balancer (ALB) instance. HTTPS is intended for applications that require encrypted data transmission. You can create HTTPS listeners to distribute HTTPS requests. HTTPS listeners enable traffic encryption between an ALB instance and clients that initiate SSL or TLS sessions.

Prerequisites

  • An ALB instance is created. For more information, see Create an ALB instance.
  • At least one SSL server certificate and one TLS security policy are deployed on the ALB instance. For more information, see TLS security policies.
  • A group of backend servers is specified in the default forwarding rule of the listener to receive requests. For more information, see Manage server groups.

Step 1: Configure a listener

To configure an HTTPS listener, perform the following operations:

  1. Log on to the ALB console.
  2. Use one of the following methods to open the listener configuration wizard:
    • On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
    • On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.
  3. On the Configure Listener wizard page, set the following parameters and click Next.
    Listener Protocol: Select a listening protocol. HTTPS is selected in this example.

    Listener Port: Enter the port on which the ALB instance listens. The ALB instance listens on this port and forwards requests to backend servers. Valid values: 1 to 65535. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS. 443 is entered in this example.
      Note: The ports on which an ALB instance listens must be unique.

    Listener Name: Enter a name for the listener. The name must be 2 to 256 characters in length and can contain letters, digits, periods (.), underscores (_), hyphens (-), commas (,), semicolons (;), forward slashes (/), and at signs (@).

    Advanced Settings: Click Modify to configure the following advanced settings.
      • Enable HTTP/2: Specify whether to enable HTTP/2.
      • Idle Connection Timeout Period: Specify the timeout period of idle connections. Unit: seconds. Valid values: 1 to 60. If no request is received within the specified timeout period, ALB closes the connection. When another request is received, ALB establishes a new connection.
        Note: This setting does not apply to HTTP/2 requests.
      • Connection Request Timeout Period: Specify the request timeout period. Unit: seconds. Valid values: 1 to 180. If no response is received from the backend server within the request timeout period, ALB returns an HTTP 504 error code to the client.
      • Compression: If you enable compression, files of specific types are compressed. If you disable compression, no file is compressed. All file types support Brotli compression. File types that support Gzip compression: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
      • Add HTTP Header Fields: Specify the header fields that ALB adds to requests before forwarding them to backend servers. Supported headers:
        • X-Forwarded-For: retrieves client IP addresses.
        • SLB-ID: retrieves the ID of the ALB instance.
        • X-Forwarded-Proto: retrieves the listening protocol.
        • X-Forwarded-Clientcert-subjectdn: retrieves information about the owner of the client certificate.
        • X-Forwarded-Clientcert-issuerdn: retrieves information about the authority that issued the client certificate.
        • X-Forwarded-Clientcert-fingerprint: retrieves the fingerprint of the client certificate.
        • X-Forwarded-Clientcert-clientverify: retrieves the verification result of the client certificate.
        • X-Forwarded-Port: retrieves the listening port.
        • X-Forwarded-Client-Port: retrieves the client port.
      • QUIC Upgrade: Select whether to enable QUIC upgrade. To use this feature, you must select a QUIC listener from the Associate QUIC Listener drop-down list. If no QUIC listener is created, click Create Listener to create one. For more information, see Add a QUIC listener.
      • WAF Protection: Specify whether to enable Web Application Firewall (WAF) protection for the listener.
        Note: Only Internet-facing ALB instances support WAF.

Step 2: Configure an SSL certificate

To create an HTTPS listener, you must configure an SSL certificate for identity authentication to ensure secure data transfer.

The following certificates and policy are involved. For each, the table states whether it is required for one-way authentication (the client verifies the server) and for mutual authentication (the client and the server verify each other).

Server certificate
  Description: A server certificate is used to authenticate the identity of a server. The client (for example, a browser) checks whether the certificate sent by the server is signed and issued by a trusted certificate authority (CA). For more information, see SSL Certificates.
  Required for one-way authentication: Yes. You must upload the server certificate to the ALB system.
  Required for mutual authentication: Yes. You must upload the server certificate to the ALB system.

Client certificate
  Description: A client certificate is used to authenticate the identity of a client. The server authenticates the client by verifying the certificate sent by the client.
  Required for one-way authentication: No.
  Required for mutual authentication: Yes. You must install the client certificate on the client.

CA certificate
  Description: A CA certificate is used by the server to verify the signature on a client certificate. If the signature is invalid, the connection request is denied.
  Required for one-way authentication: No.
  Required for mutual authentication: Yes. You must upload the CA certificate to the ALB system.

TLS security policy
  Description: A TLS security policy contains the TLS protocol versions and cipher suites that are available for HTTPS. For more information, see TLS security policies.
  Required for one-way authentication: Yes.
  Required for mutual authentication: Yes.

  1. On the Configure SSL Certificate wizard page, select a server certificate or click Buy Certificate in the Server Certificate drop-down list to purchase a new certificate.
  2. To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.
  3. Enable mutual authentication. Then, select an uploaded CA certificate or click Purchase CA Certificate to purchase a CA certificate.
    Note
    • You can enable mutual authentication only for standard ALB instances. After mutual authentication is enabled, you can create a CA certificate. Basic ALB instances do not support mutual authentication.
    • If you want to disable mutual authentication, perform the following operations:
      1. On the Instances page, click the ID of the ALB instance that you want to manage.
      2. On the Listener tab, click the ID of the HTTPS listener that you want to manage.
      3. On the Listener Details tab, disable mutual authentication.
  4. Select a TLS security policy and click Next. For more information about TLS security policies, see TLS security policies.
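The header fields listed under Add HTTP Header Fields in Step 1 and the mutual authentication configured in Step 2 meet on the backend server: ALB performs the client certificate check, and the backend only sees the result in the X-Forwarded-Clientcert-* headers. The following added example (not Alibaba Cloud code, and not taken from this page) shows a backend reading those headers. The header names are the ones listed on this page; all header values are constructed sample data, and the success marker for X-Forwarded-Clientcert-clientverify (CLIENTVERIFY_OK) is an assumption that must be confirmed against a real request from your listener.

```python
"""Read the request headers an ALB HTTPS listener can add, on the backend.

Added example, not Alibaba Cloud code. Header names are from the listener
documentation; header values below are constructed sample data, and the
success marker for X-Forwarded-Clientcert-clientverify is an assumption.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption: the value ALB writes when the client certificate verified
# successfully. Confirm against a real request before relying on it.
CLIENTVERIFY_OK = "SUCCESS"


@dataclass(frozen=True)
class ForwardedInfo:
    client_ip: Optional[str]
    client_port: Optional[int]
    listener_proto: Optional[str]
    listener_port: Optional[int]
    alb_id: Optional[str]
    client_cert_verified: bool
    client_cert_subject: Optional[str]
    client_cert_issuer: Optional[str]
    client_cert_fingerprint: Optional[str]


def _to_port(value: Optional[str]) -> Optional[int]:
    """Parse a port header defensively; anything malformed becomes None."""
    if value is None:
        return None
    value = value.strip()
    if not value.isdigit():
        return None
    port = int(value)
    return port if 0 < port < 65536 else None


def parse_forwarded_headers(headers: Mapping[str, str]) -> ForwardedInfo:
    """Extract the ALB-added fields from one request's headers.

    Only apply this to requests that actually arrived from the ALB (for
    example, a backend that admits the ALB's addresses only): any other
    peer can put arbitrary values into these headers.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # X-Forwarded-For is a comma-separated list. ALB appends the address it
    # saw on the connection, so the rightmost entry is the one ALB vouches
    # for; entries further left were already in the client's own request.
    xff = h.get("x-forwarded-for")
    client_ip = xff.split(",")[-1].strip() if xff else None

    verified = h.get("x-forwarded-clientcert-clientverify", "").strip() == CLIENTVERIFY_OK

    return ForwardedInfo(
        client_ip=client_ip,
        client_port=_to_port(h.get("x-forwarded-client-port")),
        listener_proto=(h.get("x-forwarded-proto") or "").strip().lower() or None,
        listener_port=_to_port(h.get("x-forwarded-port")),
        alb_id=h.get("slb-id"),
        client_cert_verified=verified,
        # Identity fields are only meaningful when ALB reports a verified cert.
        client_cert_subject=h.get("x-forwarded-clientcert-subjectdn") if verified else None,
        client_cert_issuer=h.get("x-forwarded-clientcert-issuerdn") if verified else None,
        client_cert_fingerprint=h.get("x-forwarded-clientcert-fingerprint") if verified else None,
    )


def authenticated_subject(info: ForwardedInfo) -> Optional[str]:
    """Return the client certificate subject to use as the caller identity,
    or None unless the request came over HTTPS with a verified certificate."""
    if info.listener_proto != "https" or not info.client_cert_verified:
        return None
    return info.client_cert_subject


# Constructed sample headers for a mutual-TLS request through an HTTPS listener.
SAMPLE_MTLS_HEADERS = {
    "Host": "api.example.com",
    "X-Forwarded-For": "203.0.113.10",
    "X-Forwarded-Client-Port": "51234",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
    "SLB-ID": "alb-EXAMPLE-ID",  # constructed placeholder, not a real instance ID
    "X-Forwarded-Clientcert-subjectdn": "CN=device-0001,O=Example Corp",
    "X-Forwarded-Clientcert-issuerdn": "CN=Example Device CA,O=Example Corp",
    "X-Forwarded-Clientcert-fingerprint": "0123456789abcdef0123456789abcdef01234567",  # constructed
    "X-Forwarded-Clientcert-clientverify": CLIENTVERIFY_OK,
}

# Same request, but the certificate did not verify (constructed value).
SAMPLE_UNVERIFIED_HEADERS = dict(SAMPLE_MTLS_HEADERS,
                                 **{"X-Forwarded-Clientcert-clientverify": "FAILED"})

if __name__ == "__main__":
    for name, hdrs in (("verified", SAMPLE_MTLS_HEADERS),
                       ("unverified", SAMPLE_UNVERIFIED_HEADERS)):
        info = parse_forwarded_headers(hdrs)
        print(name, info.client_ip, info.listener_port, authenticated_subject(info))
```

The design point is that the subject and issuer DNs are only surfaced when the clientverify header reports success, and the caller identity is only derived when the listening protocol is HTTPS; a backend that reads the subject DN on its own would accept whatever DN an unverified certificate carried.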

Step 3: Select a server group

On the Select Server Group wizard page, specify Server Type, select a server group of that type, confirm the backend servers, and then click Next.

Step 4: Review the configuration

On the Confirm wizard page, confirm the configuration and click Submit.

FAQ

  • What are the TLS versions supported by HTTPS listeners?

    HTTPS listeners support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. For more information, see TLS security policies.

  • Can backend servers retrieve the TLS version used by the associated HTTPS listener?

    Yes, backend servers can retrieve the TLS version used by the associated HTTPS listener.

  • Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
    • If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
    • If client requests use protocols other than HTTP/1.1 and HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.