If you want to encrypt data transmission for your application, you can create an HTTPS listener to forward HTTPS requests. HTTPS listeners support encrypted data transmission between Application Load Balancer (ALB) and clients that have SSL or TLS enabled.
Prerequisites
An ALB instance is created. For more information, see Create an ALB instance.
TLS security policies and at least one SSL server certificate are deployed on the ALB instance. For more information, see TLS security policies.
A backend server group is created. For more information, see Create and manage a server group.
Procedures
This topic describes two procedures that can be used to create an HTTPS listener. You can choose a method as needed.
Manual creation: You can create an HTTP listener and configure advanced features, such as mutual authentication.
Quick creation: You can use a template to quickly create an HTTP listener. You only need to specify a listener protocol, a listener port, a server certificate, and a backend server group.
Manual creation
Step 1: Create a listener
- Log on to the ALB console.
In the top navigation bar, select the region in which the ALB instance resides.
Use one of the following methods to open the listener configuration wizard:
On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.
On the Configure Listener wizard page, set the following parameters and click Next.
Parameter
Description
Listener Protocol
Select a listener protocol.
In this example, HTTPS is selected.
Listener Port
Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. In this example, port 443 is used. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS.
Valid values: 1 to 65535.
NoteOn the same ALB instance, the ports of listeners that use the same protocol must be unique. HTTP listeners and HTTPS listeners must use different ports.
Listener Name
Enter a name for the listener.
Tag
Configure the Tag Key and Tag Value parameters to add a tag. You can add one or more tags.
After you specify tags, you can filter listeners by tag on the Listener tab.
Advanced Settings
You can click Modify to configure the advanced settings.
Enable HTTP/2
Specify whether to enable HTTP/2 for the listener.
Idle Connection Timeout Period
Specify a timeout period for idle connections. Unit: seconds. Valid values: 1 to 60. To specify a longer timeout period,
go to the Quota Center console.
If no request is received within the specified timeout period, CLB closes the connection. When a request is received, CLB establishes a new connection.
NoteThis feature is unavailable for HTTP/2 requests.
Connection Request Timeout
Specify a request timeout period. Unit: seconds. Valid values: 1 to 180. To specify a longer timeout period, go to the Quota Center console.
If no response is received from the backend server within the request timeout period, ALB returns the HTTP 504 error code to the client.
Compression
If you enable compression, specific types of files are compressed. If you disable compression, no file is compressed.
Brotli supports all file types. GZIP supports the following file types:
text/xml
,text/plain
,text/css
,application/javascript
,application/x-javascript
,application/rss+xml
,application/atom+xml
,application/xml
, andapplication/json
.Retrieve Client IP
Specify whether to enable the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. If you enable this feature, you must specify trusted IP addresses.
If you set the trusted IP address list to
0.0.0.0/0
, the ALB instance retrieves the leftmost IP address in the X-Forwarded-For header. The IP address is the source client IP address.If you set the trusted IP address list in the format of
proxy1 IP;proxy2 IP;..
, the ALB instance compares the IP addresses in the X-Forwarded-For header from right to left against the trusted IP address list. The first IP address that is not on the trusted IP address list is considered the source client IP address.
Usage notes
If the X-Forwarded-For header contains multiple IP addresses, such as
X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, …
, the leftmost IP address is the source client IP address. If you want to enable the matching based on source IP addresses and throttling based on QPS per client IP address features in ALB forwarding rules, you must turn on the Retrieve Client IP switch to allow the ALB instance to retrieve source client IP addresses from the X-Forwarded-For header. For more information, see Create a forwarding rule.Add HTTP Header
If you select
Add X-Forwarded-For to preserve client IP addresses
, ALB can add anX-Forwarded-For
header to or remove theX-Forwarded-For
header from the request before forwarding the request to a backend server.Add (default)
If you choose Add, ALB adds the IP address of the last hop to the X-Forwarded-For header in the request before forwarding the request to a backend server. If the request does not contain the X-Forwarded-For header, ALB creates an X-Forwarded-For header whose value is the IP address of the last hop and adds the header to the request. The X-Forwarded-For header in the request may contain multiple IP addresses which are separated by commas (,).
Remove
If you choose Remove, ALB removes the
X-Forwarded-For
header from the request before forwarding the request to a backend server.
If you do not select
Add X-Forwarded-For to preserve client IP addresses
, ALB does nothing about theX-Forwarded-For
header in the request before forwarding the request to a backend server.
