
Server Load Balancer:Add HTTPS listener

Last Updated:Mar 07, 2025

HTTPS is HTTP carried over TLS (formerly SSL); it encrypts and authenticates data in transit between clients and servers. If your service transmits sensitive data such as user or identity information, or if you want to protect client traffic from eavesdropping and tampering, create an HTTPS listener to handle HTTPS requests from clients.

Prerequisites

You have created a CLB instance. For more information, see how to create and manage CLB instances.

Limits

When you configure an HTTPS listener, the backend protocol can only be HTTP: CLB terminates TLS at the listener and forwards the decrypted request to the backend server over plain HTTP. Set the backend server port to the HTTP port (usually 80), not the HTTPS port (usually 443), and do not configure an HTTP-to-HTTPS redirect on that backend port, because every forwarded request would then be redirected in a loop. If the backend needs to know that the client connected over HTTPS, read the X-Forwarded-Proto header described under Additional HTTP Headers.

Notes

  • The session ticket retention time for HTTPS listeners is 300 seconds by default.

  • The actual traffic generated by HTTPS listeners may be slightly more than what is displayed on the bill because some traffic is used for protocol handshakes.

  • Each new HTTPS connection starts with a TLS handshake, so a high rate of new connections consumes considerably more traffic than the same requests sent over existing connections.

Procedure

Step 1: configure the listener

  1. Log on to the Classic Load Balancer (CLB) console.

  2. In the top menu bar, select the region where the instance is located.

  3. On the Instance Management page, find the destination instance and choose one of the following methods to configure the listener.

    • In the Actions column, click Listener Configuration Wizard.

    • Click the instance ID. On the instance product page, select the Listener tab and click Add Listener.

  4. In the Protocol & Listener configuration wizard, complete the following parameter configurations, and then click Next.

    Listener Configuration

    Description

    Select Listener Protocol

    Select a protocol for the listener.

    In this topic, select HTTPS.

    Backend Protocol

    When the listener protocol is HTTPS, the backend protocol is fixed to HTTP.

    Listener Port

    Specify the listener port that is used to receive requests and forward them to backend servers. The port range is 1 to 65535.

    Tags

    Select or enter the Tag Key and Tag Value.

    Advanced Configuration

    Click Modify to expand the advanced configuration.

    Scheduling Algorithm

    You can select the following scheduling algorithms. The default algorithm is Round Robin (RR).

    • Weighted Round Robin (WRR): Backend servers with higher weights receive a proportionally larger share of requests.

    • Round Robin (RR): Requests are distributed to backend servers in turn, in the order in which they are received.

    For more information about scheduling algorithms and applicable scenarios, see introduction to server load balancing scheduling algorithms.

    Enable Session Persistence

    By default, session persistence is disabled.

    After session persistence is enabled, SLB forwards all requests from the same client to the same backend server for processing.

    Cookie Processing Method:

    • Insert Cookie: You only need to specify the expiration time of the cookie.

      When a client accesses for the first time, SLB inserts a cookie (SERVERID) into the HTTP or HTTPS response message. The next time the client accesses with this cookie, the SLB service forwards the request to the previously recorded backend server.

      Session Persistence Timeout: When Insert Cookie is selected, enter the session persistence timeout.

    • Rewrite Cookie: The backend server sets the cookie in its HTTP or HTTPS response. You specify the cookie name; the backend server controls the cookie's expiration time and lifetime.

      When the SLB service detects that a user-defined cookie is specified, it overwrites the original cookie. The next time the client accesses with the new cookie, the SLB service forwards the request to the previously recorded backend server.

      Cookie Name: When Rewrite Cookie is selected, enter the cookie name.

    Enable HTTP 2.0

    HTTP 2.0 is enabled by default.

    HTTP 2.0 introduces multiplexing. After the frontend protocol version of CLB is set to HTTP 2.0, the CLB instance transmits multiple HTTP requests and responses over a single TCP connection to improve transmission performance.

    Enable Access Control

    Access control is disabled by default.

    After access control is enabled, select an access control method and set an access control policy group as the whitelist or blacklist of the listener.

    • Whitelist: Allows only specified IP addresses to access the SLB instance. Only requests from the IP addresses or CIDR blocks in the access control policy group are forwarded. Whitelists apply to scenarios in which you want to allow access only from specific IP addresses. Your service may be adversely affected if the whitelist is not properly configured: after a whitelist is configured, only requests from IP addresses that are added to the whitelist are forwarded by the listener.

      If a whitelist is configured but no IP address is added to the whitelist, the listener forwards all requests. An empty whitelist therefore fails open; populate the policy group before you enable it.

    • Blacklist: Denies specified IP addresses access to the SLB instance. Requests from the IP addresses or CIDR blocks in the access control policy group are denied. Blacklists apply to scenarios in which you want to deny access from specific IP addresses.

      If a blacklist is configured but no IP address is added to the blacklist, the listener forwards all requests.

    Note

    IPv6 instances can be associated only with IPv6 access control policy groups, and IPv4 instances can be associated only with IPv4 access control policy groups. For more information about configuring access control policies, see create access control policy groups.

    Enable Listener Bandwidth Throttling

    If a pay-by-bandwidth SLB instance is used, you can set different maximum bandwidth values for different listeners to limit the amount of traffic that can be forwarded by each listener. The sum of the maximum bandwidth of all listeners that are added to an SLB instance cannot exceed the maximum bandwidth of the SLB instance.

    By default, bandwidth throttling is disabled. All listeners share the total bandwidth of the instance. For more information about how to share the total bandwidth, see CLB listener sharing instance bandwidth.

    Important
    • For example, the maximum bandwidth of an Internet-facing CLB instance is 5 Mbit/s, and you configure two listeners. You allocate 5 Mbit/s of bandwidth to Listener A, and do not allocate bandwidth to Listener B. In this case, Listener B is inaccessible. Exercise caution when you allocate bandwidth.

    • If three listeners are configured for an internal-facing CLB instance, and the total bandwidth allocated to Listener A and Listener B is 5,120 Mbit/s, Listener C is inaccessible. Exercise caution when you allocate bandwidth.

    • If a pay-by-data-transfer CLB instance is used, the bandwidth of listeners is unlimited by default.

    Connection Idle Timeout

    The maximum time that a TCP connection between a CLB instance and a client remains open when no data is transmitted. Valid values: 1 to 60 seconds.

    If no request is received within the specified timeout period, SLB closes the connection. When another request is received, SLB establishes a new connection.

    Note

    After you set the connection timeout, the setting applies to the entire listener. If you want to set a connection timeout for a specific backend server, you must configure a separate listener for the backend server and set the connection timeout in the new listener.

    Connection Request Timeout

    If no response is received from the backend server within the timeout period, SLB returns an HTTP 504 error code to the client.

    Valid values: 1 to 180 seconds.

    Gzip Data Compression

    If you enable Gzip compression, files of specific types are compressed. If you disable Gzip compression, no file is compressed. By default, Gzip data compression is enabled.

    Currently, Gzip supports the following types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.

    Additional HTTP Headers

    Select the HTTP headers that you want to add:

    • Add the X-Forwarded-For header to obtain the originating IP address.

      Note

      By default, Layer 7 listeners of CLB use the X-Forwarded-For header to preserve client IP addresses. The header cannot be disabled.

    • Add the SLB-ID header to obtain the ID of the SLB instance.

    • Add the SLB-IP header to obtain the IP address of the SLB instance.

    • Add the X-Forwarded-Proto header to obtain the protocol of the SLB listener.

    Obtain The Originating IP Address

    This feature preserves client IP addresses. By default, this feature is enabled.

    Automatically Start The Listener After Creation

    Specify whether to immediately enable the listener after it is created. By default, listeners are enabled after they are created.
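The following Python, an added example rather than Alibaba Cloud code, models the access control rules listed under Enable Access Control above, including the documented behaviour of an empty policy group and the IPv4/IPv6 family restriction from the note. It assumes that each policy-group entry is one IP address or CIDR block in text form; all addresses are constructed sample data from documentation ranges.

```python
"""Evaluate a CLB listener access control policy as the documentation describes.

Added example, not Alibaba Cloud code.  Rules modelled (all from the page):
  * whitelist: only sources matching an entry are forwarded;
  * blacklist: sources matching an entry are denied;
  * an EMPTY policy group forwards every request in both modes;
  * an IPv4 listener takes IPv4 entries only, IPv6 takes IPv6 only.
Assumption: each entry is one IP address or CIDR block in text form.
All addresses below are constructed sample data (RFC 5737 / RFC 3849 ranges).
"""
from ipaddress import ip_address, ip_network


def parse_entries(entries, family=4):
    """Parse policy-group entries, rejecting any whose family does not match the listener."""
    nets = []
    for entry in entries:
        net = ip_network(entry, strict=False)  # a bare address becomes a /32 or /128
        if net.version != family:
            raise ValueError(f"{entry} is IPv{net.version} but the listener is IPv{family}")
        nets.append(net)
    return nets


def is_forwarded(client, mode, entries, family=4):
    """Return True if the listener forwards a request from `client` under the policy."""
    nets = parse_entries(entries, family)
    if not nets:
        # Documented behaviour: an empty policy group forwards all requests,
        # for whitelists as well as blacklists.  This is the fail-open case.
        return True
    matched = any(ip_address(client) in net for net in nets)
    if mode == "whitelist":
        return matched
    if mode == "blacklist":
        return not matched
    raise ValueError(f"unknown mode {mode!r}")


def lint_whitelist(entries, family=4):
    """Warnings a reviewer would raise before switching a listener to a whitelist."""
    warnings = []
    nets = parse_entries(entries, family)
    if not nets:
        warnings.append("whitelist is empty: the listener will forward ALL requests")
    for net in nets:
        if net.prefixlen == 0:
            warnings.append(f"{net} matches every address: the whitelist is ineffective")
    return warnings


if __name__ == "__main__":
    office = ["203.0.113.0/24", "198.51.100.17"]
    for ip in ("203.0.113.9", "198.51.100.17", "192.0.2.1"):
        print(ip, "whitelist ->", is_forwarded(ip, "whitelist", office))
    print("empty whitelist ->", is_forwarded("192.0.2.1", "whitelist", []))
    print(lint_whitelist([]))
```

Run lint_whitelist over the entries you intend to attach before you flip a production listener to whitelist mode; the empty and 0.0.0.0/0 cases are the two that silently leave the listener open to everyone.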
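As an added example (not Alibaba Cloud code), the following Python shows how a backend behind the HTTPS listener should consume the headers listed under Additional HTTP Headers, and why the Limits section forbids an HTTP-to-HTTPS redirect on the backend port. Two assumptions are labelled in the code: that CLB appends the client address as the last X-Forwarded-For entry (the page only states that the header is always set), and that only CLB can reach the backend, so exactly one trusted hop sits in front of it. The header values used when the script runs directly are constructed.

```python
"""Consume CLB's forwarding headers correctly on a backend behind an HTTPS listener.

Added example, not Alibaba Cloud code.  The page states that CLB always sets
X-Forwarded-For and can add X-Forwarded-Proto, and that the backend port must
not redirect HTTP to HTTPS.  Two assumptions, not stated on the page:
  * ASSUMPTION 1: CLB appends the connecting client's address as the LAST
    X-Forwarded-For entry (normal proxy behaviour), so earlier entries were
    supplied by the client and are forgeable.
  * ASSUMPTION 2: only CLB can reach this backend, so exactly one trusted
    hop sits in front of it (TRUSTED_HOPS = 1).
Header values used when run directly are constructed sample data.
"""
from ipaddress import ip_address
from typing import Mapping

TRUSTED_HOPS = 1  # ASSUMPTION 2


def client_ip(headers: Mapping[str, str], peer_ip: str, trusted_hops: int = TRUSTED_HOPS) -> str:
    """Return the client address that the trusted proxy recorded.

    X-Forwarded-For is a comma-separated list.  Counting `trusted_hops`
    entries from the RIGHT yields the address the last trusted proxy saw
    (ASSUMPTION 1); anything further left came from an untrusted party.
    If the header is missing or that entry is not an IP address, fall back to
    the TCP peer, which for a CLB backend is the CLB itself.
    """
    raw = headers.get("X-Forwarded-For", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if len(entries) < trusted_hops:
        return peer_ip
    candidate = entries[-trusted_hops]
    try:
        ip_address(candidate)
    except ValueError:
        return peer_ip  # malformed: never log or rate-limit on unparsed input
    return candidate


def needs_https_redirect(headers: Mapping[str, str]) -> bool:
    """Redirect only when the trusted proxy says the CLIENT used plain HTTP.

    The backend always sees plain HTTP from CLB, so redirecting on the local
    scheme would bounce every request forever; that is why the Limits section
    forbids an HTTP-to-HTTPS redirect on the backend port.  X-Forwarded-Proto,
    set by CLB, carries the scheme the client actually used.  If the header is
    absent we do not redirect, again to avoid a loop.
    """
    return headers.get("X-Forwarded-Proto", "").strip().lower() == "http"


def app(environ, start_response):
    """Minimal WSGI application applying both checks."""
    headers = {
        "X-Forwarded-For": environ.get("HTTP_X_FORWARDED_FOR", ""),
        "X-Forwarded-Proto": environ.get("HTTP_X_FORWARDED_PROTO", ""),
    }
    if needs_https_redirect(headers):
        location = "https://" + environ.get("HTTP_HOST", "localhost") + environ.get("PATH_INFO", "/")
        start_response("301 Moved Permanently", [("Location", location)])
        return [b""]
    ip = client_ip(headers, environ.get("REMOTE_ADDR", ""))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {ip}\n".encode()]


if __name__ == "__main__":
    # Constructed sample: a client that tried to spoof XFF, behind CLB at 10.0.0.5.
    sample = {"X-Forwarded-For": "1.2.3.4, 203.0.113.7", "X-Forwarded-Proto": "https"}
    print(client_ip(sample, "10.0.0.5"))   # 203.0.113.7, not the spoofed 1.2.3.4
    print(needs_https_redirect(sample))    # False
```

With only an HTTPS listener in front of the backend, X-Forwarded-Proto is always https and the redirect branch never fires; it matters when a plain HTTP listener on the same CLB instance points at the same backend servers. The right-to-left rule for X-Forwarded-For is what keeps a client-supplied first entry out of your access logs and rate limits.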

Step 2: Configure the SSL certificate

  1. In the SSL Certificate configuration wizard, select a server certificate that you have already uploaded. If none exists, click Create A New Server Certificate under Select A Server Certificate to upload one. You can also purchase a certificate. For certificate-related information, see create a certificate.

  2. Optional:Click Modify on the right side of Advanced Configuration to enable HTTPS mutual authentication or set the TLS security policy.

    1. Turn on the Enable Mutual Authentication switch, and select an uploaded CA certificate or create a new CA certificate. For more information, see purchase and enable a private CA.

    2. Select TLS Security Policy.

    Note
    • Only guaranteed-performance instances support TLS security policies.

    • A TLS security policy defines which TLS protocol versions and which cipher suites the HTTPS listener accepts. Prefer a policy that excludes TLSv1.0 and TLSv1.1, both deprecated by RFC 8996, unless you must support legacy clients. For more information, see TLS security policy.

Step 3: add backend servers

Add backend servers to process client requests. You can use the default server group configured for the instance or configure a vServer group for the listener. For more information, see CLB server group. This topic uses the default backend server group as an example to describe the configuration.

Important

HTTPS listeners do not support the addition of primary/secondary server groups.

  1. In the Backend Server configuration wizard, select Default Server Group and click Continue To Add.

  2. In the Select Server configuration wizard, select the backend server to add and click Next.

  3. In the Configure Port And Weight configuration wizard, set the weight and click Add.

    Note
    • The default weight is 100. A server with a higher weight receives more requests.

    • If the weight of a backend server is set to 0, it will not receive any requests.

  4. Configure the port on the backend server (ECS instance) to receive requests and click Next. The port range is 1 to 65535.

    Note

    You can specify the same port for backend servers that are added to the same CLB instance.

Step 4: configure health check

CLB employs health checks to assess the availability of backend servers, enhancing the reliability of frontend services and shielding them from potential backend server faults.

Note

You cannot disable health checks for a listener that is associated with a primary/secondary server group.

  1. Optional: In the Health Check configuration wizard, click Edit to change the health check configuration, and click Next. For more information, see the referenced document.

  2. In the Configuration Review configuration wizard, check the listener configuration and click Modify to change the configuration.

  3. After confirming that the configuration is correct, click Submit. After the configuration is successful, click Got It.

    After the configuration is successful, you can view the created listener on the page.

FAQ

Does Server Load Balancer (CLB) support configuring HTTPS listeners to achieve full-link HTTPS access?

No. When an HTTPS listener is configured, the backend protocol can only be HTTP: Server Load Balancer (CLB) decrypts the HTTPS request from the client and forwards the plaintext to the backend server over HTTP. This simplifies backend server configuration and avoids a second TLS handshake on the backend, but it also means that the hop between CLB and the backend server is not encrypted.

You can achieve full-link HTTPS access for your business in the following two ways:

  • Create an Application Load Balancer (ALB) instance and configure an HTTPS listener to achieve full-link HTTPS access for your business. For more information, see configure full-link HTTPS access for encrypted communication.

  • Configure a TCP listener for a Classic Load Balancer (CLB) instance and configure an SSL certificate on the corresponding backend server.

What port does an HTTPS listener use?

HTTPS listeners have no special requirements for ports. However, we recommend that you specify port 443 for HTTPS listeners.

What types of certificates are supported by Server Load Balancer?

Server Load Balancer supports server certificates and CA certificates in PEM format.

For server certificates, you must upload both the certificate content and the private key. For CA certificates, you need to upload only the certificate content.

Does Server Load Balancer support certificates created by keytool?

Yes.

However, before you upload the certificate, you must convert the certificate to PEM format. For more information, see convert certificate format.

Can I use a certificate in PKCS#12 (PFX) format?

Yes.

However, before you upload the certificate, you must convert the certificate to PEM format. For more information, see convert certificate format.

Why does a KeyEncryption error occur when adding a certificate?

This error is caused by incorrect private key content. For more information, see certificate requirements and convert certificate format.

What SSL protocol versions are supported by Server Load Balancer HTTPS?

TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are supported. Which of them a given listener accepts is determined by its TLS security policy (see Step 2); TLSv1.0 and TLSv1.1 are deprecated by RFC 8996 and should be disabled unless legacy clients require them.

How long is the retention time of an HTTPS session ticket?

The retention time of an HTTPS session ticket is 300 seconds by default.

Can I upload a certificate that contains the DH PARAMETERS field?

HTTPS listeners use ECDHE cipher suites, which provide forward secrecy, and do not offer DHE cipher suites, so the Diffie-Hellman parameters that DHE requires are not supported. A PEM file that contains a BEGIN DH PARAMETERS block is rejected on upload; remove that block before you upload the certificate.
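As an added example (not Alibaba Cloud code), the following Python linter checks a PEM bundle against the upload rules given in the FAQ entries above: PEM only (so PFX and keytool output must be converted first), certificate content separate from the private key for a server certificate, certificate content only for a CA certificate, and no BEGIN DH PARAMETERS block. It additionally flags a passphrase-protected private key as a likely cause of the KeyEncryption error; that is an assumption, not something the page states. The sample bundle is constructed with placeholder base64 bodies and contains no real key material.

```python
"""Pre-upload linter for a CLB certificate PEM bundle.

Added example, not Alibaba Cloud code.  Checks drawn from the page's FAQ:
  * only PEM blocks are accepted (PFX / keytool output converted beforehand);
  * a server certificate upload needs certificate content plus one private key;
  * a CA certificate upload takes certificate content only;
  * a BEGIN DH PARAMETERS block is rejected, so it is dropped here.
ASSUMPTION (not on the page): a passphrase-protected key is reported as a
likely cause of a key-content error.  Sample data below is constructed.
"""
import base64
import re

_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def split_pem(text):
    """Return (label, body) pairs in file order; body keeps its inner lines."""
    return [(m.group(1), m.group(2)) for m in _BLOCK.finditer(text)]


def _valid_base64(s):
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError
        return False


def lint_bundle(text, kind="server"):
    """Lint a bundle; returns problems plus the two fields the console asks for."""
    problems, cert_blocks, key_blocks = [], [], []
    for label, body in split_pem(text):
        if label == "DH PARAMETERS":
            problems.append("dropped DH PARAMETERS block: CLB uses ECDHE suites and rejects it")
            continue
        # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines
        # before the base64; skip those when validating the encoding.
        b64 = "".join(l for l in body.splitlines() if l and ":" not in l)
        if not _valid_base64(b64):
            problems.append(f"{label}: body is not valid base64")
        pem = f"-----BEGIN {label}-----\n{body}-----END {label}-----"
        if label == "CERTIFICATE":
            cert_blocks.append(pem)
        elif label.endswith("PRIVATE KEY"):
            key_blocks.append(pem)
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                problems.append("private key is passphrase-protected (assumption: upload an unencrypted key)")
        else:
            problems.append(f"unexpected block {label!r}")
    if not cert_blocks:
        problems.append("no CERTIFICATE block (convert PFX/JKS to PEM first)")
    if kind == "server" and len(key_blocks) != 1:
        problems.append(f"server certificate needs exactly one private key, found {len(key_blocks)}")
    if kind == "ca" and key_blocks:
        problems.append("CA certificate upload takes certificate content only; do not include a key")
    return {
        "problems": problems,
        "certificate": "\n".join(cert_blocks),
        "private_key": "\n".join(key_blocks),
    }


# Constructed sample: placeholder base64 bodies, no real certificate or key.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
c2FtcGxlIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
c2FtcGxlIGRoIHBhcmFtcyEh
-----END DH PARAMETERS-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

c2FtcGxlIHByaXZhdGUga2V5
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    result = lint_bundle(SAMPLE_BUNDLE)
    for p in result["problems"]:
        print("problem:", p)
    print(result["certificate"])
```

Convert a PFX file with openssl pkcs12 -in server.pfx -nodes -out bundle.pem before running the linter (a keytool keystore can first be exported to PKCS#12 with keytool -importkeystore -deststoretype PKCS12). The linter deliberately does not check that the key matches the certificate; compare the output of openssl x509 -noout -modulus -in cert.pem with openssl rsa -noout -modulus -in key.pem for that before you upload.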

Does HTTPS listener support SNI?

Server Name Indication (SNI) is an SSL/TLS extension that allows multiple domain names and certificates to be used on a single server. Server Load Balancer HTTPS listeners support SNI. For more information, see add and manage CLB additional domain.
