This topic describes how to configure multiple certificates for an HTTPS Classic Load Balancer (CLB) listener to forward requests destined for different domain names to different vServer groups.

Scenarios

A CLB instance named CLB 1 deployed in the China (Hangzhou) region is used as an example. An HTTPS listener is added to the CLB instance and one-way authentication is enabled for the listener. The listener is configured to forward requests destined for *.example.com to the vServer group named test1 and forward requests destined for www.aliyundoc.com to the vServer group named test2.

Prerequisites

  • A CLB instance is created in the China (Hangzhou) region. The CLB instance is named CLB 1. For more information, see Create a CLB instance.
  • The certificates that you want to use must be uploaded. For more information, see Certificate overview.
    • The default certificate used by the listener is named default.
    • The certificate named example1 is associated with the domain name *.example.com.
    • The certificate named example2 is associated with the domain name www.aliyundoc.com.

Step 1: Create an HTTPS listener

To create an HTTPS listener, perform the following operations:

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the CLB instance is deployed.
  3. On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
  4. Configure the listener.
    In this example, the listener is configured based on the following information. For more information about other parameters, see Add an HTTPS listener.
    • Mutual Authentication: Specify whether to enable mutual authentication. In this example, mutual authentication is disabled for the listener.
    • SSL Certificates: Select a certificate. In this example, the server certificate named default is selected.
    • Backend Servers: Select a vServer group. In this example, the vServer groups named tst1 and test2 are added to the listener.

Step 2: Configure forwarding rules

To configure forwarding rules for the listener, perform the following operations:

  1. On the Instance page, click the ID of CLB 1.
  2. On the Listener tab, find the HTTPS listener that you created and click Set Forwarding Rule in the Actions column.
  3. In the Add Forwarding Rules panel, set the parameters to create a forwarding rule. For more information, see Forward requests based on domain names or URLs.
    In this example, a forwarding rule is created for each domain name. URLs are not specified in the forwarding rules.
    • To create a forwarding rule for the domain name *.example.com, perform the operations: Enter a rule name. Enter *.example.com in the Domain Name field, select the vServer group named test1, and then click Add Forwarding Rules.
    • To create a forwarding rule for the domain name www.aliyundoc.com, perform the operations: Enter a rule name. Enter www.aliyundoc.com in the Domain Name field, select the vServer group named test2, and then click Add Forwarding Rules.
    Note The domain names specified in the forwarding rules must be the same as those of the certificates in Step 3: Add an additional certificate.

Step 3: Add an additional certificate

To add an additional certificate, perform the following operations:

  1. On the Instance page, click CLB 1.
  2. On the Listener tab, find the HTTPS listener that you created and choose More > Manage Additional Certificate in the Actions column.
  3. In the Manage Additional Certificate panel, click Add Additional Certificate, set the parameters, and click OK.
    • Enter a domain name. The domain name can contain only letters, digits, hyphens (-), and periods (.).
      Domain name-based forwarding rules support exact matching and wildcard matching.
      • Exact-match domain name: www.aliyun.com
      • Wildcard domain name: *.aliyun.com and *.market.aliyun.com

        If a request matches multiple forwarding rules, exact matching has a higher priority than wildcard matching, and exact wildcard matching has a higher priority than less exact wildcard matching. The following table describes the priorities.

        Note In the following table, Y indicates that the feature is supported and N indicates that the feature is not supported.
        Type Request URL Domain name-based forwarding rule
        www.aliyun.com *.aliyun.com *.market.aliyun.com
        Exact matching www.aliyun.com × ×
        Wildcard matching market.aliyun.com × ×
        Wildcard matching info.market.aliyun.com × ×
    • Select the certificate that is associated with the domain name.
      Note The domain name of the certificate must be the same as that of the additional certificate.
Notice If you cannot access the website, restart your browser to clear the cache.