This topic describes how to configure multiple certificates for an HTTPS Classic Load Balancer (CLB) listener to forward requests from different domain names to different vServer groups.

Scenario

A CLB instance deployed in the China (Hangzhou) region is used as an example in this topic. An HTTPS listener is added to the CLB instance and one-way authentication is enabled for the listener. The listener is configured to forward requests destined for example.com to the vServer group named RS1 and forward requests destined for example.org to the vServer group named RS2.
  • The default certificate of the listener is associated with the domain name aliyundoc.com. The default certificate is enabled, and requests destined for the domain name associated with the default certificate are forwarded to RS1.
  • The domain name example.com is associated with the additional certificate example1, and client requests destined for example.com are forwarded to RS1.
  • The domain name example.org is associated with the additional certificate example2, and client requests destined for example.org are forwarded to RS2.

Prerequisites

  • A CLB instance is deployed in the China (Hangzhou) region. For more information, see Create and manage a CLB instance.
  • A vServer group named RS1 and another vServer group named RS2 are created on the CLB instance. For more information, see Create and manage a vServer group.
  • An Elastic Compute Service (ECS) instance named ECS01 is added to RS1, and another ECS instance named ECS02 is added to RS2.
  • Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to obtain a certificate, see Use a certificate from Alibaba Cloud SSL Certificates Service. The following certificates are used in this example:
    • The default certificate that is associated with the domain name aliyundoc.com.
    • The additional certificate example1 that is associated with the domain name example.com.
    • The additional certificate example2 that is associated with the domain name example.org.

Step 1: Create an HTTPS listener

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the CLB instance is deployed. In this example, China (Hangzhou) is selected.
  3. On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
  4. On the Protocol and Listener wizard page, set the parameters of the listener and click Next.
    The following section describes the parameters that are relevant to this topic. For more information about the other parameters, see Add an HTTPS listener.
    • Select Listener Protocol: select HTTPS.
    • Listening Port: enter 443.
  5. On the SSL Certificates wizard page, select the server certificate that you uploaded. Click Next. The default certificate is selected in this example.
  6. On the Backend Servers wizard page, select VServer Group and select RS1 from the Server Group drop-down list.
  7. Keep the default values for other parameters and click Next to go to the Submit wizard page.

Step 2: Create forwarding rules

  1. On the Instances page, find the CLB instance that you want to manage and click the ID of the instance.
  2. On the Listener tab, find the Layer 7 listener that you want to manage and click Set Forwarding Rule in the Actions column.
  3. In the Add Forwarding Rules panel, set the parameters to create a forwarding rule.
    In this example, a forwarding rule is created for each domain name. URLs are not specified in the forwarding rules.
    1. Set Domain Name to example.com, select the RS1 vServer group, and then click Add Forwarding Rules.
    2. Set Domain Name to example.org, select the RS2 vServer group, and then click Add Forwarding Rules.
    For more information, see Forward requests based on domain names or URLs.
    Note: The domain names specified in the forwarding rules must be the same as those of the certificates added in Step 3: Add an additional certificate.
  4. After you create the forwarding rules, close the Add Forwarding Rules panel.

Step 3: Add an additional certificate

  1. On the Instances page, find the CLB instance that you want to manage and click the ID of the instance.
  2. On the Listener tab, find the HTTPS listener that you created and choose What to do next > Manage Additional Certificate in the Actions column.
  3. On the Manage Additional Certificate page, click Add Additional Certificate to add an additional certificate.
    1. Set Additional Certificate to example.com, select example.com from the Select Server Certificate drop-down list, and then click OK.
    2. Set Additional Certificate to example.org, select example.org from the Select Server Certificate drop-down list, and then click OK.
    The domain name can contain only letters, digits, hyphens (-), and periods (.). For more information, see Add an additional certificate.
    Note: The domain name of the certificate must be the same as that of the additional certificate.

Step 4: Configure domain name resolution

Add an A record to map the domain names example.com and example.org to the public IP address of the CLB instance.

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the CLB instance is deployed.
  3. Find the CLB instance that you want to manage and copy the domain name. In this example, the service IP address of the CLB instance is copied.
  4. Perform the following steps to add an A record:
    1. Log on to the Alibaba Cloud DNS console.
    2. On the Manage DNS page, click Add Domain Name.
    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.
      Important: Before you add the A record, you must use a TXT record to verify the ownership of the domain name.
    4. Find the domain names that you want to manage and click Configure in the Actions column.
    5. On the DNS Settings page, click Add Record.
    6. In the Add Record panel, set the following parameters and click Confirm.
      • Type: Select A from the drop-down list.
      • Host: Enter the prefix of your domain name. www is entered in this example.
      • ISP Line: Select Default.
      • Value: Enter the IP address that you copied, which is the IP address the CLB instance uses to provide services.
      • TTL: Select a time-to-live (TTL) value for the A record to be cached on the DNS server. The default value is used in this example.

Step 5: Verify the result

After you complete the preceding steps, you can access the CLB instance at https://www.example.com and https://www.example.org. The CLB instance forwards requests that are destined for different domain names to different vServer groups. In this example, a static web page is created on each of ECS01 and ECS02 by using NGINX. ECS01 is a backend server in RS1 and ECS02 is a backend server in RS2.

  1. Use a browser to access example.com, which is associated with the additional certificate example1. Based on the forwarding rules created for the CLB instance, the request is forwarded to a backend server in RS1.
    Response from RS1
  2. Use a browser to access example.org, which is associated with the additional certificate example2. Based on the forwarding rules created for the CLB instance, the request is forwarded to a backend server in RS2.
    Response from RS2
    Important: If you cannot access the website, restart your browser to clear the cache and try again.
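
The browser check in Step 5 shows which vServer group answered, but not which certificate the listener presented. The following script is an added example, not part of the original topic or of Alibaba Cloud's tooling: it sends each domain name from the scenario as the TLS SNI value and reports every hostname whose served certificate does not cover it. The function names and the sample certificate dictionaries are constructed for illustration; pass the service IP address of the CLB instance as the first argument to probe a real listener.

```python
import socket
import ssl
import sys

# Scenario from this topic: SNI hostname sent -> domain the served certificate must cover.
EXPECTED = {
    "example.com": "example.com",      # additional certificate example1
    "example.org": "example.org",      # additional certificate example2
    "aliyundoc.com": "aliyundoc.com",  # default certificate
}

def cert_dns_names(cert):
    """DNS names in a getpeercert() dict: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def fetch_cert(address, sni, port=443, timeout=5):
    """Handshake with the listener at `address`, sending `sni`; return the certificate."""
    ctx = ssl.create_default_context()  # the certificate chain is still validated
    ctx.check_hostname = False          # names are compared in audit() instead
    with socket.create_connection((address, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=sni) as tls:
        return tls.getpeercert()

def audit(served, expected=EXPECTED):
    """Return {sni: problem} for each SNI whose certificate misses the expected domain."""
    problems = {}
    for sni, domain in expected.items():
        names = cert_dns_names(served.get(sni, {}))
        if not any(name_matches(n, domain) for n in names):
            problems[sni] = f"expected a certificate for {domain}, got {names or 'none'}"
    return problems

def _cert(*dns):
    """Constructed sample shaped like ssl.SSLSocket.getpeercert() output."""
    return {"subject": ((("commonName", dns[0]),),), "subjectAltName": tuple(("DNS", d) for d in dns)}

SAMPLE_OK = {d: _cert(d) for d in EXPECTED}  # constructed: every hostname gets its own certificate
SAMPLE_BAD = {**SAMPLE_OK, "example.org": _cert("aliyundoc.com")}  # constructed: wrong certificate served

if __name__ == "__main__":
    served = {s: fetch_cert(sys.argv[1], s) for s in EXPECTED} if len(sys.argv) > 1 else SAMPLE_BAD
    print(audit(served) or "every hostname received its expected certificate")
```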