Create an HTTPS listener by using CreateLoadBalancerHTTPSListener - Server Load Balancer

Creates an HTTPS listener.

Operation description

A newly created listener is in the stopped state. After a listener is created, you can call the StartLoadBalancerListener operation to start the listener. After the listener is started, the listener can forward traffic to backend servers.

Prerequisites

A Classic Load Balancer (CLB) instance is created. For more information, see CreateLoadBalancer.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

slb:CreateLoadBalancerHTTPSListener

create

*acl

acs:slb:{#regionId}:{#accountId}:acl/{#aclId}

*certificate

acs:slb:{#regionId}:{#accountId}:certificate/{#certificateId}

*loadbalancer

acs:slb:{#regionId}:{#accountId}:loadbalancer/{#loadbalancerId}

slb:tag
slb:tag
slb:tag

None

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	No	The region ID of the CLB instance. You can query the region ID from the Regions and zones list or by calling the DescribeRegions operation.	cn-hangzhou
LoadBalancerId	string	Yes	The ID of the CLB instance.	lb-bp1o94dp5i6earr****
Bandwidth	integer	Yes	The maximum bandwidth of the listener. Unit: Mbit/s. The URL must meet the following requirements: -1: For a pay-by-data-transfer Internet-facing CLB instance, this parameter is set to -1. This indicates that the bandwidth of the listener is unlimited.	-1
ListenerPort	integer	Yes	The frontend port that is used by the CLB instance. Valid values: 1 to 65535.	80
BackendServerPort	integer	No	The backend port that is used by the CLB instance. Valid values: 1 to 65535. If the VServerGroupId parameter is not set, this parameter is required.	80
Tag	array<object>	No	The tags.
	object	No	The tags.
Key	string	No	The tag key of the resource. You can specify up to 20 tag keys. The tag key cannot be an empty string. The tag key must be 1 to 64 characters in length and cannot start with `aliyun` or `acs:`. The tag key cannot contain `http://` or `https://`.	TestKey
Value	string	No	The tag value of the resource. You can specify up to 20 tag values. The tag value cannot be an empty string. The tag value can be up to 128 characters in length and cannot start with `acs:` or `aliyun`. The tag value cannot contain `http://` or `https://`.	TestValue
XForwardedFor	string	No	Specifies whether to use the `X-Forwarded-For` header to retrieve client IP addresses. Valid values: on off	on
Scheduler	string	No	The scheduling algorithm. Valid values: wrr: Backend servers with higher weights receive more requests than those with lower weights. rr: Requests are distributed to backend servers in sequence.	wrr
StickySession	string	No	Specifies whether to enable session persistence. Valid values: on off	on
StickySessionType	string	No	The method that is used to handle a cookie. Valid values: insert and server. insert: inserts a cookie. CLB inserts a cookie (SERVERID) into the first HTTP or HTTPS response packet that is sent to a client. The next request from the client will contain this cookie, and the listener will distribute this request to the recorded backend server. server: rewrites a cookie. When CLB detects a user-defined cookie, it overwrites the original cookie with the user-defined cookie. The next request from the client carries the user-defined cookie, and the listener will distribute the request to the recorded backend server. Note This parameter is required if the StickySession parameter is set to on.	insert
CookieTimeout	integer	No	The timeout period of a cookie. Unit: seconds. Valid values: 1 to 86400. Note If StickySession is set to on and StickySessionType is set to insert, this parameter is required.	500
Cookie	string	No	The cookie that you configure for the server. The cookie must be 1 to 200 characters in length, and can contain only ASCII letters and digits. It cannot contain commas (,), semicolons (;), spaces, or start with a dollar sign ($). Note This parameter is required when the StickySession parameter is set to on and the StickySessionType parameter is set to server.	testCookie
HealthCheck	string	Yes	Specifies whether to enable the health check feature. Valid values: on: yes off: no	on
HealthCheckMethod	string	No	The health check method used in HTTP health checks. Valid values: head and get. Note This parameter takes effect only if the HealthCheck parameter is set to on.	get
HealthCheckDomain	string	No	The domain name that is used for health checks. Valid values: $_ip: the private IP address of a backend server. If you do not set the HealthCheckDomain parameter or set the parameter to $_ip, the CLB instance uses the private IP address of each backend server for health checks. domain: The domain name must be 1 to 80 characters in length and can contain letters, digits, periods (.), and hyphens (-). Note This parameter takes effect only if the HealthCheck parameter is set to on.	172.XX.XX.16
HealthCheckURI	string	No	The URI that is used for health checks. The URI must be 1 to 80 characters in length, and can contain letters, digits, and the following special characters: `-/.%?#&`. The URI must start with a forward slash (`/`), but cannot be a single forward slash (`/`). Note This parameter takes effect only if the HealthCheck parameter is set to on.	/test/index.html
HealthyThreshold	integer	No	The number of times that an unhealthy backend server must consecutively pass health checks before it is declared healthy. In this case, the health status is changed from fail to success. Valid values: 2 to 10. Note This parameter takes effect only if the HealthCheck parameter is set to on.	4
