Add an HTTP Listener to ALB for Web Traffic Routing - Application Load Balancer

HTTP listeners forward incoming HTTP traffic to your backend servers. Create an HTTP listener when your application — such as a web app or mobile game — needs to inspect and route HTTP requests.

Prerequisites

Before you begin, ensure that you have:

An Application Load Balancer (ALB) instance. For more information, see Create and manage ALB instances.
A backend server group. For more information, see Create and manage a server group.

Choose a creation method

Method	When to use
Manual creation	Configure advanced settings — timeouts, compression, header passthrough — based on your business requirements.
Quick creation	Get a listener running fast. Specify only the listener protocol, port, and server group.

Manual creation

Log on to the ALB console.
In the top navigation bar, select the region where your ALB instance resides.
Open the listener configuration wizard using one of the following methods:
- On the Instances page, find your ALB instance and click Create Listener in the Actions column.
- On the Instances page, click the ALB instance ID. On the Listener tab, click Create Listener.

In the Configure Listener step, configure the parameters and click Next.

Parameter	Description
Listener protocol	The protocol for incoming requests. Select HTTP.
Listener port	The port on which the ALB instance listens and forwards requests to backend servers. Valid values: 1–65535. Port 80 is standard for HTTP. On the same ALB instance, listeners using the same protocol must use unique ports, and HTTP listeners must use a different port than HTTPS listeners.
Listener name	A name for the listener.
Tag	Key-value pairs for filtering listeners. Add one or more tags.
Advanced settings	Click Modify to configure the settings described below.

Advanced settings

Setting	Description
Idle connection timeout period	How long ALB waits before closing a connection with no activity. Unit: seconds. Valid values: 1–600. Default: 15. ALB closes the connection when the timeout expires and opens a new connection when the next request arrives. To set a longer timeout, go to the Quota Center console. Note Not available for HTTP/2 requests.
Connection request timeout	How long ALB waits for a backend server response before returning an HTTP 504 error to the client. Unit: seconds. Valid values: 1–600. Default: 60. To set a longer timeout, go to the Quota Center console.
Compression	When enabled, ALB compresses responses where `Content-Length` exceeds 1,024 bytes. Brotli compresses all file types. GZIP compresses: `text/xml`, `text/plain`, `text/css`, `application/javascript`, `application/x-javascript`, `application/rss+xml`, `application/atom+xml`, `application/xml`, and `application/json`. When a client accepts both algorithms, ALB uses Brotli. When a client accepts only GZIP and any file type in the response is unsupported by GZIP, ALB skips compression entirely.
Retrieve client IP	Retrieve the source client IP address from the `X-Forwarded-For` header. Requires specifying trusted IP addresses. Set to `0.0.0.0/0` to treat the leftmost IP in the header as the client IP. Use the `proxy1 IP;proxy2 IP;...` format to compare IPs right-to-left — the first IP not on the trusted list is the client IP. Required for source IP matching and QPS-based throttling in forwarding rules. Available on standard and WAF-enabled ALB instances only.
Add HTTP header	Configure which headers ALB adds, preserves, or removes before forwarding requests. See the HTTP header reference below.

In the Select server group step, select a server group, verify the backend servers, and click Next.
In the Confirm step, review your configuration and click Submit.

HTTP header reference

X-Forwarded-For

Important

Use X-Forwarded-For with caution. Entries in this header are only trustworthy if they were added by properly secured systems. For guidance on preventing spoofing, see FAQ.

When you select Add X-Forwarded-For to preserve client IP addresses, ALB can add or remove the header before forwarding requests. If you do not select this option, ALB passes the header through unchanged.

The table below shows the X-Forwarded-For value that reaches your backend server for each scenario (example: last hop IP = 127.0.0.1).

Incoming request	Add (default)	Remove	Not selected
No `X-Forwarded-For` header	`X-Forwarded-For: 127.0.0.1`	Header not present	Header not present
`X-Forwarded-For: 127.0.0.2`	`X-Forwarded-For: 127.0.0.2, 127.0.0.1`	Header not present	`X-Forwarded-For: 127.0.0.2`
`X-Forwarded-For: 127.0.0.2, 127.0.0.3`	`X-Forwarded-For: 127.0.0.2, 127.0.0.3, 127.0.0.1`	Header not present	`X-Forwarded-For: 127.0.0.2, 127.0.0.3`

Add (default): ALB appends the last hop's IP to the header. If the request has no X-Forwarded-For header, ALB creates one with the last hop IP.
Remove: ALB strips the X-Forwarded-For header before forwarding.

The header format is: X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, ...

For a full guide on retrieving client IPs on backend servers, see Obtain client originating IP addresses on backend servers through an Application Load Balancer.

Other headers

Header	What it stores
`SLB-ID`	The ID of the ALB instance
`X-Forwarded-Proto`	The listener protocol
`X-Forwarded-Port`	The listener port
`X-Forwarded-Host`	The domain name of the client accessing ALB
`X-Forwarded-Client-srcport`	The client port

Note

Configure your backend servers to process request headers case-insensitively, as required by the HTTP standard. ALB always creates X-Forwarded-For headers with an uppercase "X." For all other headers listed above, ALB follows the behavior described in this section. Any headers not listed here are forwarded in their original form.

Quick creation

Log on to the ALB console.
In the top navigation bar, select the region where your ALB instance resides.
On the Instances page, click your ALB instance ID.
On the Listener tab, click Quick Create Listener.

In the Quick Create Listener dialog box, configure the parameters and click OK.

Parameter	Description
Listener protocol	The protocol for incoming requests. Select HTTP.
Listener port	The frontend port that receives and forwards requests to backend servers. Valid values: 1–65535.
Resource group	The resource group for the server group.
Server group	Select a backend server group type, then choose an existing server group with backend servers added, or create a new one.

FAQ

How can I prevent `X-Forwarded-For` header spoofing?

The X-Forwarded-For header is easy to forge because clients control its initial value. Two approaches reduce this risk:

Use an upstream header for the real client IP. In a Client → CDN → WAF → SLB → ECS architecture, CDN records the real client IP in the Ali-Cdn-Real-Ip header. Configure WAF to use Ali-Cdn-Real-Ip as the client IP detection field. On your backend Nginx server, log $http_Ali_Cdn_Real_Ip as the real client IP.
Switch to a layer 4 listener (NLB or CLB). Layer 4 listeners pass the real client IP directly to backend servers without relying on X-Forwarded-For. See Enable layer 4 listeners to preserve client IP addresses and pass them to backend servers.

Does ALB support the WebSocket protocol?

ALB HTTP listeners support WebSocket by default. See Use WebSocket to enable real-time messaging.

What's next

Set up routing logic for your listener: Manage forwarding rules for a listener
Redirect HTTP to HTTPS: Redirect HTTP requests to an HTTPS listener
Mirror production traffic for testing: Use the traffic mirroring feature to mirror production traffic to a staging environment
Test a new app version with canary releases: Use ALB to implement canary release
Diagnose ALB errors: ALB error status codes and Troubleshoot ALB health check issues