This topic describes how to configure multiple certificates for an HTTPS Classic Load Balancer (CLB) listener to forward requests from different domain names to different vServer groups.
Scenario
A CLB instance deployed in the China (Hangzhou) region is used as an example in this topic. An HTTPS listener is added to the CLB instance and one-way authentication is enabled for the listener. The listener is configured to forward requests destined for example.com to the vServer group named RS1 and forward requests destined for example.org to the vServer group named RS2.
- The default certificate of the listener is associated with the domain name aliyundoc.com. The default certificate is enabled, and requests destined for the domain name associated with the default certificate are forwarded to RS1.
- The domain name example.com is associated with the additional certificate example1, and client requests destined for example.com are forwarded to RS1.
- The domain name example.org is associated with the additional certificate example2, and client requests destined for example.org are forwarded to RS2.
Prerequisites
- A CLB instance is deployed in the China (Hangzhou) region. For more information, see Create and manage a CLB instance.
- A vServer group named RS1 and another vServer group named RS2 are created on the CLB instance. For more information, see Create and manage a vServer group.
- An Elastic Compute Service (ECS) instance named ECS01 is added to RS1, and another ECS instance named ECS02 is added to RS2.
- Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to obtain a certificate, see Use a certificate from Alibaba Cloud SSL Certificates Service. The following certificates are used in this example:
  - The default certificate that is associated with the domain name aliyundoc.com.
  - The additional certificate example1 that is associated with the domain name example.com.
  - The additional certificate example2 that is associated with the domain name example.org.
Step 1: Create an HTTPS listener
- Log on to the CLB console.
- In the top navigation bar, select the region where the CLB instance is deployed. In this example, China (Hangzhou) is selected.
- On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
- On the Protocol and Listener wizard page, set the parameters of the listener and click Next.
  The following section describes the parameters that are relevant to this topic. For more information about the other parameters, see Add an HTTPS listener.
  - Select Listener Protocol: select HTTPS.
  - Listening Port: enter 443.
- On the SSL Certificates wizard page, select the server certificate that you uploaded. Click Next. The default certificate is selected in this example.
- On the Backend Servers wizard page, select VServer Group and select RS1 from the Server Group drop-down list.
- Keep the default values for other parameters and click Next to go to the Submit wizard page.
Step 2: Create forwarding rules
- On the Instances page, find the CLB instance that you want to manage and click the ID of the instance.
- On the Listener tab, find the Layer 7 listener that you want to manage and click Set Forwarding Rule in the Actions column.
- In the Add Forwarding Rules panel, set the parameters to create a forwarding rule.
  In this example, a forwarding rule is created for each domain name. URLs are not specified in the forwarding rules.
  - Set Domain Name to example.com, select the RS1 vServer group, and then click Add Forwarding Rules.
  - Set Domain Name to example.org, select the RS2 vServer group, and then click Add Forwarding Rules.
  For more information, see Forward requests based on domain names or URLs.
- After you create the forwarding rules, close the Add Forwarding Rules panel.
Step 3: Add an additional certificate
- On the Instances page, find the CLB instance that you want to manage and click the ID of the instance.
- On the Listener tab, find the HTTPS listener that you created and choose in the Actions column.
- On the Manage Additional Certificate page, click Add Additional Certificate to add an additional certificate.
  - Set Additional Certificate to example.com, select example.com from the Select Server Certificate drop-down list, and then click OK.
  - Set Additional Certificate to example.org, select example.org from the Select Server Certificate drop-down list, and then click OK.
  Note: The domain name of the certificate must be the same as that of the additional certificate.
Step 4: Configure domain name resolution
Add an A record to map the domain names example.com and example.org to the public IP address of the CLB instance.
- Log on to the CLB console.
- In the top navigation bar, select the region where the CLB instance is deployed.
- Find the CLB instance that you want to manage and copy the domain name. In this example, the service IP address of the CLB instance is copied.
- Perform the following steps to add an A record:
  - Log on to the Alibaba Cloud DNS console.
  - On the Manage DNS page, click Add Domain Name.
  - In the Add Domain Name dialog box, enter the domain name of your host and click OK.
    Important: Before you add the A record, you must use a TXT record to verify the ownership of the domain name.
  - Find the domain names that you want to manage and click Configure in the Actions column.
  - On the DNS Settings page, click Add Record.
  - In the Add Record panel, set the following parameters and click Confirm.
| Parameter | Description |
| --- | --- |
| Type | Select A from the drop-down list. |
| Host | Enter the prefix of your domain name. www is entered in this example. |
| ISP Line | Select Default. |
| Value | Enter the IP address that you copied, which is the IP address the CLB instance uses to provide services. |
| TTL | Select a time-to-live (TTL) value for the A record to be cached on the DNS server. The default value is used in this example. |
Step 5: Verify the result
After you complete the preceding steps, you can access the CLB instance at https://www.example.com and https://www.example.org. The CLB instance forwards requests that are destined for different domain names to different vServer groups. In this example, a static web page is created on each of ECS01 and ECS02 by using NGINX. ECS01 is a backend server in RS1 and ECS02 is a backend server in RS2.
- Use a browser to access example.com, which is associated with the additional certificate example1. Based on the forwarding rules created for the CLB instance, the request is forwarded to a backend server in RS1.
- Use a browser to access example.org, which is associated with the additional certificate example2. Based on the forwarding rules created for the CLB instance, the request is forwarded to a backend server in RS2.
Important: If you cannot access the website, restart your browser to clear the cache and try again.
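The browser check above shows which backend answered but not which certificate the listener presented. The following added example (not part of the original topic or of any Alibaba Cloud tooling) classifies the certificate returned for a given SNI name as a match, as the default certificate for aliyundoc.com, or as a mismatch. The function names and the sample certificate dictionaries are assumptions constructed for illustration.

```python
import socket
import ssl

DEFAULT_CERT_DOMAIN = "aliyundoc.com"  # domain of the listener's default certificate in this topic

def cert_dns_names(cert):
    """DNS names in a getpeercert() dict: the SAN entries, or the CN when no SAN exists."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label over at least two fixed labels."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def classify(host, cert):
    """Return 'match', 'default-fallback' or 'mismatch' for the certificate served to host."""
    names = cert_dns_names(cert)
    if any(name_matches(n, host) for n in names):
        return "match"
    if any(n == DEFAULT_CERT_DOMAIN or n.endswith("." + DEFAULT_CERT_DOMAIN) for n in names):
        return "default-fallback"
    return "mismatch"

def fetch_cert(clb_ip, sni_host, port=443, timeout=5):
    """Handshake with the CLB service IP while sending sni_host as the SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; classify() compares the names
    with socket.create_connection((clb_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
            return tls.getpeercert()

# Constructed getpeercert()-style results standing in for live handshakes.
SAMPLE_EXAMPLE1 = {"subject": ((("commonName", "example.com"),),),
                   "subjectAltName": (("DNS", "example.com"),)}
SAMPLE_DEFAULT = {"subject": ((("commonName", "aliyundoc.com"),),),
                  "subjectAltName": (("DNS", "aliyundoc.com"),)}

if __name__ == "__main__":
    print("example.com ->", classify("example.com", SAMPLE_EXAMPLE1))
    print("example.org ->", classify("example.org", SAMPLE_DEFAULT))
```

Against a live listener, pass the service IP address copied in Step 4 and each domain name to `fetch_cert`, then feed the result to `classify`; a `default-fallback` result for example.com or example.org means the certificate for aliyundoc.com was presented instead of the additional certificate.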