UnhealthyThreshold	integer	No	The number of times that a healthy backend server must consecutively fail health checks before it is declared unhealthy. In this case, the health status is changed from success to fail. Valid values: 2 to 10. Note This parameter takes effect only if the HealthCheck parameter is set to on.	4
HealthCheckTimeout	integer	No	The timeout period of a health check response. If a backend ECS instance does not respond within the specified timeout period, the ECS instance fails the health check. Unit: seconds Valid values: 1 to 300. Note This parameter takes effect only if the HealthCheck parameter is set to on.	3
HealthCheckConnectPort	integer	No	The port that is used for health checks. Valid values: 1 to 65535. Note This parameter takes effect only if the HealthCheck parameter is set to on.	8080
HealthCheckInterval	integer	No	The interval between two consecutive health checks. Unit: seconds. Valid values: 1 to 50. Note This parameter takes effect only if the HealthCheck parameter is set to on.	5
HealthCheckHttpCode	string	No	The HTTP status code for a successful health check. Separate multiple HTTP status codes with commas (,). Valid values: http_2xx, http_3xx, http_4xx, and http_5xx. Note This parameter takes effect only if the HealthCheck parameter is set to on.	http_2xx,http_3xx
ServerCertificateId	string	No	The ID of the server certificate.	idkp-123-cn-test-****
VServerGroupId	string	No	The ID of the server group.	rsp-cige6j5e7p****
CACertificateId	string	No	The ID of the certification authority (CA) certificate. If both the CA certificate and the server certificate are uploaded, mutual authentication is used. If you upload only the server certificate, one-way authentication is used.	139a00604ad-cn-east-hangzh****
XForwardedFor_SLBIP	string	No	Specifies whether to use the `SLB-IP` header to retrieve the virtual IP address of the client. Valid values: on off	on
XForwardedFor_SLBID	string	No	Specifies whether to use the `SLB-ID` header to retrieve the ID of the CLB instance. Valid values: on off	on
XForwardedFor_proto	string	No	Specifies whether to use the `X-Forwarded-Proto` header to retrieve the listener protocol. Valid values: on off	on
Gzip	string	No	Specifies whether to enable `GZIP` compression to compress specific types of files. Valid values: on off	on
AclId	string	No	The ID of the network access control list (ACL) that is associated with the listener. Note This parameter is required if AclStatus is set to on.	acl-a2do9e413e0spzasx****
AclType	string	No	The type of the network ACL. Valid values: white: a whitelist. Only requests from the IP addresses or CIDR blocks in the network ACL are forwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access an application. Your service may be adversely affected if the allowlist is not properly configured. After a whitelist is configured, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If you enable a whitelist but do not add an IP address to the ACL, the listener forwards all requests. black: a blacklist. All requests from the IP addresses or CIDR blocks in the network ACL are denied. The blacklist applies to scenarios in which you want to deny access from specific IP addresses to an application. If a blacklist is configured for a listener but no IP address is added to the blacklist, the listener forwards all requests. Note If AclStatus is set to on, this parameter is required.	white
AclStatus	string	No	Specifies whether to enable access control. Valid values: on: yes off: no	off
Description	string	No	The name of the listener. The name must be 1 to 256 characters in length and can contain letters, digits, hyphens (-), forward slashes (/), periods (.), and underscores (_).	HTTPS_443
IdleTimeout	integer	No	The timeout period of an idle connection. Valid values: 1 to 60. Default value: 15. Unit: seconds. If no request is received within the specified timeout period, CLB closes the connection. When a request is received, CLB establishes a new connection.	12
RequestTimeout	integer	No	The timeout period of a request. Valid values: 1 to 180. Default value: 60. Unit: seconds. If no response is received from a backend server within the specified timeout period, CLB returns the HTTP 504 status code to the client.	23
EnableHttp2	string	No	Specifies whether to enable HTTP/2. Valid values: on: yes off: no	off
TLSCipherPolicy	string	No	The Transport Layer Security (TLS) security policy. Each security policy contains TLS protocol versions and cipher suites available for HTTPS. tls_cipher_policy_1_0: Supported TLS versions: TLS 1.0, TLS 1.1, and TLS 1.2 Supported cipher suites: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA tls_cipher_policy_1_1: Supported TLS versions: TLS 1.1 and TLS 1.2 Supported cipher suites: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA tls_cipher_policy_1_2 Supported TLS version: TLS 1.2 Supported cipher suites: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA tls_cipher_policy_1_2_strict Supported TLS version: TLS 1.2 Supported cipher suites: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA tls_cipher_policy_1_2_strict_with_1_3 Supported TLS versions: TLS 1.2 and TLS 1.3 Supported cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA	tls_cipher_policy_1_1
XForwardedFor_SLBPORT	string	No	Specifies whether to use the `XForwardedFor_SLBPORT` header to retrieve the listener port of the CLB instance. Valid values: on off	off
XForwardedFor_ClientSrcPort	string	No	Specifies whether to use the `XForwardedFor_ClientSrcPort` header to retrieve the client port. Valid values: on off	off

