Server Load Balancer:Add an HTTPS listener

Last Updated: Mar 31, 2026

If your service transmits sensitive data, such as user or identity information, or if you want to enhance its security, create an HTTPS listener to process HTTPS requests.

Prerequisites

Create a CLB instance. For more information, see Create and manage CLB instances.

Limitations

When you configure an HTTPS listener, the backend protocol supports only HTTP. Therefore, you must set the backend server to listen on an HTTP port (typically 80), not an HTTPS port (typically 443). In addition, you cannot configure HTTP-to-HTTPS redirection on the HTTP port.

Usage notes

  • The default session ticket lifetime for an HTTPS listener is 300 seconds.

  • The actual traffic an HTTPS listener generates is slightly higher than your billed traffic because of the TLS handshake.

  • When the number of new connections is high, the handshake traffic can be significant.

Procedure

Step 1: Configure listener

  1. Log on to the Classic Load Balancer (CLB) console.

  2. In the top navigation bar, select the region where the instance is deployed.

  3. On the Instances page, find the target instance and choose one of the following methods to configure the listener:

    • In the Actions column, click Configure Listener.

    • Click the instance ID. On the instance details page, click the Listener tab and then click Add Listener.

  4. In the Protocol & Listener wizard, configure the following parameters and click Next.

    The configuration items and their descriptions:

    Select Listener Protocol

    Select the protocol for the listener.

    In this example, HTTPS is selected.

    CLB instances in the Mexico region do not support HTTPS listeners. We recommend that you use an Application Load Balancer (ALB) instance or a CLB instance in another region.

    Backend Protocol

    If the listener protocol is HTTPS, the Backend Protocol is HTTP.

    Listener Port

    The port that receives requests and forwards them to backend servers. Valid values: 1 to 65535.

    Tags

    Select or enter a Tag Key and a Tag Value.

    Advanced Settings

    Click Modify to expand the advanced settings.

    Scheduling Algorithm

    Select a scheduling algorithm. The default is Round Robin (RR).

    • Weighted Round-robin: Backend servers with higher weights receive more requests.

    • Round Robin: Requests are distributed to backend servers in sequence.

    For more information about scheduling algorithms and their use cases, see Scheduling algorithms.

    Session Persistence

    Session persistence is disabled by default.

    After you enable session persistence, the load balancer forwards requests from the same client to the same backend server.

    Cookie Option:

    • Insert Cookie: You need to specify only the cookie timeout period.

      Subsequent requests from the client that contain this cookie are forwarded to the same backend server.

      Session Persistence Timeout Period: If you select Insert Cookie, enter a timeout period for session persistence.

    • Rewrite Cookie: You can specify a cookie to be inserted into the HTTP or HTTPS response. You must manage the cookie's expiration on your backend server.

      If the load balancer detects a custom cookie, it rewrites the original cookie. The next time the client sends a request that contains the new cookie, the load balancer forwards the request to the previously recorded backend server.

      Cookie Name: If you select Rewrite Cookie, enter the cookie name.

    Enable HTTP/2

    HTTP/2 is enabled by default.

    HTTP/2 introduces a feature named multiplexing. If you enable HTTP/2 for the frontend protocol of a CLB instance, the CLB instance can use a single TCP connection to transmit multiple HTTP requests and responses at the same time. This improves transmission performance.

    Access Control

    Access control is disabled by default.

    After you enable access control, select an access control method and an access control list (ACL) to serve as a whitelist or blacklist for the listener.

    • Whitelist: Allows Specified IP Addresses to Access the SLB Instance. Only requests from IP addresses or CIDR blocks in the selected ACL are forwarded. Whitelists are suitable for scenarios in which you want to allow access only from specific IP addresses. Because every source not in the ACL is rejected, a misconfigured whitelist can cut off legitimate clients, so configure it with caution.

      If you enable a whitelist but do not add any IP address to the ACL, the listener forwards all requests.

    • Blacklist: Forbids Specified IP Addresses to Access the SLB Instance. Requests from IP addresses or CIDR blocks in the selected ACL are not forwarded. Blacklists are suitable for scenarios in which you want to deny access only from specific IP addresses.

      If you enable a blacklist but do not add any IP address to the ACL, the listener forwards all requests.

    Note

    IPv6 instances can be associated only with IPv6 access control lists (ACLs), and IPv4 instances can be associated only with IPv4 ACLs. For more information about how to configure an ACL, see Create an access control list.

    Bandwidth Throttling for Listeners

    For pay-by-bandwidth load balancer instances, you can set a maximum bandwidth for each listener to limit traffic. The total bandwidth of all listeners cannot exceed the bandwidth of the instance.

    This feature is disabled by default. By default, listeners share the instance's total bandwidth. For more information about how listeners share bandwidth, see Share the bandwidth of a CLB instance.

    Important

    • If you have a public-facing CLB instance with a total bandwidth of 5 Mbit/s and two listeners, and you allocate the full 5 Mbit/s to Listener A while leaving Listener B unconfigured, Listener B becomes inaccessible. Allocate bandwidth with caution.

    • If you have a private-facing CLB instance with three listeners, and you allocate a total of 5,120 Mbit/s to Listeners A and B, Listener C becomes inaccessible. Allocate bandwidth with caution.

    • For pay-by-traffic instances, the listener bandwidth is not limited by default.

    Idle Connection Timeout Period

    The maximum amount of time that a TCP connection can remain open between a CLB instance and a client when no data is transferred. Valid values: 1 to 60 seconds. Default value: 15 seconds.

    If no request is received within the timeout period, the load balancer closes the current connection. A new connection is established when the next request arrives.

    Note

    This setting applies to the entire listener. To set a different connection timeout for a specific backend server, you must configure a separate listener for that server and set the desired timeout in the new listener.

    Connection Request Timeout

    If a backend server does not respond within the timeout period, the load balancer returns an HTTP 504 error to the client.

    Valid values: 1 to 180 seconds. Default value: 60 seconds. If you require a longer request timeout, we recommend that you use ALB, which supports a maximum timeout period of 3,600 seconds.

    GZIP Compression

    Enable this feature to compress files of specific types. Gzip compression is enabled by default.

    Gzip supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.

    Custom HTTP Header

    Select the custom HTTP header fields that you want to add:

    • Add the X-Forwarded-For header to obtain the real IP address of the client.

      Note

      By default, Layer 7 listeners of CLB use the X-Forwarded-For header to preserve client IP addresses. The header cannot be disabled. If more than one IP address is preserved, the first one is the client IP address. For detailed configuration, see Enable Layer 7 listeners to preserve client IP addresses and pass them to backend servers.

    • Add the SLB-ID header to obtain the load balancer instance ID.

    • Add the SLB-IP header to obtain the load balancer instance's IP address.

    • Add the X-Forwarded-Proto header to obtain the load balancer's listener protocol.

    Obtain Client Source IP Address

    This feature is enabled by default to obtain the real IP address of a client.

    Automatically Enable Listener

    Enabled by default, this starts the listener automatically after it is configured.
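The access control behaviour described above, including the documented edge case that an enabled but empty ACL forwards every request, as an added Python model. This is example code written for this page, not CLB's implementation; the function names, the mode strings and the sample addresses are assumptions.

```python
import ipaddress

# Constructed model of the listener's access control decision. The mode names
# and entry format are assumptions; the behaviour follows the console text above.


def acl_allows(client_ip, mode, acl_entries):
    """Return True if the listener forwards a request from client_ip.

    mode: "disabled", "whitelist" or "blacklist".
    acl_entries: IP addresses or CIDR blocks as strings.
    """
    if mode == "disabled":
        return True
    if mode not in ("whitelist", "blacklist"):
        raise ValueError(f"unknown access control mode: {mode}")
    if not acl_entries:
        # Documented edge case: an enabled ACL with no entries blocks nothing,
        # in whitelist mode as well as blacklist mode.
        return True
    ip = ipaddress.ip_address(client_ip)
    networks = [ipaddress.ip_network(e, strict=False) for e in acl_entries]
    # An IPv4 ACL never matches an IPv6 client and vice versa (see the Note above).
    matched = any(ip.version == n.version and ip in n for n in networks)
    return matched if mode == "whitelist" else not matched


def audit_listener(mode, acl_entries):
    """Flag configurations that look restrictive but silently forward all traffic."""
    findings = []
    if mode == "whitelist" and not acl_entries:
        findings.append("whitelist enabled with empty ACL: listener forwards ALL requests")
    if mode == "blacklist" and not acl_entries:
        findings.append("blacklist enabled with empty ACL: nothing is blocked")
    return findings


if __name__ == "__main__":
    # Constructed sample: an office range whitelisted, then the same listener
    # with the ACL accidentally left empty.
    office = ["203.0.113.0/24"]
    print(acl_allows("203.0.113.7", "whitelist", office))   # True
    print(acl_allows("198.51.100.7", "whitelist", office))  # False
    print(acl_allows("198.51.100.7", "whitelist", []))      # True: empty ACL
    print(audit_listener("whitelist", []))
```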

Step 2: Configure SSL certificate

  1. In the Certificate Management Service step, select an uploaded server certificate from the Server Certificate drop-down list. You can also click Create Server Certificate to upload or purchase a new one. For more information about certificates, see Create a certificate.

  2. Optional: Click Modify next to Advanced Settings to enable mutual authentication or set a TLS security policy.

    1. Enable Mutual Authentication and select an uploaded CA certificate, or create a CA certificate. For more information, see Purchase and enable a private CA.

    2. Select a TLS Security Policy.

    Note

    • Only high-performance instances support TLS security policies.

    • A TLS security policy contains the supported TLS protocol versions and cipher suites for HTTPS. For more information, see TLS security policies.

Step 3: Add backend servers

Add backend servers to process client requests. You can use the default server group of the instance or add a vServer group to the listener. For more information, see CLB server groups. This topic uses the default server group as an example.

Important

HTTPS listeners do not support primary/secondary server groups.

  1. In the Backend Servers step, select Default Server Group and click Add More.

  2. In the Select Servers step, select the backend servers that you want to add and click Next.

  3. In the Ports/Weights step, set the weight for each server, and click Add.

    Note

    • The default weight is 100. A backend server with a higher weight receives more requests.

    • A server with a weight of 0 does not receive new requests.

  4. Configure the port on which each backend server (ECS instance) receives requests, and then click Next. The port number must be between 1 and 65535.

    Note

    Backend servers of the same CLB instance can use the same port.

Step 4: Configure health check

CLB uses health checks to determine the availability of backend servers, which improves the overall availability of frontend services and prevents abnormal backend servers from affecting the service.

Note

You cannot disable health checks for listeners of a primary/secondary server group.

  1. Optional: In the Health Check step, click Modify to change the health check configuration, and then click Next. For more information, see Configure and manage CLB health checks.

  2. In the Configuration Review step, review the listener configuration and click Modify if you need to make changes.

  3. After you confirm the settings, click Submit. After the listener is created, click OK.

    After the configuration is complete, the new listener appears on the Listeners tab.

FAQ

End-to-end HTTPS encryption support

No. When you configure an HTTPS listener, the backend protocol supports only HTTP. After a CLB instance receives an HTTPS request, it decrypts the request and forwards the data to the backend server over HTTP. This simplifies the backend server configuration and avoids the performance overhead of TLS handshakes on the backend servers.

You can implement end-to-end HTTPS for your services in one of the following ways:

  • Create an Application Load Balancer (ALB) instance and configure an HTTPS listener to implement end-to-end HTTPS. For more information, see Configure end-to-end HTTPS encryption.

  • Configure a TCP listener for a CLB instance and configure SSL certificates on the backend servers.
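Because the CLB decrypts the request and forwards it over plain HTTP, the backend cannot tell from its own socket whether the client used HTTPS; it has to read the X-Forwarded-Proto and X-Forwarded-For headers that the listener adds (see the Custom HTTP Header setting in Step 1). The following Python helpers are an added example written for this page, not CLB or SDK code; the function names and the constructed sample request are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed backend-side helpers for a server behind a CLB HTTPS listener.
# Header names are the ones the listener can add; everything else is assumed.


def forwarded_context(headers):
    """Recover what the backend cannot see on its plain-HTTP connection:
    the listener protocol, the client address and which CLB forwarded it."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    proto = h.get("x-forwarded-proto", "http").strip().lower()
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    return {
        "https": proto == "https",
        # Documented above: when several addresses are preserved, the first is the client.
        "client_ip": xff[0] if xff else None,
        "slb_id": h.get("slb-id"),
        "slb_ip": h.get("slb-ip"),
    }


def session_cookie(name, value, ctx):
    """Emit a session cookie; the Secure flag is set only when the request arrived
    on the HTTPS listener, so the browser never returns it over clear-text HTTP."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True
    c[name]["samesite"] = "Lax"
    if ctx["https"]:
        c[name]["secure"] = True
    return c[name].OutputString()


def response_headers(ctx):
    """Send HSTS only on HTTPS responses; browsers ignore it when received over HTTP."""
    headers = {"Content-Type": "text/plain"}
    if ctx["https"]:
        headers["Strict-Transport-Security"] = "max-age=31536000"
    return headers


if __name__ == "__main__":
    # Constructed request as the backend would receive it from the listener.
    sample = {"X-Forwarded-Proto": "https",
              "X-Forwarded-For": "203.0.113.9, 10.0.0.2",
              "SLB-ID": "lb-placeholder", "SLB-IP": "10.0.0.2"}
    ctx = forwarded_context(sample)
    print(ctx, session_cookie("sid", "abc", ctx), response_headers(ctx))
```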

Recommended port for HTTPS

An HTTPS listener can use any port, but we recommend the standard port 443.

Supported certificate types

You can upload server certificates and CA certificates in the PEM format.

Uploading a server certificate requires both the certificate content and the private key. For a CA certificate, only the certificate content is required.

Support for Keytool certificates

Yes.

Before you upload a certificate, you must convert the certificate to the PEM format. For more information, see Convert certificate formats.

Support for PKCS#12 (PFX) certificates

Yes.

Before you upload a certificate, you must convert the certificate to the PEM format. For more information, see Convert certificate formats.

Cause of KeyEncryption errors

This error occurs because the private key is invalid. For more information, see Certificate requirements and format conversion.

Supported SSL protocol versions

TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

HTTPS session ticket lifetime

The lifetime of an HTTPS session ticket is 300 seconds.

Support for certificates with DH PARAMETERS

Because HTTPS listeners use ECDHE cipher suites for forward secrecy, they do not support DHE cipher suites. Therefore, you cannot upload PEM certificates that contain the BEGIN DH PARAMETERS field.
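A pre-upload check that applies the certificate requirements stated in this FAQ: a server certificate upload needs both the certificate and the private key, a CA certificate upload needs only the certificate, and a PEM file containing a BEGIN DH PARAMETERS block is rejected. This is an added Python example written for this page, not a CLB tool; the function names are assumptions and the sample bundle uses placeholder base64 bodies, not real key material.

```python
import base64
import binascii
import re

# Constructed PEM bundle checker; labels follow the PEM armor format, the
# rules follow the FAQ above. Function names are assumptions.

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, decoded_bytes) for each well-formed PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())  # strip line breaks before decoding
        try:
            data = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{m.group('label')}: body is not valid base64") from exc
        blocks.append((m.group("label"), data))
    return blocks


def check_upload(text, kind):
    """kind is 'server' (certificate plus private key) or 'ca' (certificate only).
    Returns a list of problems; an empty list means the bundle meets the requirements."""
    problems = []
    labels = [label for label, _ in pem_blocks(text)]
    if "DH PARAMETERS" in labels:
        problems.append("contains BEGIN DH PARAMETERS; HTTPS listeners use ECDHE only")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if kind == "server" and not has_key:
        problems.append("server certificate upload needs the private key")
    if kind == "ca" and has_key:
        problems.append("CA certificate upload should contain only the certificate")
    return problems


def sample_bundle(labels):
    """Build a constructed bundle with placeholder bodies (not real certificates or keys)."""
    body = base64.b64encode(b"placeholder-not-real-material").decode()
    return "".join(f"-----BEGIN {l}-----\n{body}\n-----END {l}-----\n" for l in labels)
```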

SNI support

Yes. CLB HTTPS listeners support SNI. For more information, see Add and manage additional domain names for a CLB instance.

WebSocket Secure (WSS) support

Yes. CLB HTTPS listeners support the WebSocket Secure (WSS) protocol by default. For more information, see the Use CLB to enable real-time messaging over WebSocket tutorial.

HTTP-to-HTTPS redirection

Create an HTTPS listener first. Then, when you create an HTTP listener, enable Redirection by Listener. For more information, see Use CLB to redirect HTTP requests to HTTPS.
