Add an HTTPS listener
HTTPS listeners terminate SSL/TLS at the CLB instance, decrypt incoming requests, and forward them as HTTP to backend servers. This offloads encryption from backend servers and centralizes certificate management.
Prerequisites
Ensure that you have:
-
A server certificate in PEM format. You can upload an existing certificate or create one during Step 2 of the wizard. Create a certificate.
-
(Optional) Backend servers deployed and accessible over HTTP (typically port 80) for traffic forwarding
-
(Optional) A network ACL for access control
Limitations
-
HTTPS listeners use HTTP as the backend protocol. Set backend server ports to HTTP (typically 80), not HTTPS (443).
-
HTTPS listeners do not support HTTP-to-HTTPS redirection.
-
HTTPS listeners do not support primary/secondary server groups.
-
CLB instances in the Mexico region do not support HTTPS listeners. Use Application Load Balancer (ALB) or create CLB instances in another region.
-
The TLS session ticket timeout is 300 seconds.
-
Actual data transfer exceeds the billed amount due to TLS handshake overhead. The gap increases with more new connections.
Procedure
Step 1: Configure listener protocol and settings
-
Log on to the CLB console.
-
In the top navigation bar, select the region where the CLB instance is deployed.
-
On the Instances page, find the target CLB instance and open the listener configuration using one of the following methods:
-
Click Configure Listener in the Actions column.
-
Click the instance ID, then click Add Listener on the Listener tab.
-
-
In the Protocol & Listener step, configure the following settings and click Next.
Basic settings
|
Parameter |
Description |
|
Select Listener Protocol |
Select HTTPS. |
|
Backend Protocol |
Fixed to HTTP. Cannot be changed. |
|
Listener Port |
Port for receiving and forwarding requests. Valid values: 1 to 65535. Port 443 is recommended. |
|
Tags |
Select or enter a Tag Key and a Tag Value. |
Advanced settings
Click Modify next to Advanced Settings to expand additional options.
|
Parameter |
Description |
|
Scheduling Algorithm |
The algorithm used to distribute requests to backend servers. Default: Round Robin. Options: Weighted Round-robin -- backend servers with higher weights receive more requests. Round Robin -- requests are distributed sequentially. For details, see SLB scheduling algorithms. |
|
Session Persistence |
Disabled by default. When enabled, all requests from the same client are forwarded to the same backend server. Select a Cookie Option: Insert Cookie -- CLB inserts a cookie (SERVERID) into the first response. Specify a Session Persistence Timeout Period. Rewrite Cookie -- CLB uses a cookie that you define. Specify a Cookie Name. Configure the timeout period and lifetime on the backend server. |
|
Enable HTTP/2 |
Enabled by default. HTTP/2 multiplexes requests over a single TCP connection, reducing latency. |
|
Idle Connection Timeout Period |
Maximum idle time for the connection between CLB and the client. Valid values: 1 to 60 seconds. Default: 15 seconds. CLB closes idle connections after this period. Note
This timeout applies to all server groups associated with the listener. To set a different timeout for a specific backend server, create a separate listener. |
|
Connection Request Timeout |
Maximum wait time for a backend response. CLB returns HTTP 504 if no response is received. Valid values: 1 to 180 seconds. Default: 60 seconds. For longer timeouts (up to 3,600 seconds), use ALB. |
|
GZIP Compression |
Enabled by default. Compresses responses for these content types: |
|
Automatically Enable Listener |
Enabled by default. The listener starts processing traffic immediately. |
Access control settings
|
Parameter |
Description |
|
Access Control |
Disabled by default. When enabled, select an access control method and ACL: Whitelist: Allows Specified IP Addresses to Access the SLB Instance -- only requests from IP addresses or CIDR blocks in the ACL are forwarded. An empty whitelist forwards all requests. Caution: incorrect whitelist entries may block legitimate traffic. Blacklist: Forbids Specified IP Addresses to Access the SLB Instance -- requests from IP addresses or CIDR blocks in the ACL are denied. An empty blacklist forwards all requests. Note
IPv6 instances support only IPv6 ACLs; IPv4 instances support only IPv4 ACLs. Create a network ACL. |
|
Bandwidth Throttling for Listeners |
Disabled by default. For pay-by-bandwidth CLB instances, set a maximum bandwidth per listener. Total allocated bandwidth cannot exceed the instance bandwidth. Important
Allocating full bandwidth to one listener makes other listeners inaccessible. The same applies to internal-facing CLB instances. Pay-by-data-transfer instances have no bandwidth limit by default. Enable bandwidth sharing among listeners of a CLB instance. |
Custom HTTP headers
|
Parameter |
Description |
|
Custom HTTP Header |
Select headers to add to forwarded requests: Add the Add the |
|
Obtain Client Source IP Address |
Enabled by default. Preserves client IP addresses in forwarded requests. |
Step 2: Configure the SSL certificate
-
In the Certificate Management Service step, select an uploaded Server Certificate or click Create Server Certificate to upload one. Certificates can also be purchased. Create a certificate.
