Help Center/ Elastic Load Balance/ User Guide/ Listener/ Adding an HTTPS Listener
Updated on 2024-03-19 GMT+08:00

Adding an HTTPS Listener

Scenarios

HTTPS listeners are best suited for applications that require encrypted transmission. Load balancers decrypt HTTPS requests before routing them to backend servers, which then send the processed requests back to load balancers for encryption before they are sent to clients.

When you add an HTTPS listener, ensure that the subnet of the load balancer has sufficient IP addresses. If the IP addresses are insufficient, add more subnets on the summary page of the load balancer. After you select a subnet, ensure that ACL rules are not configured for this subnet. If rules are configured, request packets may not be allowed.

Constraints

  • Dedicated load balancers: If the listener protocol is HTTPS, the protocol of the backend server group can be HTTP or HTTPS.
  • If you only select network load balancing (TCP/UDP) for your dedicated load balancer, you cannot add an HTTPS listener to this load balancer.

Adding an HTTPS Listener to a Dedicated Load Balancer

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Hover on in the upper left corner to display Service List and choose Network > Elastic Load Balance.
  4. Locate the load balancer and click its name.
  5. Under Listeners, click Add Listener. Configure the parameters based on Table 1.
    Table 1 Parameters for configuring a listener

    Parameter

    Description

    Example Value

    Name

    Specifies the listener name.

    listener-pnqy

    Frontend Protocol

    Specifies the protocol that will be used by the load balancer to receive requests from clients.

    HTTPS

    Frontend Port

    Specifies the port that will be used by the load balancer to receive requests from clients.

    The port number ranges from 1 to 65535.

    80

    SSL Authentication

    Specifies whether how you want the clients and backend servers to be authenticated.

    There are two options: One-way authentication or Mutual authentication.

    • If only server authentication is required, select One-way authentication.
    • If you want the clients and the load balancer to authenticate each other, select Mutual authentication. Only authenticated clients will be allowed to access the load balancer.

    One-way authentication

    Server Certificate

    Specifies the certificate that will be used by the backend server to authenticate the client when HTTPS is used as the frontend protocol.

    Both the certificate and private key are required.

    For details, see Adding, Modifying, or Deleting a Certificate.

    N/A

    CA Certificate

    Specifies the certificate that will be used by the backend server to authenticate the client when SSL Authentication is set to Mutual authentication.

    A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.

    For details, see Adding, Modifying, or Deleting a Certificate.

    N/A

    Enable SNI

    Specifies whether to enable SNI when HTTPS is used as the frontend protocol.

    SNI is an extension to TLS and is used when a server uses multiple domain names and certificates.

    This allows the client to submit the domain name information while sending an SSL handshake request. After the load balancer receives the request, the load balancer queries the corresponding certificate based on the domain name and returns it to the client. If no certificate is found, the load balancer will return the default certificate. For details, see SNI Certificate.

    N/A

    SNI Certificate

    Specifies the certificate associated with the domain name when the frontend protocol is HTTPS and SNI is enabled.

    Select an existing certificate or create one.

    For details, see Adding, Modifying, or Deleting a Certificate.

    N/A

    Access Control

    Specifies how access to the listener is controlled. For details, see Access Control. The following options are available:

    • All IP addresses
    • Blacklist
    • Whitelist

    Whitelist

    IP Address Group

    Specifies the IP address group associated with a whitelist or blacklist. If there is no IP address group, create one first. For more information, see Creating an IP Address Group.

    ipGroup-b2

    Transfer Client IP Address

    Specifies whether to transmit IP addresses of the clients to backend servers.

    This function is enabled for dedicated load balancers by default and cannot be disabled.

    Enabled

    Advanced Forwarding

    Specifies whether to enable the advanced forwarding policy. You can add advanced forwarding policies to HTTP or HTTPS listeners to forward requests to different backend server groups based on HTTP request method, HTTP header, query string, or CIDR block in addition to domain names and URLs.

    Enabled

    Advanced Settings

    Security Policy

    Specifies the security policy you can use if you select HTTPS as the frontend protocol. For more information, see TLS Security Policy.

    TLS-1-0

    HTTP/2

    Specifies whether you want to use HTTP/2 if you select HTTPS for Frontend Protocol. For details, see HTTP/2.

    N/A

    Transfer Load Balancer EIP

    Specifies whether to store the EIP bound to the load balancer in the X-Forwarded-ELB-IP header field and pass this field to backend servers.

    N/A

    Transfer Listener Port Number

    Specifies whether to store the port number used by the listener in the X-Forwarded-Port header field and pass the field to backend servers.

    N/A

    Transfer Port Number in the Request

    Specifies whether to store the port number used by the client in the X-Forwarded-For-Port header field and pass the field to backend servers.

    N/A

    Rewrite X-Forwarded-Host

    • If you disable this option, the load balancer passes the X-Forwarded-Host field to backend servers.
    • If you enable this option, the load balancer rewrites the X-Forwarded-Host field based on the Host field in the request header sent from the client and sends the rewritten X-Forwarded-Host field to backend servers.

    N/A

    Idle Timeout

    Specifies the length of time for a connection to keep alive, in seconds. If no request is received within this period, the load balancer closes the connection and establishes a new one with the client when the next request arrives.

    The idle timeout duration ranges from 0 to 4000.

    60

    Request Timeout

    Specifies the length of time (in seconds) after which the load balancer closes the connection if the load balancer does not receive a request from the client.

    The request timeout duration ranges from 1 to 300.

    60

    Response Timeout

    Specifies the length of time (in seconds) after which the load balancer sends a 504 Gateway Timeout error to the client if the load balancer receives no response from the backend server after routing a request to the backend server and receives no response after attempting to route the same request to other backend servers.

    The request timeout duration ranges from 1 to 300.

    NOTE:

    If you have enabled sticky sessions and the backend server does not respond within the response timeout duration, the load balancer returns 504 Gateway Timeout to the clients.

    60

    Description

    Provides supplementary information about the listener.

    You can enter a maximum of 255 characters.

    N/A

  6. Click Next: Configure Request Routing Policy.
    1. You are advised to select an existing backend server group.
    2. You can also click Create new to create a backend server group and configure parameters as described in Table 2.
    Table 2 Parameters for configuring a backend server group

    Parameter

    Description

    Example Value

    Backend Server Group

    Specifies a group of servers with the same features to receive requests from the load balancer. Two options are available:

    • Create new
    • Use existing
      NOTE:

      The backend protocol of the backend server group must match the frontend protocol. For example, if the frontend protocol is TCP, the backend protocol must be TCP.

    Create new

    Backend Server Group Name

    Specifies the name of the backend server group.

    server_group-sq4v

    Backend Protocol

    Specifies the protocol that will be used by backend servers to receive requests.

    If the frontend protocol is HTTPS, the backend protocol can be HTTP, or HTTPS.

    HTTP

    Load Balancing Algorithm

    Specifies the algorithm that will be used by the load balancer to distribute traffic. The following options are available:

    • Weighted round robin: Requests are routed to different servers based on their weights, which indicate server processing performance. Backend servers with higher weights receive proportionately more requests, whereas equal-weighted servers receive the same number of requests.
    • Weighted least connections: In addition to the number of active connections established with each backend server, each server is assigned a weight based on their processing capability. Requests are routed to the server with the lowest connections-to-weight ratio.
    • Source IP hash: The source IP address of each request is calculated using the consistent hashing algorithm to obtain a unique hash key, and all backend servers are numbered. The generated key is used to allocate the client to a particular server. This allows requests from different clients to be routed based on source IP addresses and ensures that a client is directed to the same server that it was using previously.
    NOTE:
    • Choose an appropriate algorithm based on your requirements for better traffic distribution.
    • For Weighted round robin or Weighted least connections, no requests will be routed to a server with a weight of 0.

    Weighted round robin

    Sticky Session

    Specifies whether to enable sticky sessions. If you enable sticky sessions, all requests from a client during one session are sent to the same backend server.

    This parameter is optional and can be enabled if you have selected Weighted round robin for Load Balancing Algorithm.

    N/A

    Sticky Session Type

    Specifies the type of sticky sessions for HTTP and HTTPS listeners.

    • Load balancer cookie: The load balancer generates a cookie after receiving a request from the client. All subsequent requests with the same cookie are then routed to the same backend server.
    NOTE:

    Load balancer cookie

    Stickiness Duration (min)

    Specifies the minutes that sticky sessions are maintained. You can enable sticky sessions only if you select Weighted round robin for Load Balancing Algorithm.

    • Stickiness duration at Layer 4: 1 to 60
    • Stickiness duration at Layer 7: 1 to 1440

    20

    Slow Start

    Specifies whether to enable slow start, which is disabled by default.

    After you enable slow start, the load balancer linearly increases the proportion of requests to send to backend servers in this mode. When the slow start duration elapses, the load balancer sends full share of requests to backend servers and exits the slow start mode.

    For details, see Slow Start (Dedicated Load Balancers).

    N/A

    Slow Start Duration

    Specifies how long the slow start will last.

    The duration ranges from 30 to 1200, in seconds, and the default value is 30.

    30

    Description

    Provides supplementary information about the backend server group.

    You can enter a maximum of 255 characters.

    N/A

  7. Click Next: Add Backend Server. Add backend servers and configure health check for the backend server group. For details about how to add backend servers, see Overview. For the parameters required for configuring a health check, see Table 3.
    Table 3 Parameters for configuring a health check

    Parameter

    Description

    Example Value

    Health Check

    Specifies whether to enable health checks.

    If the health check is enabled, click next to Advanced Settings to set health check parameters.

    N/A

    Health Check Protocol

    Specifies the protocol that will be used by the load balancer to check the health of backend servers.

    If the backend protocol is HTTP or HTTPS, the health check protocol can be TCP, HTTP, or HTTPS.

    HTTP

    Domain Name

    Specifies the domain name that will be used for health checks. This parameter is mandatory if the health check protocol is HTTP or HTTPS.

    • You can use the private IP address of the backend server as the domain name.
    • You can also specify a domain name that consists of at least two labels separated by periods (.). Use only letters, digits, and hyphens (-). Do not start or end strings with a hyphen. Max total: 100 characters. Max label: 63 characters.

    www.elb.com

    Health Check Port

    Specifies the port that will be used by the load balancer to check the health of backend servers. The port number ranges from 1 to 65535.

    NOTE:

    By default, the service port on each backend server is used. You can also specify a port for health checks.

    80

    Path

    Specifies the health check URL, which is the destination on backend servers for health checks. This parameter is mandatory if the health check protocol is HTTP or HTTPS. The path can contain 1 to 80 characters and must start with a slash (/).

    The path can contain letters, digits, hyphens (-), slashes (/), periods (.), question marks (?), percent signs (%), ampersands (&), and underscores (_).

    /index.html

    Interval (s)

    Specifies the interval for sending health check requests, in seconds.

    The interval ranges from 1 to 50.

    5

    Timeout (s)

    Specifies the maximum time required for waiting for a response from the health check, in seconds. The timeout duration ranges from 1 to 50.

    3

    Maximum Retries

    Specifies the maximum number of health check retries. The value ranges from 1 to 10.

    3

  8. Click Next: Confirm.
  9. Confirm the configuration and click Submit.