This topic describes how to add an HTTPS listener to an Application Load Balancer (ALB) instance. HTTPS is intended for applications that require encrypted data transmission. You can create HTTPS listeners to distribute HTTPS requests. HTTPS listeners enable traffic encryption between an ALB instance and clients that initiate SSL or TLS sessions.
Prerequisites
An ALB instance is created. For more information, see Create an ALB instance.
At least one SSL server certificate is available in Certificate Management Service and at least one TLS security policy exists. For more information, see TLS security policies.
A group of backend servers is specified in the default forwarding rule of the listener to receive requests. For more information, see Create and manage server groups.
Step 1: Configure a listener
Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance resides.
Use one of the following methods to open the listener configuration wizard:
On the Instances page, find the ALB instance, and click Create Listener in the Actions column.
On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.
In the Configure Listener step, set the following parameters and click Next.
Parameter | Description |
Listening Protocol | Select the protocol of the listener. HTTPS is selected in this example. |
Listener Port | Enter the port on which the ALB instance listens. The ALB instance accepts requests on this port and forwards them to backend servers. Valid values: 1 to 65535. 443 is entered in this example. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS. Note: Each port on which an ALB instance listens must be unique. |
Listener Name | Enter a name for the listener. The name must be 2 to 256 characters in length and can contain letters, digits, periods (.), underscores (_), hyphens (-), commas (,), semicolons (;), forward slashes (/), and at signs (@). |
Advanced Settings | Click Modify to configure the following parameters. |
Enable HTTP/2 | Specify whether the listener accepts HTTP/2 from clients. |
Idle Connection Timeout Period | Specify a timeout period for idle connections. Unit: seconds. Valid values: 1 to 60. If no request is received on a connection within this period, ALB closes the connection and establishes a new one when the next request arrives. Note: This setting does not apply to HTTP/2 connections. |
Connection Request Timeout Period | Specify a request timeout period. Unit: seconds. Valid values: 1 to 180. If the backend server does not respond within this period, ALB returns HTTP status code 504 to the client. |
Compression | Specify whether to compress responses. Brotli compresses files of all types. GZIP compresses only files of the following types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json. If you disable compression, no file is compressed. |
Add HTTP Header Fields | Select the headers that ALB adds to requests before it forwards them to backend servers. Valid values: Add X-Forwarded-For to Retrieve Client IP (the client IP address); Add SLB-ID to Retrieve ALB ID (the ID of the ALB instance); Add X-Forwarded-Proto to Retrieve Listening Protocol (the listener protocol); Add X-Forwarded-Clientcert-subjectdn to Retrieve Client Certificate Owner Info (the subject of the client certificate, that is, its owner); Add X-Forwarded-Clientcert-issuerdn to Retrieve Client Certificate Issuer Info (the CA that issued the client certificate); Add X-Forwarded-Clientcert-fingerprint to Retrieve Fingerprint of Client Certificate (the fingerprint of the client certificate); Add X-Forwarded-Clientcert-clientverify to Retrieve Verification Result of Client Certificate (the verification result of the client certificate); Add X-Forwarded-Port to Retrieve Listening Port (the listener port); Add X-Forwarded-Client-srcport to Retrieve Client Port (the client source port). The X-Forwarded-Clientcert-* headers carry data only when mutual authentication is enabled. Backend servers should trust these headers only on connections that arrive from the ALB instance: a client that can reach a backend server directly can set the same headers itself. |
QUIC Upgrade | Specify whether to enable QUIC upgrade. To use this feature, select a QUIC listener from the Associate QUIC Listener drop-down list. If no QUIC listener exists, click Create Listener to create one. For more information, see Add a QUIC listener. ALB supports iQUIC and gQUIC. For more information, see Use QUIC to accelerate the delivery of video and audio content. |
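The forwarded headers above are only as reliable as the backend's handling of them. The following Python example is added here and is not part of the ALB documentation or product. It shows how a backend server should derive the client address, scheme and listener port from these headers: it honours them only when the TCP peer is an address of the load balancer, and it reads X-Forwarded-For from the right so that a value injected by the client is ignored. The trusted address range (10.0.0.0/8), the peer addresses and the sample headers are constructed for the example. It assumes the ALB appends the connecting client's address as the last X-Forwarded-For element, which is the conventional proxy behaviour; confirm this against the ALB documentation on retrieving client IP addresses before relying on it.

```python
"""Backend-side handling of the X-Forwarded-* headers an ALB HTTPS listener adds.

Added example, not part of the ALB documentation. The trusted address range and
the sample request below are constructed for illustration.
"""
import ipaddress
from typing import Mapping, Optional

# Constructed: the address range from which the ALB instance connects to
# backend servers. Replace it with the real addresses of your ALB instance.
TRUSTED_PROXY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample request as the backend sees it. The client itself sent
# "X-Forwarded-For: 192.0.2.44" to impersonate another address; the ALB then
# appended the address it actually saw, 203.0.113.5 (assumed append behaviour).
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-For": "192.0.2.44, 203.0.113.5",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}
ALB_PEER = "10.0.3.7"         # TCP peer when the request came through the ALB
DIRECT_PEER = "198.51.100.9"  # TCP peer when a client bypassed the ALB


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of the load balancer address ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_NETWORKS)


def client_ip_from_xff(xff: Optional[str], peer_addr: str) -> Optional[str]:
    """Return the client address from X-Forwarded-For, or None if it cannot be trusted.

    The header is only meaningful when the TCP peer is a trusted proxy. The list
    is walked from the right: trailing entries were appended by trusted proxies
    (assumption: the ALB appends the connecting address as the last element),
    and the first untrusted address found is the real client. Entries to the
    left of it were supplied by the client and are ignored.
    """
    if not xff or not is_trusted_proxy(peer_addr):
        return None
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not is_trusted_proxy(hop):
            return hop
    # Every hop is a trusted proxy: the request originated inside the trusted
    # network, so the leftmost entry is the originating host.
    return hops[0]


def request_origin(headers: Mapping[str, str], peer_addr: str) -> dict:
    """Derive client IP, scheme and listener port, trusting headers only behind the ALB."""
    h = {k.lower(): v for k, v in headers.items()}
    via_alb = is_trusted_proxy(peer_addr)
    origin = {"client_ip": None, "scheme": None, "port": None, "via_alb": via_alb}
    if not via_alb:
        # Direct connection: the peer is the client and its headers are untrusted.
        origin["client_ip"] = peer_addr
        return origin
    origin["client_ip"] = client_ip_from_xff(h.get("x-forwarded-for"), peer_addr)
    proto = h.get("x-forwarded-proto", "").strip().lower()
    if proto in ("http", "https"):
        origin["scheme"] = proto  # "https" means the listener terminated TLS
    port = h.get("x-forwarded-port", "").strip()
    if port.isdigit() and 1 <= int(port) <= 65535:
        origin["port"] = int(port)
    return origin


if __name__ == "__main__":
    print("through ALB:", request_origin(SAMPLE_HEADERS, ALB_PEER))
    print("direct     :", request_origin(SAMPLE_HEADERS, DIRECT_PEER))
```

Use the `scheme` value to decide whether to mark cookies Secure or to redirect to HTTPS, and never the scheme of the backend connection itself, since TLS is terminated on the listener. The `via_alb` flag lets a backend reject or log requests that did not arrive through the load balancer at all.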
Step 2: Configure an SSL certificate
To create an HTTPS listener, you must configure an SSL certificate for identity authentication to ensure secure data transfer.
Certificate | Description | Required for one-way authentication | Required for mutual authentication |
Server certificate | A server certificate proves the identity of the server. The client, for example a browser, checks that the certificate presented by the listener is issued by a trusted certificate authority (CA) and matches the domain name that it requested. For more information, see What is an SSL certificate? | Yes. You can purchase or upload a server certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses it. | Yes. Same as for one-way authentication. |
Client certificate | A client certificate proves the identity of the client. The server authenticates the client by verifying the certificate that the client presents during the TLS handshake. | No | Yes. You must install the client certificate on the client. |
CA certificate | A CA certificate is used by the listener to verify the signature on a client certificate. If the client certificate is not signed by this CA, or the signature is invalid, the connection is denied. | No | Yes. You can purchase or upload a CA certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses it. |
TLS security policy | A TLS security policy specifies the TLS protocol versions and cipher suites that the HTTPS listener accepts. For more information, see TLS security policies. | Yes | Yes |
If you want to access multiple domain names or add multiple server certificates, you can add additional certificates to the HTTPS listener. For more information, see Add an additional certificate.
In the Configure SSL Certificates step, select a server certificate.
If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.
Turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud from the CA Certificate Source drop-down list and select a CA certificate from the Default CA Certificate drop-down list.
If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
Note: Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not.
If you want to disable mutual authentication after you enable this feature, perform the following operations:
On the Instances page, click the ID of the ALB instance that you want to manage.
On the Listener tab, click the ID of the HTTPS listener that you want to manage.
On the Listener Details tab, disable mutual authentication in the SSL Certificate section.
Select a TLS security policy and click Next.
If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.
Step 3: Select a server group
In the Server Group step, select a server group, view the backend servers, and then click Next.
Step 4: Confirm configurations
In the Confirm step, confirm the configurations and click Submit.
FAQ
What are the TLS versions supported by HTTPS listeners?
HTTPS listeners support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. Which of these versions a listener actually accepts is determined by its TLS security policy. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); select a policy that enables only TLS 1.2 and TLS 1.3 unless you must support legacy clients. For more information, see TLS security policies.
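After the listener is created, confirm from the outside that it behaves as the selected TLS security policy intends. The following Python script is an added example and not part of the ALB documentation or product. It connects to the listener pinned to each TLS version in turn, reports any deprecated version that is still accepted or any current version that is rejected, and checks that the chain-validated server certificate covers the host name and is not about to expire. It uses only the standard library; the host name and port are command-line arguments, and the expectations it enforces (reject TLS 1.0 and 1.1, accept 1.2 and 1.3) are the script's own policy, not a product default.

```python
"""Check an ALB HTTPS listener from the outside: accepted TLS versions, and
whether the served certificate covers the host and is not close to expiry.

Added example, not part of the ALB documentation. Run as:
    python check_listener.py www.example.com 443
"""
import socket
import ssl
import sys
import time
from typing import Dict, List, Optional

# TLS 1.0 and 1.1 are deprecated (RFC 8996): a TLS security policy should reject them.
MUST_REJECT = ("TLSv1", "TLSv1.1")
MUST_ACCEPT = ("TLSv1.2", "TLSv1.3")

_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host: str, port: int, name: str, timeout: float = 5.0) -> bool:
    """Handshake pinned to one TLS version; True if the listener completed it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # this probe only asks which versions are offered
    try:
        ctx.minimum_version = ctx.maximum_version = _VERSIONS[name]
        if _VERSIONS[name] < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses legacy versions at its default security level.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, ValueError, OSError):
        return False  # refused, unsupported by the local OpenSSL, or unreachable


def evaluate_versions(results: Dict[str, bool]) -> List[str]:
    """Turn probe results into findings; an empty list means the policy is acceptable."""
    findings = []
    for name in MUST_REJECT:
        if results.get(name):
            findings.append(f"{name} accepted: choose a TLS security policy that excludes it")
    for name in MUST_ACCEPT:
        if not results.get(name):
            findings.append(f"{name} rejected: current clients expect it")
    return findings


def fetch_certificate(host: str, port: int, timeout: float = 5.0) -> dict:
    """Return the server certificate as a dict, after full chain validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(cert: dict, host: str) -> bool:
    """True if a DNS SAN covers host, exactly or via a single-label wildcard."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*."):
            suffix = value[1:]  # "*.example.com" -> ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days between now (epoch seconds, default: current time) and notAfter."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - (time.time() if now is None else now)) / 86400


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {name: probe_version(host, port, name) for name in _VERSIONS}
    for line in evaluate_versions(results) or ["TLS version policy: OK"]:
        print(line)
    cert = fetch_certificate(host, port)
    print("certificate covers host:", san_matches(cert, host))
    print("days until expiry: %.0f" % days_until_expiry(cert))
```

Run it against the listener's public address after Step 4. If a deprecated version is reported as accepted, pick a stricter TLS security policy in Step 2 rather than relying on backend servers to refuse it: TLS is terminated on the ALB instance, so backend servers never see the negotiated version. The legacy probes only succeed if the machine running the script still has TLS 1.0 and 1.1 compiled into its OpenSSL; a False result for those versions is also what you get when the local library cannot offer them.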
Can backend servers retrieve the TLS version used by the associated HTTPS listener?
Yes, backend servers can retrieve the TLS version used by the associated HTTPS listener.
Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
If client requests use protocols other than HTTP/1.1 and HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.