All Products
Search
Document Center

Server Load Balancer:Deploy an HTTPS service with one-way authentication on a CLB instance

Last Updated:Jul 10, 2026

HTTPS one-way authentication lets the client verify the server's identity without requiring a client certificate. You can configure this authentication method on a Classic Load Balancer (CLB) instance to encrypt traffic between clients and your backend services.

Prerequisites

Step 1: Upload a server certificate to CLB

Before configuring an HTTPS listener, upload a server certificate to the CLB Certificate Management system.

  1. Log on to the Classic Load Balancer (CLB) console.

  2. In the left-side navigation pane, choose CLB > Certificates.

  3. On the Certificates page, click Add Certificate.

  4. On the Add Certificate page, configure the following parameters and click Create. Other parameters can be left at their default values.

    Parameter

    Description

    Select Certificate Source

    Select Alibaba Cloud Certificates for this example.

    Certificates

    Select the certificate to upload from the drop-down list.

    Region

    Select the regions where the certificate will be deployed. The certificate can be used only in the selected regions.

Step 2: Add an HTTPS listener

  1. Log on to the Classic Load Balancer (CLB) console.

  2. In the left-side navigation pane, choose CLB > Instances.

  3. In the top navigation bar, select the region where the CLB instance is deployed.

  4. On the Instances page, find the target instance and click Configure Listener in the Actions column.

  5. On the Protocol & Listener page, configure the following parameters. You can use the default values for other parameters or modify them as needed. Then, click Next.

    Parameter

    Description

    Select Listener Protocol

    Select HTTPS.

    Listener Port

    This example uses the default HTTPS port, 443.

  6. On the Certificate Management Service page, configure the following parameter. You can use the default values for other parameters or modify them as needed. Then, click Next.

    Parameter

    Description

    Server Certificate

    Select the server certificate that you uploaded in Step 1.

  7. On the Backend Servers page, configure the following parameters. You can use the default values for other parameters or modify them as needed. Then, click Next.

    Parameter

    Description

    Server Group Type

    Select vServer Groups.

    Server Group

    Select the vServer group that you created.

  8. On the Health Check page, use the default settings and click Next.

  9. On the Confirm page, review your settings. If they are correct, click Submit.

Step 3: Configure DNS resolution

  1. Log on to the CLB console.

  2. In the top navigation bar, select a region.

  3. Select the CLB instance for domain name resolution, and copy its corresponding public IP address.

  4. To add an A record:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Public Zone page, click Add Zone.

    3. In the Add Zone dialog box, enter your domain name and click OK.

      Important

      Verify your domain ownership by using a TXT record.

    4. Find the domain name that you want to manage and click Settings in the Actions column.

    5. On the Settings page, click Add Record.

    6. In the Add Record panel, configure the following parameters to add an A record and then click OK.

      Parameter

      Description

      Record Type

      Select A from the drop-down list.

      Hostname

      The prefix of your domain name.

      Query Source

      Select Default.

      Record Value

      The record value is the public IP address of the CLB instance that you copied.

      TTL

      Time to live (TTL). This specifies the amount of time that the DNS record is cached on a DNS server. This example uses the default value.

Step 4: Test the load balancing service

Enter the domain name associated with the CLB instance in a web browser. Refresh the page several times to verify that HTTPS is active and that requests are distributed between the two ECS instances.

If the page returns Hello World ! This is ECS01. and after several refreshes returns Hello World ! This is ECS02., requests are being distributed between the two ECS instances in round-robin mode.

Related topics