Redirect HTTP to HTTPS with CLB - Server Load Balancer - Alibaba Cloud Documentation Center

Classic Load Balancer (CLB) can automatically redirect all HTTP requests to your HTTPS listener at the listener level, keeping the upgrade transparent to users and offloading redirection logic from your backend servers. This is suitable for upgrading an entire site from HTTP to HTTPS without modifying application code.

Important

Redirection by Listener can only be enabled when creating an HTTP listener. It cannot be enabled on an existing HTTP listener. If your HTTP listener already exists, create a new one with redirection enabled.

How it works

HTTP requests arrive at the HTTP listener (port 80).
CLB issues a 302 redirect response, pointing the client to the HTTPS listener (port 443).
The client connects over HTTPS. Backend servers handle only HTTPS traffic.

Limitations

HTTP-to-HTTPS redirection is available in all regions.
The HTTP listener and HTTPS listener must belong to the same CLB instance.
Redirection by Listener can only be enabled when creating an HTTP listener — it cannot be enabled on an existing listener.

Prerequisites

Before you begin, make sure you have:

Two backend servers (ECS01 and ECS02) with applications deployed. This guide uses 64-bit Alibaba Cloud Linux 3.2104 LTS. For setup instructions, see Create an instance on the Custom Launch tab.
An Internet-facing CLB instance. See Create and manage a CLB instance.
A server certificate uploaded to Certificate Management Service and associated with your domain name. See Get started with Certificate Management Service.

Sample commands for deploying test applications

Deploy on ECS01:

yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World !  This is ECS01." > index.html

Deploy on ECS02:

yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World !  This is ECS02." > index.html

Step 1: Create an HTTPS listener

Log on to the CLB console.
Log on to the Classic Load Balancer (CLB) console.
In the top navigation bar, select the region where your CLB instance is deployed.
On the Instances page, find your CLB instance and click Configure Listener in the Actions column.
In the Protocol & Listener step, set the following parameters and click Next. For parameters not listed here, keep the default values. For a full parameter reference, see Add an HTTPS listener.
Parameter Value
Select Listener Protocol HTTPS
Listener Port 443
In the Certificate Management Service step, select a server certificate from the Server Certificate drop-down list, or click Create Server Certificate to create one. Keep the other parameters at their default values and click Next.
In the Backend Servers step, add ECS01 and ECS02 to the default server group:
1. Select Default Server Group and click Add More.
2. In the Servers panel, select ECS01 and ECS02, then click Next.
3. In the Ports/Weights step, set weights for ECS01 and ECS02 and click Add.
4. Set the port to 80 for both ECS01 and ECS02, then click Next.
In the Health Check step, keep the default values and click Next.
In the Confirm step, review the listener configuration and click Submit. Click OK in the confirmation message.

Parameter	Value
Select Listener Protocol	HTTPS
Listener Port	443

Step 2: Create an HTTP listener with redirection

On the Listener tab, click Add Listener.
In the Protocol & Listener step, configure the following parameters and click Next. To access Redirection by Listener, click Modify next to Advanced Settings.
Parameter Value
Select Listener Protocol HTTP
Listener Port 80
Redirection by Listener Turn on. Set Listener to the HTTPS listener created in step 1.
The HTTP redirection feature for CLB is available in all regions.
In the Confirm step, click Submit, then click OK.

Parameter	Value
Select Listener Protocol	HTTP
Listener Port	80
Redirection by Listener	Turn on. Set Listener to the HTTPS listener created in step 1.

All HTTP requests on port 80 are now redirected to port 443 and processed by the HTTPS listener.

Step 3: Configure a DNS A record

For domains not registered on Alibaba Cloud, first add the domain to Alibaba Cloud DNS before creating a DNS record. If your CLB instance is internal-facing, associate an Elastic IP address (EIP) with it first, then map the domain name to the EIP.

In the left navigation pane, choose CLB > Instances.
On the Instances page, find your CLB instance and copy its Endpoint.
Log on to the Alibaba Cloud DNS console.
On the Authoritative DNS Resolution page, find your domain name and click DNS Settings in the Actions column.
On the DNS Settings page, click Add Record.
In the Add Record panel, set the following parameters and click OK.
Parameter Value
Record Type A
Hostname The domain prefix. Enter www for a subdomain, or @ for the root domain.
Record Value The IP address of your CLB instance (the endpoint you copied in step 2).

Parameter	Value
Record Type	A
Hostname	The domain prefix. Enter `www` for a subdomain, or `@` for the root domain.
Record Value	The IP address of your CLB instance (the endpoint you copied in step 2).

Step 4: Verify the redirect

Run the following command from a machine with Internet access:

curl -v http://<Domain name of the CLB instance>

A 302 status code in the response confirms that CLB is redirecting HTTP requests to HTTPS.

HTTP redirect status codes

CLB returns a 302 (temporary redirect) status code for all HTTP-to-HTTPS redirections.

Status code	Description
302	Temporary redirect. The requested resource has temporarily moved. Clients should continue using the original URL for future requests.

FAQ

Why is Redirection by Listener not shown in the listener settings?

Redirection by Listener only appears during HTTP listener creation. It is not available on existing HTTP listeners. To enable redirection, create a new HTTP listener.

What's next

CLB redirects requests at the listener level. If you need URL-based, header-based, or permanent (301) redirection rules, use Application Load Balancer (ALB). See Redirect HTTP requests to an HTTPS listener.