Use a custom TLS security policy for ALB
When you deploy internet-facing websites or applications on Alibaba Cloud, you typically configure HTTPS to ensure secure data transmission. For HTTPS scenarios, ALB provides predefined TLS security policies to meet common requirements. If you have specific security or compliance needs, such as restricting TLS protocol versions or disabling certain cipher suites, create a custom TLS security policy and apply it to an ALB listener for enhanced security.
Limitations
-
Custom TLS security policies are not supported on Basic ALB instances. This feature is available only for Standard and WAF-enabled ALB instances. To use this feature on a Basic instance, you must upgrade the instance. For more information, see Upgrade an ALB instance.
-
When you create a custom TLS security policy, ensure that the specified TLS protocol versions and cipher suites are also supported by your clients, such as web browsers. Otherwise, clients may fail to connect to the server, disrupting user access.
Prerequisites
-
You have created an ALB instance. For more information, see Create and manage ALB instances.
-
You have created a server group. For more information, see Create and manage server groups.
-
You have added the ECS01 and ECS02 instances to the server group and deployed applications on both.
-
You have registered a domain name and completed its ICP filing. For more information, see Register a domain name on Alibaba Cloud and ICP filing process.
-
You have purchased a certificate or uploaded a third-party certificate to Certificate Management Service and associated it with your domain name. For more information about how to create a certificate, see Enable HTTPS access for a web application by using a formal certificate.
Step 1: Create a custom TLS security policy
-
Log on to the ALB console.
-
In the top navigation bar, select the region where the instance is deployed.
-
In the left-side navigation pane, choose TLS Security Policies.
-
On the Custom Policy tab, click Create Custom Policy.
-
Enter a name for the security policy, and select the minimum TLS protocol version and required cipher suites. For more information about the parameters, see TLS security policy. Then, click Create.
Step 2: Apply the custom TLS policy
Create an HTTPS listener
-
Log on to the ALB console.
-
In the top navigation bar, select the region where the instance is deployed.
-
In the left-side navigation pane, choose Instances.
-
On the Instances page, find the target instance, and then click Create Listener in the Actions column.
-
On the Configure Listener page, configure the following parameters. Keep the default values for other parameters or modify them as needed. Then, click Next.
Parameter
Description
Select Listener Protocol
Select HTTPS.
Listener Port
This example uses port 443.
-
On the SSL Certificate page, configure the following parameters. Keep the default values for other parameters or modify them as needed. Then, click Next.
Parameter
Description
Server Certificate
Select your server certificate.
TLS Security Policies
Select the custom policy created in Step 1.
-
On the Server Group page, configure the following parameters. Keep the default values for other parameters or modify them as needed. Then, click Next.
Parameter
Description
Server Group
Select the server group that you created.
-
On the Confirm page, confirm the settings and click Submit. Then, wait for the listener to be created.
Modify an HTTPS listener
-
Log on to the ALB console.
-
In the top navigation bar, select the region where the instance is deployed.
-
In the left-side navigation pane, choose Instances.
-
On the Instances page, find the target instance and click the instance ID.
-
On the Listener tab, find the target HTTPS listener and click the listener ID.
-
In the Certificate Management Service section, click the
icon next to TLS Security Policies. -
In the Modify TLS Security Policy dialog box, select the custom TLS security policy that you created, and then click Save.
Step 3: Configure DNS resolution
-
Log on to the ALB console.
-
In the top navigation bar, select a region.
-
Find the ALB instance for which you want to configure DNS resolution and copy its DNS name.
-
To add a CNAME record, follow these steps.
-
Log on to the Alibaba Cloud DNS console.
-
On the DNS Resolution page, click Add Zone.
-
In the Add Zone dialog box, enter your domain name and click OK.
ImportantYou must verify your domain name ownership with a TXT record.
-
Find the target domain name and click Settings in the Actions column.
-
On the Settings page, click Add Record.
-
In the Add Record panel, set the following parameters and click OK.
Parameter
Description
Record Type
Select CNAME.
Hostname
Enter the prefix of your domain name. Example:
www.Query Source
Select Default.
Record Value
Enter the DNS name of your ALB instance that you copied.
TTL
Time to Live (TTL). The duration that a DNS record is cached on DNS servers. This example uses the default value.
-
Step 4: Verify the result
In a web browser, enter the domain name for your ALB instance. Refresh the page multiple times to verify that requests are sent over HTTPS and distributed between the two backend servers.
If the page displays Hello World ! This is ECS01., the request is forwarded to the ECS01 backend server. If the page displays Hello World ! This is ECS02., the request is forwarded to the ECS02 backend server.
References
-
For more information about how to add an HTTPS listener and related considerations, see Add an HTTPS listener.
-
For more information about TLS security policies, including system-defined policies and the differences between them, see TLS security policy.
-
If you need to forward HTTPS requests for different domain names to different backend servers within the same listener, see Host multiple HTTPS websites on a single ALB instance.
-
To implement end-to-end encryption for sensitive services, see Configure end-to-end HTTPS.
-
To use mutual authentication for critical services that require a higher level of security, see Deploy an HTTPS service that uses mutual authentication on an ALB instance.