-
(Optional) Click Modify next to Advanced Settings to configure mutual authentication or a TLS security policy.
-
Turn on Mutual Authentication and select an uploaded CA certificate, or create one. Purchase and enable a private CA.
-
Select a TLS Security Policy.
NoteTLS security policies are supported only by high-performance CLB instances and specify the allowed TLS versions and cipher suites. TLS security policies.
-
Step 3: Add backend servers
After creating the listener, add backend servers to handle requests. Use the default server group or create a vServer group. CLB server groups.
HTTPS listeners do not support primary/secondary server groups.
-
In the Backend Servers step, select Default Server Group and click Add More.
-
In the Servers step, select the backend servers to add and click Next.
-
In the Ports/Weights step, configure the weight for each backend server.
The default weight is 100. Servers with higher weights receive more requests. Setting the weight to 0 stops all traffic to that server.
-
Click Add. Specify the port used by each backend server to receive requests. Valid values: 1 to 65535.
Multiple backend servers in the same CLB instance can use the same port.
Step 4: Configure health checks and confirm
CLB health checks monitor backend server availability and route traffic away from unhealthy servers.
Health checks cannot be disabled for listeners associated with primary/secondary server groups.
-
(Optional) In the Health Check step, click Modify to adjust health check settings, then click Next. Configure and manage CLB health checks.
-
In the Confirm step, review the listener configuration. Click Modify to change any settings.
-
Click Submit. In the Configuration Successful message, click OK.
The new listener appears on the Listener tab of the instance details page.
Verify the HTTPS listener
After creating the listener, verify that HTTPS traffic is handled correctly:
-
On the Listener tab, confirm that the listener status is Running.
-
Open a browser and navigate to
https://<CLB-instance-IP>:<listener-port>. If you used port 443, navigate tohttps://<CLB-instance-IP>. -
Verify that the expected content is returned from your backend servers. If you used a self-signed certificate, accept the browser security warning to proceed.
-
If the page does not load, check the following:
-
The backend server is running and listening on the configured HTTP port.
-
Security group rules allow inbound traffic on the listener port.
-
The server certificate is valid and matches the domain name.
-
Health checks are passing for at least one backend server.
-
FAQ
Does CLB support end-to-end HTTPS?
No. CLB decrypts HTTPS at the listener and forwards requests to backend servers over HTTP, simplifying backend configuration and eliminating TLS overhead.
For end-to-end HTTPS, use one of these alternatives:
-
Create an ALB instance with an HTTPS listener. Configure end-to-end HTTPS encryption.
-
Configure a TCP listener on the CLB instance and install SSL certificates directly on your backend servers.
Which port should HTTPS listeners use?
There are no port restrictions, but port 443 is recommended as the standard HTTPS port.
What certificate formats does CLB support?
CLB supports PEM-format server certificates and CA certificates. Server certificates require both the certificate and private key. CA certificates require only the certificate.
Does CLB support keytool-created certificates?
Yes, but convert to PEM format before uploading. Convert certificate formats.
Can I use PKCS#12 (PFX) certificates?
Yes. Convert to PEM format before uploading. Convert certificate formats.
Why does the KeyEncryption error occur when uploading certificates?
The private key contains invalid content. Certificate requirements and format conversion.
What TLS protocol versions do HTTPS listeners support?
HTTPS listeners support TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.
What is the TTL of an HTTPS session ticket?
300 seconds.
Can I upload a certificate with DH PARAMETERS?
No. CLB HTTPS listeners use ECDHE cipher suites and do not support DHE parameters. Certificates containing the BEGIN DH PARAMETERS field cannot be uploaded.
Do HTTPS listeners support SNI?
Yes. SNI allows multiple SSL certificates on the same IP address. Add and manage additional domain names.
Does CLB support WebSocket Secure?
Yes. CLB HTTPS listeners support WSS by default. Use WebSocket to enable real-time messaging.
How do I configure HTTP-to-HTTPS redirection?
Create an HTTPS listener first. Then create an HTTP listener and enable Redirection by Listener on the HTTP listener. Redirect HTTP requests to HTTPS using CLB.
References
-
For non-encrypted traffic (internal networks, staging, or development), use HTTP listeners. Use HTTPS in production environments that transmit sensitive data.
-
Backend server management:
-
Health checks: CLB health checks overview | Configure and manage CLB health checks
-
Scheduling algorithms: SLB scheduling algorithms
-
Forwarding rules: Forward requests based on domain names or URLs
-
HTTP-to-HTTPS redirection: Redirect HTTP requests to HTTPS using CLB
-
One-way authentication: Configure one-way authentication for HTTPS requests
-
Mutual authentication: Configure mutual authentication on an HTTPS listener
-
Multiple HTTPS domains: Configure a CLB instance to serve multiple domain names over HTTPS
-
Client IP preservation: Preserve client IP addresses for Layer 7 listeners