When you configure one-way authentication on an HTTPS listener, you only need to upload a server certificate: the client verifies the server, but the server does not require a client certificate.

Prerequisites

  • A certificate is purchased.
  • Two Elastic Compute Service (ECS) instances that host different application services are created. In this example, the ECS instances are referred to as ECS01 and ECS02. For more information, see Create an instance by using the wizard.

Step 1: Upload a server certificate

Before you configure one-way authentication on an HTTPS listener, you must purchase a server certificate and upload it to the certificate management system of Classic Load Balancer (CLB). You do not need to configure the backend ECS instances for this.

  1. Log on to the CLB console.
  2. In the left-side navigation pane, click Certificates.
  3. On the Certificates page, click Create Certificate.
  4. In the Create Certificate panel, set the following parameters and click Create.
    Select Certificate Source: In this example, Alibaba Cloud Certificates is selected.
    Certificates: Select an area and a certificate from the drop-down lists.
    Resource Group: Select a resource group from the drop-down list.
    Region: Select the region where you want to deploy the certificate.

Step 2: Create a CLB instance

  1. Log on to the CLB console.
  2. On the Instances page, click Create CLB.
  3. Set the following parameters to create a CLB instance.
    Region: Select the region where you want to create the CLB instance.

    Note: Make sure that the CLB instance and the Elastic Compute Service (ECS) instances that you want to specify as backend servers belong to the same region.

    Zone Type: Specify whether you want to deploy the CLB instance in one zone or across multiple zones. A zone is an Alibaba Cloud data center that contains its own set of independent infrastructure resources. Infrastructure resources such as networks, power supply, and air-conditioning in different zones are independent of each other, so when the infrastructure in one zone is down, the other zones can still serve your workloads. Each zone belongs to a specific region, and a region may contain one or more zones. Multi-zone CLB instances are available in most regions.
    • Single zone: The CLB instance is deployed in only one zone.
    • Multi-zone: The CLB instance is deployed across two zones. The primary zone distributes network traffic by default. When the primary zone is down, the system automatically switches to the secondary zone and continues to provide load balancing services. This ensures high service availability.

    Primary Zone: Select the primary zone for the CLB instance to distribute network traffic.

    Backup Zone: Select the secondary zone for the CLB instance. The secondary zone distributes network traffic only when the primary zone is down.

    Instance Name: Enter a name for the CLB instance. The name must be 1 to 80 characters in length, and can contain characters such as letters, digits, hyphens (-), forward slashes (/), periods (.), and underscores (_).

    Instance Spec: Select a specification for the CLB instance. The performance of the CLB instance varies based on the specification. For more information, see Overview.

    Instance Type: Create an Internet-facing CLB instance or an internal-facing CLB instance based on your business requirements. The system allocates a public or private IP address to the CLB instance based on the specified instance type. Internet is selected in this example.
    • If you create an Internet-facing CLB instance, a public IP address is allocated to it, and the CLB instance can provide services over the Internet.
    • If you create an internal-facing CLB instance, a private IP address is allocated to it. You can access the CLB instance only from within the networks of Alibaba Cloud, not over the Internet.
    For more information, see Overview.

    IP Version: Select the IP protocol version that is used by the CLB instance: IPv4 or IPv6. For more information about the regions and zones that support IPv6 CLB instances, see Overview of IPv6 CLB instances.

    Internet Charge Type: Select a billing method.

    Quantity: Specify the number of CLB instances that you want to purchase.

    Resource Group: Select the resource group to which the CLB instance belongs.
  4. Click Buy Now and complete the payment.

Step 3: Create an HTTPS listener

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the CLB instance is deployed.
  3. Use one of the following methods to open the listener configuration wizard:
    • On the Instances page, find the CLB instance that you want to manage and click Configure Listener in the Actions column.
    • On the Instances page, click the ID of the CLB instance that you want to manage. On the Listener tab, click Add Listener.
  4. Set the following parameters and click Next.
    Select Listener Protocol: Select the protocol of the listener. HTTPS is selected in this example.

    Backend Protocol: In this topic, HTTPS is used, and Backend Protocol is set to HTTPS.

    Listening Port: Specify the listener port that is used to receive requests and forward them to backend servers. Valid values: 1 to 65535. HTTPS uses port 443.

    Listener Name: Specify a name for the custom listener. The name must be 1 to 256 characters in length, and can contain letters, digits, hyphens (-), forward slashes (/), periods (.), and underscores (_).

    Advanced: Click Modify to configure the following advanced settings.

    Scheduling Algorithm: Select a scheduling algorithm.
    • Weighted Round-Robin (WRR): Backend servers with higher weights receive more requests than backend servers with lower weights.
    • Round-Robin (RR): Requests are distributed to backend servers in sequence.

    Enable Session Persistence: Specify whether to enable session persistence. After session persistence is enabled, CLB forwards all requests from a client to the same backend server. CLB persists HTTP sessions based on cookies and allows you to use the following methods to process cookies:
    • Insert cookie: If you select this option, you only need to specify the timeout period of the cookie. CLB inserts a cookie (SERVERID) into the first HTTP or HTTPS response that is sent to a client. The next request from the client contains this cookie, and the listener forwards the request to the recorded backend server.
    • Rewrite cookie: If you select this option, you can specify the cookie that you want to insert into an HTTP or HTTPS response. You must specify the timeout period and the lifetime of the cookie on the backend server. After you specify a cookie, CLB overwrites the original cookie with the specified cookie. The next time CLB receives a client request that carries the specified cookie, the listener distributes the request to the recorded backend server.

    Enable HTTP/2: Specify whether to enable HTTP/2 for the frontend protocol of the CLB instance.

    Enable Access Control: Specify whether to enable access control. After you enable access control, select an access control method and then select an access control list (ACL) to use as the whitelist or blacklist of the listener.
    • Whitelist: Only requests from the IP addresses or CIDR blocks in the specified ACL are forwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access an application. Your business may be adversely affected if the whitelist is not set properly: after a whitelist is configured, only IP addresses in the whitelist can access the CLB listener. If you enable a whitelist but the whitelist does not contain any IP address, the listener forwards all requests.
    • Blacklist: Requests from the IP addresses or CIDR blocks in the specified ACL are blocked. Choose this option if you want to block requests from specific IP addresses. If you enable a blacklist but the blacklist does not contain any IP address, the listener forwards all requests.

    Note: IPv6 instances can be associated only with IPv6 network ACLs, and IPv4 instances can be associated only with IPv4 network ACLs. For more information, see Create an access control list.

    Enable Peak Bandwidth Limit: Specify whether to set a bandwidth limit for the listener. If a CLB instance is billed based on bandwidth usage, you can set different maximum bandwidth values for different listeners to limit the amount of traffic that flows through each listener. The sum of the maximum bandwidth values of all listeners that are added to a CLB instance cannot exceed the maximum bandwidth value of the CLB instance. By default, this feature is disabled and all listeners share the bandwidth of the CLB instance.

    Note: If a CLB instance is billed based on data transfer, the bandwidth of its listeners is not limited by default.

    Idle Timeout: Specify the timeout period of idle connections. Unit: seconds. Valid values: 1 to 60. If no request is received within the specified timeout period, SLB closes the connection and re-establishes it when a new connection request is received.

    Request Timeout: Specify the request timeout period. Unit: seconds. Valid values: 1 to 180. If no response is received from the backend server within the request timeout period, SLB returns an HTTP 504 error code to the client.

    Enable Gzip Compression: If you enable Gzip compression, files of specific types are compressed. If you disable Gzip compression, no file is compressed. Gzip supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.

    Add HTTP Header Fields: You can add the following HTTP header fields:
    • X-Forwarded-For: Add this header field to retrieve the real IP address of the client.
    • SLB-ID: Add this header field to retrieve the ID of the CLB instance.
    • SLB-IP: Add this header field to retrieve the IP address of the CLB instance.
    • X-Forwarded-Proto: Add this header field to retrieve the listener protocol used by the CLB instance.
    • X-Forwarded-Port: Add this header field to retrieve the listener port of the CLB instance.
    • X-Forwarded-Client-srcport: Add this header field to retrieve the port over which a client communicates with the CLB instance.

    Obtain Client Source IP Address: Specify whether to retrieve the client IP address. By default, this feature is enabled.

    Automatically Enable Listener After Creation: Specify whether to immediately enable the listener after it is created. By default, listeners are enabled after they are created.

    WAF Protection: Specify whether to enable Web Application Firewall (WAF) protection for the listener.
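Two details in the listener settings above are easy to get wrong on the backend side: an ACL with no entries forwards every request (an empty whitelist is not a deny-all), and the X-Forwarded-For header is only meaningful when the request really arrived through CLB. The following Python is an added example, not Alibaba Cloud code. It emulates the listener's ACL decision and shows how an application on ECS01 or ECS02 should derive the client address and the listener protocol from the header fields the listener adds. The CLB source range (100.64.0.0/10) and all addresses are constructed placeholders, and the code assumes CLB appends the address it accepted the connection from as the last X-Forwarded-For element, as nginx-style proxies do.

```python
import ipaddress
from typing import Iterable, Mapping

# Constructed placeholder: the range CLB connects to backends from.
# Take the real value from your own deployment, not from this example.
CLB_SOURCE_NETS = [ipaddress.ip_network("100.64.0.0/10")]


def listener_forwards(client_ip: str, acl: Iterable[str], mode: str) -> bool:
    """Emulate the access-control decision of a CLB listener.

    mode is "whitelist" or "blacklist". An ACL without entries behaves as if
    access control were off: every request is forwarded (documented above).
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(e, strict=False) for e in acl]
    # An IPv4 listener can only be bound to IPv4 ACLs (IPv6 likewise).
    if any(n.version != ip.version for n in nets):
        raise ValueError("ACL entries must match the listener's IP version")
    if not nets:
        return True
    matched = any(ip in n for n in nets)
    return matched if mode == "whitelist" else not matched


def client_source_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Return the client address a backend should log and authorise on.

    X-Forwarded-For is trusted only when the TCP peer is CLB itself; a request
    that reaches the ECS instance directly must not choose its own address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in n for n in CLB_SOURCE_NETS):
        return peer_ip  # not from CLB: ignore any forwarded header
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    hops = [h for h in hops if h]
    if not hops:
        return peer_ip
    # Assumed: CLB appends the connecting client's address last; earlier
    # elements came from the client or upstream proxies and are untrusted.
    return hops[-1]


def request_used_https(headers: Mapping[str, str]) -> bool:
    """True when the listener protocol reported by CLB was HTTPS."""
    return headers.get("X-Forwarded-Proto", "").lower() == "https"
```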

Step 4: Check network connectivity

  1. Return to the Instances page and view the health check status.

    If Normal is displayed, the backend servers can receive requests from the listener.

  2. Enter the public IP address of the CLB instance in the browser.
    [Figure: response served by ECS01] [Figure: response served by ECS02]