Format:
X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, …
The
X-Forwarded-For
header in the request that is received by the backend server is described as follows. In this example, the IP address of the last hop is127.0.0.1
.Request description
Sample request
Select
Add X-Forwarded-For to preserve client IP addresses
Not select
Add X-Forwarded-For to preserve client IP addresses
Add
Remove
The request received by ALB does not contain the
X-Forwarded-For
header.GET /index.html HTTP/1.1
Host: example.com
X-Forwarded-For: 127.0.0.1
The X-Forwarded-For header does not exist.
The X-Forwarded-For header does not exist.
The request received by ALB contains the
X-Forwarded-For
header and a client IP address.GET /index.html HTTP/1.1
Host: example.com
X-Forwarded-For: 127.0.0.2
X-Forwarded-For: 127.0.0.2, 127.0.0.1
The X-Forwarded-For header does not exist.
X-Forwarded-For: 127.0.0.2
The request received by ALB contains the
X-Forwarded-For
header and multiple client IP addresses.GET /index.html HTTP/1.1
Host: example.com
X-Forwarded-For: 127.0.0.2, 127.0.0.3
X-Forwarded-For: 127.0.0.2, 127.0.0.3, 127.0.0.1
The X-Forwarded-For header does not exist.
X-Forwarded-For: 127.0.0.2, 127.0.0.3
For more information about how to enable ALB to preserve client IP addresses, see Enable ALB to preserve client IP addresses.
Select the HTTP headers that you want to add. Valid values:
Add SLB-ID to preserve SLB instance IDs
: Add the SLB-ID header to store the ID of the ALB instance.Add X-Forwarded-Proto to preserve listener protocols
: Add the X-Forwarded-Proto header to store the listener protocol.Add X-Forwarded-Port to preserve SLB listener ports
: Add the X-Forwarded-Port header to store the listener port.Add X-Forwarded-Host to preserve client domain names
: Add the X-Forwarded-Host header to store the domain name of the client.Add X-Forwarded-Client-srcport to preserve client ports
: Add the X-Forwarded-Client-srcport header to store the client port.Add X-Forwarded-Clientcert-subjectdn to preserve owner information about client certificates
: Add the X-Forwarded-Clientcert-subjectdn header to store the owner information about the client certificate.Add X-Forwarded-Clientcert-issuerdn to preserve information about client certificate issuers
: Add the X-Forwarded-Clientcert-issuerdn header to store information about the authority that issues the client certificate.Add X-Forwarded-Clientcert-fingerprint to preserve client certificate fingerprints
: Add the X-Forwarded-Clientcert-fingerprint header to store the fingerprint of the client certificate.Add X-Forwarded-Clientcert-clientverify to preserve client certificate verification results
: Add the X-Forwarded-Clientcert-clientverify header to store the verification result of the client certificate.
NoteWe recommend that you configure your backend servers to follow the HTTP standard – be case-insensitive when processing the request headers.
The X-Forwarded-For header that is created and added to the request by ALB always starts with an uppercase "X."
Except for X-Forwarded-For, for the headers mentioned above, ALB processes them following the rules described above. For other headers, ALB keeps them in their original form in the request.
You cannot specify the custom header keys of X-Forwarded-Clientcert-subjectdn, X-Forwarded-Clientcert-issuerdn, X-Forwarded-Clientcert-fingerprint, and X-Forwarded-Clientcert-clientverify as follows:
slb-id
,slb-ip
,x-forwarded-for
,x-forwarded-proto
,x-forwarded-eip
,x-forwarded-port
,x-forwarded-client-srcport
,x-forwarded-host
,connection
,upgrade
,content-length
,transfer-encoding
,keep-alive
,te
,host
,cookie
,remoteip
, andauthority
QUIC Update
Specify whether to enable Quick UDP Internet Connections (QUIC) upgrade. To use this feature, you must select a QUIC listener from the Associated QUIC Listeners drop-down list.
If no QUIC listener is created, click Create Listener to create one. For more information, see Add a QUIC listener.
ALB supports iQUIC and gQUIC. For more information, see Use QUIC to accelerate the delivery of video and audio content.
Step 2: Add an SSL certificate
To create an HTTPS listener, you must configure an SSL certificate for identity authentication to secure data transmission. The following table describes the certificates that are supported by ALB.
