This topic describes how to configure a listener to distribute HTTPS requests directed at different domain names to different server groups. You can add additional domain names to your Classic Load Balancer (CLB) instance and deploy multiple SSL certificates on the CLB instance.
Terms
Server Name Indication (SNI) is an extension to SSL and TLS and allows a server to install multiple SSL certificates on the same IP address. When a client accesses CLB, the certificate configured for the requested domain name is used by default. If the request does not match the certificate configured for the domain name, the certificate configured for the HTTPS listener is used.
Limits
SNI is supported only by high-performance CLB instances.
CLB supports the following algorithms for public keys:
RSA 1024
RSA 2048
RSA 4096
Usage notes
When you add an additional domain name, the domain name you specify must be the same as the domain name of the server certificate you use.
If you add multiple wildcard domain certificates, the system automatically applies forwarding rules only to the first wildcard domain certificate you add, but it does not do so for the subsequent certificates. For the subsequent certificates, you must add each subdomain in use as an additional domain name and specify the appropriate wildcard domain certificate.
For example, if you first add the server certificate associated with *.example.com, then add the server certificate associated with *.test.com, CLB automatically applies forwarding rules to all requests destined for abc.example.com. However, it does not apply rules to requests destined for abc.test.com. To make the rules effective for requests destined for abc.test.com, you need to add that domain name as an additional domain name and specify the server certificate associated with *.test.com for it.
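The following audit sketch is an added example, not Alibaba Cloud code. It models the behaviour described in these usage notes so that you can list which host names still need their own additional domain name entry. The `Entry` type, the certificate labels, the status strings, and the sample hosts are constructed for illustration. It assumes that a wildcard covers exactly one leftmost label, which is how the matching table later in this topic marks info.market.aliyun.com against *.aliyun.com.

```python
# Added illustration: models the behaviour documented in this topic.
# It is not CLB code and does not call any Alibaba Cloud API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    domain: str  # additional domain name: exact, or wildcard "*.suffix"
    cert: str    # certificate label (constructed placeholder)

def wildcard_matches(pattern: str, host: str) -> bool:
    """Assumption: '*' stands for exactly one leftmost label."""
    if not pattern.startswith("*."):
        return False
    head, _, rest = host.lower().partition(".")
    return bool(head) and rest == pattern[2:].lower()

def audit(entries, hosts, default_cert="listener-default"):
    """Map each host in use to (status, certificate label).

    entries must be in the order they were added, because only the
    first wildcard entry is applied automatically.
    """
    exact = {e.domain.lower(): e for e in entries
             if not e.domain.startswith("*.")}
    wildcards = [e for e in entries if e.domain.startswith("*.")]
    report = {}
    for host in hosts:
        name = host.lower().rstrip(".")
        if name in exact:  # exact matching prevails over wildcard matching
            report[host] = ("ok-exact", exact[name].cert)
            continue
        hit = next((i for i, e in enumerate(wildcards)
                    if wildcard_matches(e.domain, name)), None)
        if hit is None:    # nothing matches: listener certificate is used
            report[host] = ("falls-back-to-default", default_cert)
        elif hit == 0:     # first wildcard added: applied automatically
            report[host] = ("ok-first-wildcard", wildcards[0].cert)
        else:              # later wildcard: add this host explicitly
            report[host] = ("add-explicit-entry", wildcards[hit].cert)
    return report

# Constructed sample data, in the order the entries were added.
SAMPLE_ENTRIES = [Entry("*.example.com", "cert-example"),
                  Entry("*.test.com", "cert-test"),
                  Entry("www.test.com", "cert-test")]
SAMPLE_HOSTS = ["abc.example.com", "abc.test.com",
                "www.test.com", "shop.other.org"]

if __name__ == "__main__":
    for host, (status, cert) in audit(SAMPLE_ENTRIES, SAMPLE_HOSTS).items():
        print(f"{host:18} {status:22} {cert}")
```

For a host reported as `add-explicit-entry`, the second value is the wildcard certificate to select when you add that host as an additional domain name.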
Prerequisites
A CLB instance is created and an HTTPS listener is configured for the instance. For more information, see Add an HTTPS listener.
Add an additional domain name
Log on to the CLB console.
On the Instances page, click the ID of the CLB instance that you want to manage.
Click the Listener tab and find the HTTPS listener that you want to manage. In the Actions column, choose > Manage Additional Certificate.
In the Manage Additional Certificate panel, click Add Additional Certificate.
Enter an additional domain name.
To check whether the domain name is valid, use the Alibaba Cloud Network Detect Tool.
Domain name-based forwarding rules support exact matching and wildcard matching:
You can specify a specific domain name such as www.alibabacloud.com in a forwarding rule.
You can also specify a wildcard domain name such as *.aliyun.com or *.market.aliyun.com in a forwarding rule.
If a request matches multiple domain-based forwarding rules, exact matching prevails over wildcard matching. If a request matches multiple wildcard domain names, a higher-level wildcard domain name prevails over a lower-level wildcard domain name.
Note: In the following table, "✓" indicates that the domain name of the request matches the domain name specified in the forwarding rule. "×" indicates that the domain name of the request does not match the domain name specified in the forwarding rule.

| Type | Request URL | www.aliyun.com | *.aliyun.com | *.market.aliyun.com |
|---|---|---|---|---|
| Exact match | www.aliyun.com | ✓ | × | × |
| Wildcard match | market.aliyun.com | × | ✓ | × |
| Wildcard match | info.market.aliyun.com | × | × | ✓ |
Select the server certificate associated with the domain name.
Click OK.
After you add an additional domain name, you must create a forwarding rule based on the domain name for the domain name to take effect.
Optional. Perform the following steps to configure a forwarding rule:
On the Note page, click Configure Rule. You can also click the ID of the CLB instance on the Instances page and click the Listener tab. Find the HTTPS listener that you created and click Set Forwarding Rule in the Actions column.
In the Add Forwarding Rules panel, enter a domain name and a URL, configure a forwarding rule, and then click Add Forwarding Policy.
For more information, see Configure a CLB instance to serve multiple domain names over HTTPS.
Note: Make sure that the domain name configured in the forwarding rule is the same as the additional domain name that you added.
Modify an additional domain name
You can replace the certificate that is used by an additional domain name.
Log on to the CLB console.
On the Instances page, click the ID of the CLB instance that you want to manage. On the instance details page, click the Listener tab and find the HTTPS listener that you created. In the Actions column, choose > Manage Additional Certificate.
On the Manage Additional Certificate page, find the additional domain name that you want to manage, and in the Actions column, click Modify.
In the Modify Additional Domain Name dialog box, select a new certificate, then click OK.
Delete an additional domain name
You can delete additional domain names that you no longer use.
Log on to the CLB console.
On the Instances page, click the ID of the CLB instance that you want to manage.
Click the Listener tab, find the HTTPS listener that you created, and in the Actions column, choose > Manage Additional Certificate.
On the Manage Additional Certificate page, find the additional domain name that you want to manage, and in the Actions column, click Delete.
In the message that appears, click OK.
FAQ
What do I do if the server certificate I purchased cannot be viewed or selected in the Manage Additional Certificate panel?
If the server certificate you want to use is an Alibaba Cloud SSL certificate, deploy the certificate on the Certificates page in the CLB console, selecting Alibaba Cloud Certificates as the certificate source.
If the server certificate you want to use is a third-party certificate, deploy the certificate on the Certificates page in the CLB console, selecting Third-party Certificates as the certificate source.
References
You can configure a CLB instance to serve multiple domain names over HTTPS. For more information, see Configure a CLB instance to serve multiple domain names over HTTPS.
You can configure rules to forward requests destined for the same domain name but different URLs to different backend server groups. For more information, see Configure rules to forward requests destined for the same domain name but different URLs to implement precise traffic forwarding.