This topic describes how to configure multiple certificates for an HTTPS Classic Load Balancer (CLB) listener to forward requests destined for different domain names to different vServer groups.
Scenarios
A CLB instance named CLB 1 deployed in the China (Hangzhou) region is used as an example.
An HTTPS listener is added to the CLB instance and one-way authentication is enabled
for the listener. The listener is configured to forward requests destined for *.example.com
to the vServer group named test1 and forward requests destined for www.aliyundoc.com
to the vServer group named test2.
Prerequisites
- A CLB instance is created in the China (Hangzhou) region. The CLB instance is named CLB 1. For more information, see Create a CLB instance.
- The certificates that you want to use must be uploaded. For more information, see Certificate overview.
- The default certificate used by the listener is named default.
- The certificate named example1 is associated with the domain name *.example.com.
- The certificate named example2 is associated with the domain name www.aliyundoc.com.
Step 1: Create an HTTPS listener
To create an HTTPS listener, perform the following operations:
- Log on to the CLB console.
- In the top navigation bar, select the region where the CLB instance is deployed.
- On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
- Configure the listener.
In this example, the listener is configured based on the following information. For more information about other parameters, see Add an HTTPS listener.
- Mutual Authentication: Specify whether to enable mutual authentication. In this example, mutual authentication is disabled for the listener.
- SSL Certificates: Select a certificate. In this example, the server certificate named default is selected.
- Backend Servers: Select a vServer group. In this example, the vServer groups named test1 and test2 are added to the listener.
Step 2: Configure forwarding rules
To configure forwarding rules for the listener, perform the following operations:
- On the Instance page, click the ID of CLB 1.
- On the Listener tab, find the HTTPS listener that you created and click in the Actions column.
- In the Add Forwarding Rules panel, set the parameters to create a forwarding rule. For more information, see Forward requests based on domain names or URLs.
In this example, a forwarding rule is created for each domain name. URLs are not specified in the forwarding rules.
- To create a forwarding rule for the domain name *.example.com, perform the following operations:
Enter a rule name. Enter *.example.com in the Domain Name field, select the vServer group named test1, and then click Add Forwarding Rules.
- To create a forwarding rule for the domain name www.aliyundoc.com, perform the following operations:
Enter a rule name. Enter www.aliyundoc.com in the Domain Name field, select the vServer group named test2, and then click Add Forwarding Rules.
Note The domain names specified in the forwarding rules must be the same as those of the certificates in Step 3: Add an additional certificate.
Step 3: Add an additional certificate
To add an additional certificate, perform the following operations:
- On the Instance page, click CLB 1.
- On the Listener tab, find the HTTPS listener that you created and choose in the Actions column.
- In the Manage Additional Certificate panel, click Add Additional Certificate, set the parameters, and click OK.
- Enter a domain name. The domain name can contain only letters, digits, hyphens (-),
and periods (.).
Domain name-based forwarding rules support exact matching and wildcard matching.
- Exact-match domain name: www.aliyun.com
- Wildcard domain name: *.aliyun.com and *.market.aliyun.com
If a request matches multiple forwarding rules, exact matching has a higher priority than wildcard matching, and a more specific wildcard match has a higher priority than a less specific wildcard match. The following table describes the priorities.
Note In the following table, √ indicates that the feature is supported and × indicates that the feature is not supported.

| Type | Request URL | Forwarding rule: www.aliyun.com | Forwarding rule: *.aliyun.com | Forwarding rule: *.market.aliyun.com |
| --- | --- | --- | --- | --- |
| Exact matching | www.aliyun.com | √ | × | × |
| Wildcard matching | market.aliyun.com | × | √ | × |
| Wildcard matching | info.market.aliyun.com | × | × | √ |
- Select the certificate that is associated with the domain name.
Note The domain name of the certificate must be the same as that of the additional certificate.
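
The matching priority and the rule-to-certificate consistency requirement described above can be checked offline before the listener is changed. The following sketch is an added example, not part of the original page or of Alibaba Cloud's code; the function names and sample dictionaries are hypothetical, and it assumes that a wildcard may cover one or more leading labels, with the longest wildcard winning.

```python
import re

# Constructed sample configuration mirroring the scenario on this page.
FORWARDING_RULES = {"*.example.com": "test1", "www.aliyundoc.com": "test2"}
ADDITIONAL_CERTS = {"*.example.com": "example1", "www.aliyundoc.com": "example2"}

# Letters, digits, hyphens and periods, with an optional leading "*." wildcard.
DOMAIN_RE = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def matches(pattern, host):
    """Exact match, or wildcard match on the suffix that follows '*'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # Assumption: '*' may cover one or more leading labels.
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def select(domains, host):
    """Return the winning domain: exact first, then the longest wildcard."""
    hits = [d for d in domains if matches(d, host)]
    if not hits:
        return None  # no rule or additional certificate applies
    # Exact patterns rank above wildcards; longer wildcards above shorter ones.
    return max(hits, key=lambda d: (not d.startswith("*."), len(d)))


def audit(rules, certs):
    """List configuration problems before they reach the listener."""
    problems = []
    for domain in sorted(set(rules) | set(certs)):
        if not DOMAIN_RE.match(domain):
            problems.append(f"{domain}: invalid characters or format")
    for domain in sorted(set(rules) - set(certs)):
        problems.append(f"{domain}: forwarding rule has no additional certificate")
    return problems


if __name__ == "__main__":
    print(audit(FORWARDING_RULES, ADDITIONAL_CERTS) or "configuration consistent")
    for host in ("a.example.com", "www.aliyundoc.com", "other.test"):
        d = select(FORWARDING_RULES, host)
        print(host, "->", FORWARDING_RULES.get(d), ADDITIONAL_CERTS.get(d))
```

A host for which `select` returns `None` matches no additional certificate domain, so it is worth confirming which certificate such clients are served.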