Certificate | Description | Required for one-way authentication | Required for mutual authentication |
Server certificate | A server certificate is used to authenticate the identity of a server. Your browser checks whether the certificate sent by the server is signed and issued by a trusted certificate authority (CA). For more information, see What is an SSL certificate? | Yes You can purchase or upload a server certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses the certificate. | Yes You can purchase or upload a server certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses the certificate. |
CA certificate | A CA certificate is used by a server to verify the signature on a client certificate. If the signature is invalid, the connection request is denied. Note A client certificate is used to authenticate the identity of the client when the client communicates with the server. You need to install a client certificate only on the client. | No | Yes You can purchase or upload a CA certificate in the Certificate Management Service console. ALB obtains the certificate from Certificate Management Service and uses the certificate. |
If you want to access multiple domain names or add multiple server certificates, you can add additional certificates to the HTTPS listener. For more information, see Add an additional certificate.
In the Configure SSL Certificate step, select a server certificate.
If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.
Turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud from the CA Certificate Source drop-down list and select a CA certificate from the Default CA Certificate drop-down list.
If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
NoteOnly standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.
If you want to disable mutual authentication after you enable this feature, perform the following operations:
On the Instances page, click the ID of the NLB instance that you want to manage.
On the Listener tab, click the ID of the HTTPS listener that you want to manage.
On the Listener Details tab, disable mutual authentication in the SSL Certificate section.
Select a TLS security policy and click Next.
If no TLS security policy is available, click Create TLS Security Policy to create one.
A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS listeners. For more information, see TLS security policies.
Step 3: Select a server group
In the Server Group step, select a server group, view the backend servers, and then click Next.
Step 4: Review the configurations
In the Confirm step, confirm the configurations and click Submit.
Quick creation
If you select this method, you only need to specify a listener protocol, a listener port, a server certificate, a TLS security policy, and a server group.
- Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance resides.
On the Instances page, find the NLB instance that you want to manage and click its ID.
Click the Listener tab. On the Listener tab, click Quick Create Listener.
In the Quick Create Listener dialog box, configure the following parameters and click OK.
Parameter
Description
Listener Protocol
Select a listener protocol. In this example, HTTPS is selected.
Listener Port
The frontend port that is used to receive and forward requests to backend servers.
You can select a commonly used port, or enter a port number. Valid values: 1 to 65535.
Server Certificate
Select a server certificate from the drop-down list.
If no server certificate is available, click Create SSL Certificate to create one. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
Resource Group
Select a resource group for the server group.
TLS Security Policy
If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.
Server Group
Configure the Server Type parameter and select a server group based on the specified server type.
FAQ
What are the TLS versions supported by HTTPS listeners?
HTTPS listeners support TLS 1.0, 1.1, 1.2, and 1.3. For more information, see TLS security policies.
Can backend servers retrieve the TLS version used by the associated HTTPS listener?
Yes, backend servers can retrieve the TLS version used by the associated HTTPS listener.
Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
If client requests use protocols other than HTTP/1.1 and HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.
What requirements does a wildcard listener certificate need to meet?
When you configure a wildcard certificate for an HTTPS listener, take note of the following limits:
When you select a wildcard certificate, ALB can identify certificates that contain only one wildcard (
*
), which must be on the leftmost side of the domain name. For example, ALB can identify*.example.com
and*test.example.com
, but cannot identifytest*.example.com
.Requirements for wildcard certificates:
Levels of wildcard domain names: A wildcard domain name can match specific domain names that are of the same level as the wildcard domain name. For example,
*.example.com
can matchtest.example.com
but cannot matchtest.test.example.com
, which is one level lower than the wildcard domain name.Internationalized domain names (IDNAs):
If the wildcard character is the only wildcard character and on the leftmost side of the wildcard domain name, IDNAs can match the wildcard domain name. For example,
xn--fsqu00a.example.com
can match*.example.com
.If the wildcard character is not on the leftmost side of the wildcard domain name, IDNAs cannot match the wildcard domain name. For example,
xn--fsqu00atest.example.com
cannot math*test.example.com
.
Match scope: The wildcard character (
*
) can match digits, letters, and hyphens (-). For example,*.example.com
can matchtest.example.com
but cannot matchtest_test.example.com
.
References
ALB supports various advanced routing features. For more information, see Manage forwarding rules for a listener.
HTTPS listeners are ideal for various use scenarios. For more information, see the following topics: