Add an HTTPS listener

Updated at:
Copy as MD

HTTPS listeners terminate SSL/TLS at the CLB instance, decrypt incoming requests, and forward them as HTTP to backend servers. This offloads encryption from backend servers and centralizes certificate management.

Prerequisites

Ensure that you have:

  • A CLB instance

  • A server certificate in PEM format. You can upload an existing certificate or create one during Step 2 of the wizard. Create a certificate.

  • (Optional) Backend servers deployed and accessible over HTTP (typically port 80) for traffic forwarding

  • (Optional) A network ACL for access control

Limitations

  • HTTPS listeners use HTTP as the backend protocol. Set backend server ports to HTTP (typically 80), not HTTPS (443).

  • HTTPS listeners do not support HTTP-to-HTTPS redirection.

  • HTTPS listeners do not support primary/secondary server groups.

  • CLB instances in the Mexico region do not support HTTPS listeners. Use Application Load Balancer (ALB) or create CLB instances in another region.

  • The TLS session ticket timeout is 300 seconds.

  • Actual data transfer exceeds the billed amount due to TLS handshake overhead. The gap increases with more new connections.

Procedure

Step 1: Configure listener protocol and settings

  1. Log on to the CLB console.

  2. In the top navigation bar, select the region where the CLB instance is deployed.

  3. On the Instances page, find the target CLB instance and open the listener configuration using one of the following methods:

    • Click Configure Listener in the Actions column.

    • Click the instance ID, then click Add Listener on the Listener tab.

  4. In the Protocol & Listener step, configure the following settings and click Next.

Basic settings

Parameter

Description

Select Listener Protocol

Select HTTPS.

Backend Protocol

Fixed to HTTP. Cannot be changed.

Listener Port

Port for receiving and forwarding requests. Valid values: 1 to 65535. Port 443 is recommended.

Tags

Select or enter a Tag Key and a Tag Value.

Advanced settings

Click Modify next to Advanced Settings to expand additional options.

Parameter

Description

Scheduling Algorithm

The algorithm used to distribute requests to backend servers. Default: Round Robin. Options: Weighted Round-robin -- backend servers with higher weights receive more requests. Round Robin -- requests are distributed sequentially. For details, see SLB scheduling algorithms.

Session Persistence

Disabled by default. When enabled, all requests from the same client are forwarded to the same backend server. Select a Cookie Option: Insert Cookie -- CLB inserts a cookie (SERVERID) into the first response. Specify a Session Persistence Timeout Period. Rewrite Cookie -- CLB uses a cookie that you define. Specify a Cookie Name. Configure the timeout period and lifetime on the backend server.

Enable HTTP/2

Enabled by default. HTTP/2 multiplexes requests over a single TCP connection, reducing latency.

Idle Connection Timeout Period

Maximum idle time for the connection between CLB and the client. Valid values: 1 to 60 seconds. Default: 15 seconds. CLB closes idle connections after this period.

Note

This timeout applies to all server groups associated with the listener. To set a different timeout for a specific backend server, create a separate listener.

Connection Request Timeout

Maximum wait time for a backend response. CLB returns HTTP 504 if no response is received. Valid values: 1 to 180 seconds. Default: 60 seconds. For longer timeouts (up to 3,600 seconds), use ALB.

GZIP Compression

Enabled by default. Compresses responses for these content types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml.

Automatically Enable Listener

Enabled by default. The listener starts processing traffic immediately.

Access control settings

Parameter

Description

Access Control

Disabled by default. When enabled, select an access control method and ACL: Whitelist: Allows Specified IP Addresses to Access the SLB Instance -- only requests from IP addresses or CIDR blocks in the ACL are forwarded. An empty whitelist forwards all requests. Caution: incorrect whitelist entries may block legitimate traffic. Blacklist: Forbids Specified IP Addresses to Access the SLB Instance -- requests from IP addresses or CIDR blocks in the ACL are denied. An empty blacklist forwards all requests.

Note

IPv6 instances support only IPv6 ACLs; IPv4 instances support only IPv4 ACLs. Create a network ACL.

Bandwidth Throttling for Listeners

Disabled by default. For pay-by-bandwidth CLB instances, set a maximum bandwidth per listener. Total allocated bandwidth cannot exceed the instance bandwidth.

Important

Allocating full bandwidth to one listener makes other listeners inaccessible. The same applies to internal-facing CLB instances. Pay-by-data-transfer instances have no bandwidth limit by default. Enable bandwidth sharing among listeners of a CLB instance.

Custom HTTP headers

Parameter

Description

Custom HTTP Header

Select headers to add to forwarded requests: X-Forwarded-For: Retrieve Client IP -- obtains client IP addresses. Enabled by default on Layer 7 listeners and cannot be disabled. The first IP in the list is the client IP. Preserve client IP addresses for Layer 7 listeners. SLB-ID: Retrieve SLB ID -- obtains the CLB instance ID. SLB-IP: Retrieve SLB IP -- obtains the CLB instance IP address. X-Forwarded-Proto: Retrieve Listener Protocol -- obtains the listener protocol.

