HTTPS one-way authentication lets the client verify the server's identity without requiring a client certificate. You can configure this authentication method on a Classic Load Balancer (CLB) instance to encrypt traffic between clients and your backend services.
Prerequisites
-
You have created a Classic Load Balancer (CLB) instance. For more information, see Create and manage a CLB instance.
-
You have created a vServer group with two ECS instances, ECS01 and ECS02. Each instance runs a different application.
-
You have registered a domain name and completed the required ICP filing. For more information, see Register an Alibaba Cloud domain name and ICP filing process.
-
You have purchased or uploaded a certificate to SSL Certificates Service and associated it with your domain name. For more information, see Use a commercial certificate to enable HTTPS access for a web application.
Step 1: Upload a server certificate to CLB
Before configuring an HTTPS listener, upload a server certificate to the CLB Certificate Management system.
-
Log on to the Classic Load Balancer (CLB) console.
-
In the left-side navigation pane, choose .
-
On the Certificates page, click Add Certificate.
-
On the Add Certificate page, configure the following parameters and click Create. Other parameters can be left at their default values.
Parameter
Description
Select Certificate Source
Select Alibaba Cloud Certificates for this example.
Certificates
Select the certificate to upload from the drop-down list.
Region
Select the regions where the certificate will be deployed. The certificate can be used only in the selected regions.
Step 2: Add an HTTPS listener
-
Log on to the Classic Load Balancer (CLB) console.
-
In the left-side navigation pane, choose .
-
In the top navigation bar, select the region where the CLB instance is deployed.
-
On the Instances page, find the target instance and click Configure Listener in the Actions column.
-
On the Protocol & Listener page, configure the following parameters. You can use the default values for other parameters or modify them as needed. Then, click Next.
Parameter
Description
Select Listener Protocol
Select HTTPS.
Listener Port
This example uses the default HTTPS port, 443.
-
On the Certificate Management Service page, configure the following parameter. You can use the default values for other parameters or modify them as needed. Then, click Next.
Parameter
Description
Server Certificate
Select the server certificate that you uploaded in Step 1.
-
On the Backend Servers page, configure the following parameters. You can use the default values for other parameters or modify them as needed. Then, click Next.
Parameter
Description
Server Group Type
Select vServer Groups.
Server Group
Select the vServer group that you created.
-
On the Health Check page, use the default settings and click Next.
-
On the Confirm page, review your settings. If they are correct, click Submit.
Step 3: Configure DNS resolution
-
Log on to the CLB console.
In the top navigation bar, select a region.
Select the CLB instance for domain name resolution, and copy its corresponding public IP address.
To add an A record:
Log on to the Alibaba Cloud DNS console.
On the Public Zone page, click Add Zone.
In the Add Zone dialog box, enter your domain name and click OK.
ImportantVerify your domain ownership by using a TXT record.
Find the domain name that you want to manage and click Settings in the Actions column.
On the Settings page, click Add Record.
In the Add Record panel, configure the following parameters to add an A record and then click OK.
Parameter
Description
Record Type
Select A from the drop-down list.
Hostname
The prefix of your domain name.
Query Source
Select Default.
Record Value
The record value is the public IP address of the CLB instance that you copied.
TTL
Time to live (TTL). This specifies the amount of time that the DNS record is cached on a DNS server. This example uses the default value.
Step 4: Test the load balancing service
Enter the domain name associated with the CLB instance in a web browser. Refresh the page several times to verify that HTTPS is active and that requests are distributed between the two ECS instances.
If the page returns Hello World ! This is ECS01. and after several refreshes returns Hello World ! This is ECS02., requests are being distributed between the two ECS instances in round-robin mode.
Related topics
-
To use a certificate not issued by Alibaba Cloud, see Certificate requirements and format conversion for requirements and Upload a certificate not issued by Alibaba Cloud for upload instructions.
-
For detailed steps on adding an HTTPS listener, see Add an HTTPS listener.
-
For higher security requirements, see Deploy an HTTPS service with mutual authentication on a CLB instance to enable mutual authentication between the server and clients.