Response elements

Element	Type	Description	Example
	object
RequestId	string	The ID of the request.	CEF72CEB-54B6-4AE8-B225-F876FF7BA984

Examples

Success response

JSON format

{
  "RequestId": "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes

HTTP status code	Error code	Error message	Description
400	ParamDuplicateError	The specified parameter value of XForwardedFor_ClientCertSubjectDNAlias is duplicate. Please change to a different one.
400	IpVersionConflict	The ip version of this LoadBalancer and the Acl is conflict.
400	InvalidParameter.IdleTimeout	The specified IdleTimeout exceeds the limit.
400	InvalidParameter.RequestTimeout	The specified RequestTimeout exceeds the limit.
400	ListenerForwardNotSupport	X-Forward-For is not supported to a ipv6 instance.
400	InvalidParameter.RegionNotSupport	The region does not support the parameter: %s.
400	InvalidParameter.SpecNotSupport	The loadBalancer of shared spec does not support the parameter: %s.
400	ListenerProcessing	A previous configuration of the listener is pending,please try again later.
400	Certkey.Forbidden	The specified certkey is not owned by the current user.
400	InvalidParameter.ListenerPortConflict	There is conflict listener port exists.
400	ResourceNotAvailible.HttpsListener	The specified Zone did not have enough resource.
400	AclNotExist	Acl does not exist.
400	OperationUnsupported.CreateLoadBalancerLayer7Listener	The slb instance does not support create HTTP or HTTPS listener.
400	InvalidParameter.VServerGroupId	The MasterSlaveServerGroup can not be attached to HTTP or HTTPS listener.
400	MissingParam.HealthCheckDomain	The HealthCheckDomain is required when HealthCheckHttpVersion is http1.1.
400	InvalidParameter.HealthCheckHttpVersion	The param HealthCheckHttpVersion is invalid.
400	Duplicated.AclEntry	%s.	%s
400	CertificateNotExist	The specified CertificateId does not exist.
400	OperationFailed.InsufficientResources	The loadbalancer does not support this operation because of insufficient resources.
400	InvalidTLSPolicyId.NotExist	The specified TLS cipher policy does not exist.
400	TLSPolicyConfiguring	The specified TLS cipher policy is configuring.
400	TLSCipherPolicyVipRelationOverLimit	The number of listeners associated with a policy has exceeded.
400	CertificateTypeMismatched	The certificate type does not match.
400	MissingParam.ServerCertificates	Server certificates are required.
400	TooManyCertificates	The number of certificates must not be greater than one.
400	CnCertificateNotSupport	The cn certificate is not support.
400	InvalidParam.CertificateBindingType	The param CertificateBindingType is invalid.
400	InvalidParamSize.ServerCertificates	The size of param ServerCertificates is invalid.
400	TooManyCertificates.ServerCertificates	The number of certificates must not be greater than one.
400	SPEC_NOT_SUPPORT_PARAMETER	Share spec does not support the feature.
400	LbNotSupportTcpssl	You cannot create a TCP SSL type listener for the specified load balancer.
400	LbSupportTcpsslOnly	The specified load balancer supports TCP SSL type listener only.
400	ListenerNotSupportRule	You cannot create a rule for the specified listener.	You cannot create a rule for the specified listener.
400	Mismatch.SlbSpecTypeAndListenerProtocol	The SlbSpecType and ListenerProtocol are mismatched.
400	InvalidParam.TagValue	%s.
400	InvalidParam.TagKey	%s.
400	SizeLimitExceeded.Tag	%s.
400	MissingParam.TagKey	The param MissingParam.TagKey is missing.
400	AclListenerOverLimit	This acl has reached the limit of binding to listeners.
400	QuotaLimitExceeds.AclAttachedToListener	The number of Acl bound listeners has reached the quota limit
400	QuotaLimitExceeds.TotalAclEntry	The number of Acl entries has reached the quota limit.
400	QuotaLimitExceeds.AclListenerOverLimit	This acl has reached the limit of binding to listeners.
404	ResourceNotFound.Certificate	The specified resource is not found.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.