Server Load Balancer: Configure an ALB instance to serve multiple domain names over HTTPS

Last Updated: Jan 17, 2024

This topic describes how to enable an HTTPS listener of an Application Load Balancer (ALB) instance to forward HTTPS requests destined for different domain names to different backend servers.

Scenario

After ALB receives an HTTPS request, ALB matches the requested domain name against the certificates that you uploaded. If the request matches one of the certificates, ALB returns the certificate to the client for authentication and forwards the request to a backend server based on the forwarding rule that you configured for the domain name.

The following configurations are used in this example:

  • The default certificate of the listener is associated with the domain name aliyundoc.com. The default backend server group is RS1.

  • The additional certificate example1 of the listener is associated with the domain name www.example.com. Requests that are destined for https://www.example.com are forwarded to the backend server group RS1.

  • The additional certificate example2 of the listener is associated with the domain name www.example.org. Requests that are destined for https://www.example.org are forwarded to the backend server group RS2.

Prerequisites

  • An ALB instance is created. For more information, see Create an ALB instance.

  • Server groups RS1 and RS2 are created. For more information, see Create and manage a server group.

  • ECS01 is added to RS1 and ECS02 is added to RS2. Applications are deployed on ECS01 and ECS02.

  • The domain name is registered and an Internet content provider (ICP) number is obtained for the domain name. For more information, see Register a domain name on Alibaba Cloud and ICP filing application overview.

  • Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to create a certificate, see Get started with SSL Certificates Service. The following certificates are used in this example:

    • The default certificate that is associated with the domain name aliyundoc.com.

    • The additional certificate example1 that is associated with the domain name www.example.com.

    • The additional certificate example2 that is associated with the domain name www.example.org.

Step 1: Create an HTTPS listener

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, find the ALB instance, and click Create Listener in the Actions column.

  5. In the Configure Listener step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements, or use the default values. After you set the parameters, click Next.

    Parameter          Description
    Listener Protocol  In this example, HTTPS is selected.
    Listener Port      In this example, port 443 is selected.

  6. In the Configure SSL Certificate step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements, or use the default values. After you set the parameters, click Next.

    Parameter           Description
    Server Certificate  In this example, the default certificate named default is selected.

  7. In the Select Server Group step, set the parameters. The following table describes some of the parameters. Set the other parameters based on your business requirements, or use the default values. After you set the parameters, click Next.

    Parameter     Description
    Server Group  In this example, the server group RS1 is selected.

  8. In the Configuration Review step, check the parameter settings and click Submit.

Step 2: Add additional certificates

  1. On the Instances page, click the ID of the ALB instance that you want to manage.

  2. On the Listener tab, find the HTTPS listener that you created, and click Manage Certificate in the Actions column.

  3. On the Certificates > Server Certificates tab, click Add EV Certificate.

  4. In the Add Additional Certificate dialog box, select the certificate example1, and click OK. Repeat this step to add the additional certificate example2.

Step 3: Create forwarding rules

  1. On the Instances page, click the ID of the ALB instance that you want to manage.

  2. On the Listener tab, find the HTTPS listener that you created and click View/Modify Forwarding Rule in the Actions column.

  3. On the Forwarding Rules tab, click Add New Rule to add a forwarding rule in the inbound direction.

  4. Add one more forwarding rule and click OK.

    • If Domain Name is set to www.example.com, set Forward to RS1 and the weight of RS1 to 100.

    • If Domain Name is set to www.example.org, set Forward to RS2 and the weight of RS2 to 100.

    Note
    • The server group with a higher weight receives more requests. In this example, the weights of the server groups are set to 100.

    • Valid values for the weight are 1 to 100.

Step 4: Configure domain name resolution

Configure a CNAME record for www.example.com and www.example.org to map them to the public domain name of the ALB instance.

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. Find the ALB instance that you want to manage and copy its domain name.

  4. To create a CNAME record, perform the following operations:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Manage DNS page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.

      Important

      Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.

    4. Find the domain name that you want to manage and click DNS Settings in the Actions column.

    5. On the DNS Settings page, click Add Record.

    6. In the Add DNS Record panel, configure the following parameters and click OK.

      Parameter           Description
      Record Type         Select CNAME from the drop-down list.
      Hostname            Enter the prefix of your domain name.
      DNS Request Source  Select Default.
      Record Value        Enter the CNAME, which is the domain name of the ALB instance.
      TTL                 Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example.

      Note
      • After you create a CNAME record, it immediately takes effect. After you modify a record, the record takes effect based on the TTL of the record. By default, the TTL is 10 minutes.

      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name. For more information, see Rules for conflicting DNS records.

Step 5: Verify the result

Access www.example.com and www.example.org from a browser to test whether you can access ALB. In this example, a static webpage is created on each of the backend servers in RS1 and RS2.

  • Use a browser to access the domain name www.example.com, which is associated with the additional certificate example1. The request is forwarded to ECS01 in RS1 based on the forwarding rule. The following figure shows the test result. [Figure: ECS01 verification result]

  • Access the domain name www.example.org, which is associated with the additional certificate example2, from a browser. The request is forwarded to ECS02 in RS2 based on the forwarding rule. The following figure shows the test result. [Figure: ECS02 verification result]

Note

If you cannot access the domain names, restart your browser to clear the cache and try again.
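The browser test shows which backend answered, but not which certificate the listener presented for each name. The following Python check is an added example, not part of the original documentation: it confirms that the certificate served for each domain name actually covers that name. The names fetch_cert, audit, SAMPLE and ALB_ENDPOINT are hypothetical, and it assumes the listener selects the certificate from the TLS SNI name and falls back to the default certificate when no additional certificate matches.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS names from a certificate dict in ssl.getpeercert() format."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole leftmost label covering one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return False

def covers(cert, host):
    return any(name_matches(n, host) for n in san_dns_names(cert))

def fetch_cert(endpoint, sni, port=443, timeout=5):
    """Connect to the ALB endpoint and request `sni`; the chain is still verified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name check is done by covers() instead
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def audit(hosts, get_cert):
    """Return {host: names actually served} for every host its cert does not cover."""
    failures = {}
    for host in hosts:
        cert = get_cert(host)
        if not covers(cert, host):
            failures[host] = san_dns_names(cert)
    return failures

# Constructed sample: what would be served if example2 had not been attached,
# so www.example.org receives the default certificate for aliyundoc.com.
SAMPLE = {
    "www.example.com": {"subjectAltName": (("DNS", "www.example.com"),)},
    "www.example.org": {"subjectAltName": (("DNS", "aliyundoc.com"),)},
}

if __name__ == "__main__":
    print(audit(["www.example.com", "www.example.org"], SAMPLE.get))
    # Live check (ALB_ENDPOINT is a placeholder for the instance's domain name):
    # audit(hosts, lambda h: fetch_cert(ALB_ENDPOINT, h))
```

Because fetch_cert connects to the ALB domain name directly and only sets the SNI value, the check can be run before the CNAME records in Step 4 are changed.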

References

Create a domain name-based or URL-based forwarding rule