Add the X-Forwarded-Port header to obtain the listening port of the CLB instance.

Add the X-Forwarded-Client-srcport header to obtain the client port.

Obtain Client Source IP Address

Enabled by default. Preserves client IP addresses in forwarded requests.

Step 2: Configure the SSL certificate

  1. In the Certificate Management Service step, select an uploaded Server Certificate or click Create Server Certificate to upload one. Certificates can also be purchased. Create a certificate.

  2. (Optional) Click Modify next to Advanced Settings to configure mutual authentication or a TLS security policy.

    1. Turn on Mutual Authentication and select an uploaded CA certificate, or create one. Purchase and enable a private CA.

    2. Select a TLS Security Policy.

      Note

      TLS security policies are supported only by high-performance CLB instances and specify the allowed TLS versions and cipher suites. TLS security policies.

Step 3: Add backend servers

After creating the listener, add backend servers to handle requests. Use the default server group or create a vServer group. CLB server groups.

Important

HTTPS listeners do not support primary/secondary server groups.

  1. In the Backend Servers step, select Default Server Group and click Add More.

  2. In the Servers step, select the backend servers to add and click Next.

  3. In the Ports/Weights step, configure the weight for each backend server.

    The default weight is 100. Servers with higher weights receive more requests. Setting the weight to 0 stops all traffic to that server.
  4. Click Add. Specify the port used by each backend server to receive requests. Valid values: 1 to 65535.

    Multiple backend servers in the same CLB instance can use the same port.

Step 4: Configure health checks and confirm

CLB health checks monitor backend server availability and route traffic away from unhealthy servers.

Health checks cannot be disabled for listeners associated with primary/secondary server groups.
  1. (Optional) In the Health Check step, click Modify to adjust health check settings, then click Next. Configure and manage CLB health checks.

  2. In the Confirm step, review the listener configuration. Click Modify to change any settings.

  3. Click Submit. In the Configuration Successful message, click OK.

The new listener appears on the Listener tab of the instance details page.

Verify the HTTPS listener

After creating the listener, verify that HTTPS traffic is handled correctly:

  1. On the Listener tab, confirm that the listener status is Running.

  2. Open a browser and navigate to https://<CLB-instance-IP>:<listener-port>. If you used port 443, navigate to https://<CLB-instance-IP>.

  3. Verify that the expected content is returned from your backend servers. If you used a self-signed certificate, accept the browser security warning to proceed.

  4. If the page does not load, check the following:

    • The backend server is running and listening on the configured HTTP port.

    • Security group rules allow inbound traffic on the listener port.

    • The server certificate is valid and matches the domain name.

    • Health checks are passing for at least one backend server.

FAQ

Does CLB support end-to-end HTTPS?

No. CLB decrypts HTTPS at the listener and forwards requests to backend servers over HTTP, simplifying backend configuration and eliminating TLS overhead.

For end-to-end HTTPS, use one of these alternatives:

  1. Create an ALB instance with an HTTPS listener. Configure end-to-end HTTPS encryption.

  2. Configure a TCP listener on the CLB instance and install SSL certificates directly on your backend servers.

Which port should HTTPS listeners use?

There are no port restrictions, but port 443 is recommended as the standard HTTPS port.

What certificate formats does CLB support?

CLB supports PEM-format server certificates and CA certificates. Server certificates require both the certificate and private key. CA certificates require only the certificate.

Does CLB support keytool-created certificates?

Yes, but convert to PEM format before uploading. Convert certificate formats.

Can I use PKCS#12 (PFX) certificates?

Yes. Convert to PEM format before uploading. Convert certificate formats.

Why does the KeyEncryption error occur when uploading certificates?

The private key contains invalid content. Certificate requirements and format conversion.

What TLS protocol versions do HTTPS listeners support?

HTTPS listeners support TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

What is the TTL of an HTTPS session ticket?

300 seconds.

Can I upload a certificate with DH PARAMETERS?

No. CLB HTTPS listeners use ECDHE cipher suites and do not support DHE parameters. Certificates containing the BEGIN DH PARAMETERS field cannot be uploaded.

Do HTTPS listeners support SNI?

Yes. SNI allows multiple SSL certificates on the same IP address. Add and manage additional domain names.

Does CLB support WebSocket Secure?

Yes. CLB HTTPS listeners support WSS by default. Use WebSocket to enable real-time messaging.

How do I configure HTTP-to-HTTPS redirection?

Create an HTTPS listener first. Then create an HTTP listener and enable Redirection by Listener on the HTTP listener. Redirect HTTP requests to HTTPS using CLB.

References