CLB additional domain names

Updated at:
Copy as MD

To forward HTTPS requests for different domain names to different backend server groups on the same listener, use the additional domain name feature of CLB. This feature lets you attach multiple SSL certificates to forward requests for each domain to its respective backend server group.

Key concepts

Server Name Indication (SNI) is an extension to the SSL/TLS protocol that allows multiple SSL certificates to be hosted on a single IP address. When a client connects to the load balancer, CLB uses the certificate configured for the requested domain name to decrypt the traffic by default. If no matching certificate is found, CLB uses the certificate configured for the listener.

Limits

  • Only performance-guaranteed CLB instances support SNI.

  • By default, you can add up to 3 additional domain names to an HTTPS listener. You can increase this limit to a maximum of 10. To request an increase, go to Quota Center.

    If the maximum limit of 10 additional domain names does not meet your needs, consider the following solutions:

    • Use multiple HTTPS listeners on different ports and configure different additional domain names for each listener.

    • Migrate to Application Load Balancer (ALB). ALB uses certificates and forwarding rules to manage multiple domain names, supports up to 300 additional certificates, and provides more advanced forwarding conditions and actions.

  • CLB supports the following public key algorithms:

    • RSA 1024

    • RSA 2048

    • RSA 4096

Usage notes

  • The additional domain name must match the domain name in the selected server certificate.

  • If you configure multiple wildcard certificates, only the first wildcard certificate automatically matches requests for all eligible subdomains. Subsequent wildcard certificates do not automatically match requests. You must configure an additional domain name for each specific subdomain and explicitly associate it with the corresponding wildcard certificate.

    For example, if you first configure a certificate for *.example.com and then a certificate for *.test.com, requests for abc.example.com are automatically matched. However, requests for abc.test.com are not automatically matched by default. You must configure a new additional domain name for abc.test.com and specify that it uses the *.test.com certificate.

Prerequisites

You have created a CLB instance and configured an HTTPS listener for it. For more information, see Add an HTTPS listener.

Add an additional domain name

  1. Log on to the CLB console.

  2. On the Instances page, click the ID of the target instance.

  3. On the Listener tab, find the HTTPS listener that you created. In the Actions column, choose image.png> Manage Additional Certificate.

  4. In the Manage Additional Certificate panel, click Add Additional Certificate.

    1. Enter the additional domain name.

      To check whether a domain name is valid, use the Alibaba Cloud Domain Name Check tool.

      Forwarding based on domain names supports two matching modes: exact match and wildcard match.

      • Exact domain name: www.aliyun.com

      • Wildcard domain name: *.aliyun.com, *.market.aliyun.com

        If a request matches multiple domain-based forwarding rules, the rules are prioritized as follows: exact match > more specific wildcard match > less specific wildcard match.

        Note

        In the following table, ✓ indicates a match and × indicates a mismatch.

        Mode

        Test request URL

        Domain forwarding rules

        www.aliyun.com

        *.aliyun.com

        *.market.aliyun.com

        Exact match

        www.aliyun.com

        ×

        ×

        Wildcard match

        market.aliyun.com

        ×

        ×

        info.market.aliyun.com

        ×

        ×

    2. Select the server certificate to associate with the domain name.

    3. Click OK.

      An additional domain name takes effect only when associated with a forwarding rule.

  5. Optional: Configure a forwarding rule.

    1. In the Note dialog box, click Configure. Alternatively, on the Instances page, click the ID of the target instance, go to the Listener tab, find the HTTPS listener, and then click Set Forwarding Rule in the Actions column.

    2. In the Add Forwarding Rules panel, enter a domain name and configure a URL, and then click Add Forwarding Policy.

    For more information, see Configure a CLB instance to serve multiple domain names over HTTPS.

    Note

    Make sure the domain name configured in the forwarding rule is the same as the additional domain name.

Edit an additional domain name

You can replace the certificate used by an additional domain name.

  1. Log on to the CLB console.

  2. On the Instances page, click the ID of the instance, go to the Listener tab, find the HTTPS listener, and in the Actions column, choose More> Manage Additional Certificate.

  3. On the Manage Additional Certificate page, find the target additional domain name, and in the Actions column, click Modify.

  4. In the Modify Additional Certificate dialog box, select a new certificate and click OK.

Delete an additional domain name

You can delete an additional domain name if it is no longer needed.

  1. Log on to the CLB console.

  2. On the Instances page, click the ID of the instance.

  3. Go to the Listener tab, find the HTTPS listener, and then in the Actions column, choose More> Manage Additional Certificate.

  4. On the Manage Additional Certificate page, find the target additional domain name, and in the Actions column, click Delete.

  5. In the confirmation dialog box, click OK.

FAQ

Cannot find purchased certificate

  • If you purchased an SSL certificate from Alibaba Cloud, you must deploy it from the Certificates page in the CLB console by using the Alibaba Cloud Certificates option.

  • If you purchased a certificate from a third-party provider, you must deploy it from the Certificates page in the CLB console by using the Third-party Certificates option.

Related topics