Server Load Balancer:Configure an ALB instance to serve multiple domain names over HTTPS

How it works

When ALB receives an HTTPS request, it uses SNI to match the hostname in the TLS handshake against the certificates attached to the listener. It then returns the matching certificate to the client and forwards the request to the backend server group defined by the matching forwarding rule.

Each listener has one default certificate. The default certificate handles requests in two cases: when the client does not support SNI and therefore does not send a hostname during the TLS handshake, and when no additional certificate matches the requested hostname.

Example configuration

This tutorial uses the following setup:

ECS01 is added to RS1 and ECS02 is added to RS2, with applications deployed on both.

Prerequisites

Before you begin, ensure that you have:

• An ALB instance. See Create and manage ALB instances

• Backend server groups RS1 and RS2, with ECS01 added to RS1 and ECS02 added to RS2. See Create and manage a server group

• Registered domain names with an Internet Content Provider (ICP) filing. See Register a domain name on Alibaba Cloud and ICP filing process

• Three certificates uploaded to Certificate Management Service and associated with their respective domain names. If you purchased certificates from a third-party provider, upload them to Certificate Management Service first. See Secure your website with HTTPS:

  • Default certificate default for aliyundoc.com

  • Additional certificate example1 for www.example.com

  • Additional certificate example2 for www.example.org

Step 1: Create an HTTPS listener

1. Log on to the ALB console.

2. In the top navigation bar, select the region where your ALB instance is deployed.

3. In the left-side navigation pane, click Instances.

4. On the Instances page, find the ALB instance and click Create Listener in the Actions column.

5. In the Configure Listener step, set the following parameters, then click Next.

   Parameter	Value
   Listener protocol	HTTPS
   Listener port	443

6. In the Configure SSL Certificate step, set the following parameter, then click Next.

   Parameter	Value
   Server certificate	Default certificate default

7. In the Select Server Group step, set the following parameter, then click Next.

   Parameter	Value
   Server group	RS1

8. In the Configuration Review step, verify the settings and click Submit.

Step 2: Add additional certificates

Additional certificates let a single HTTPS listener serve multiple domain names. The listener matches each incoming hostname against the additional certificate list and returns the matching certificate. The default certificate continues to handle requests when no additional certificate matches — for example, from clients that do not send a hostname during the TLS handshake.

1. On the Instances page, click the ID of your ALB instance.

2. On the Listener tab, find the HTTPS listener and click Manage Certificate in the Actions column.

3. On the Certificates > Server Certificates tab, click Add EV Certificate.

4. In the Add Additional Certificate dialog box, select example1 and click OK.

5. Repeat steps 3–4 to add the additional certificate example2.

Step 3: Create forwarding rules

Forwarding rules determine which backend server group receives traffic for each domain name.

1. On the Instances page, click the ID of your ALB instance.

2. On the Listener tab, find the HTTPS listener and click View/Modify Forwarding Rule in the Actions column.

3. On the Forwarding Rules tab, click Add New Rule to create a forwarding rule in the inbound direction.

4. Configure the two rules as follows, then click OK.

   Domain name	Forward to	Weight
   www.example.com	RS1	100
   www.example.org	RS2	100

Step 4: Configure domain name resolution

Create a CNAME record for each domain name that points to the DNS name of your ALB instance. Repeat this process for both www.example.com and www.example.org.

1. Go to the ALB console, find your ALB instance, and copy its DNS name from the Domain Name column.

2. Add CNAME records with your DNS hosting provider. This example uses Alibaba Cloud DNS.

   1. Go to the Public Zone page in the Alibaba Cloud DNS console. Click the target domain name to open the Settings page, then click Add Record.

   2. Configure the CNAME record with the following settings, then click OK.

      Field	Value
      Record type	CNAME
      Hostname	The prefix of your domain name. For www.example.com, enter www.
      Query source	Default
      TTL	Use a lower Time-to-Live (TTL) value to make changes propagate faster.
      Record value	The DNS name of the ALB instance you copied in step 1.

   Note

   To manage a domain not registered with Alibaba Cloud, add it to the Alibaba Cloud DNS console first.

   Note

   To resolve a DNS record conflict, delete the conflicting record or use a different hostname.

3. Verify that the domain name points to the ALB instance. Run ping <custom_domain_name> or dig <custom_domain_name> on your local machine. If the output includes the ALB DNS name (for example, alb-xxxx.<region-id>.alb.aliyuncsslb.com), the CNAME record is active.

   Note

   New CNAME records take effect almost immediately. Changes to existing records take longer because DNS resolvers cache the record until its TTL expires.

Step 5: Verify the result

Access each domain from a browser to confirm that requests reach the correct backend server group.

• Open www.example.com. The request is forwarded to ECS01 in RS1 based on the forwarding rule.

• Open www.example.org. The request is forwarded to ECS02 in RS2 based on the forwarding rule.

What's next

• Create a domain name-based or URL-based forwarding rule