Adding an HTTPS Listener

Scenarios

You can add an HTTPS listener if you require encrypted transmission. Load balancers decrypt HTTPS requests before routing them to backend servers. Once the servers process the requests, they send them back to the load balancers for encryption. Finally, the load balancers send the encrypted requests to the clients.

When you add an HTTPS listener, ensure that the backend subnet of the load balancer has sufficient IP addresses. If the IP addresses are insufficient, add more subnets on the summary page of the load balancer. After you select a subnet, do not configure network ACL rules for this subnet. If rules are configured, access to the load balancer may be denied.

Constraints

• If the listener protocol is HTTPS, the backend protocol can be HTTP or HTTPS.
• If you only select the network load balancing type for your dedicated load balancer, you cannot add HTTPS listeners to this load balancer.

Procedure

1. Go to the load balancer list page.
2. On the displayed page, locate the load balancer and click its name.
3. On the Listeners tab, click Add Listener. Configure the parameters based on Table 1.

   Table 1 Parameters for configuring an HTTPS listener

   Parameter	Description
   Name	Specifies the listener name.
   Frontend Protocol	Specifies the protocol that will be used by the load balancer to receive requests from clients. Select HTTPS.
   Frontend Port	Specifies the port that will be used by the load balancer to receive requests from clients. The port number ranges from 1 to 65535.
   SSL Authentication	Specifies how you want the clients and backend servers to be authenticated. There are two options: One-way authentication or Mutual authentication. If only server authentication is required, select One-way authentication. If you want the clients and the load balancer to authenticate each other, select Mutual authentication. Only authenticated clients will be allowed to access the load balancer.
   CA Certificate	Specifies the certificate that will be used by the backend server to authenticate the client when SSL Authentication is set to Mutual authentication. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA. For details, see Adding a Certificate.
   Server Certificate	Specifies the certificate that will be used by the backend server to authenticate the client when HTTPS is used as the frontend protocol. The server certificate is used for SSL handshake negotiation to authenticate clients and ensure encrypted transmission. For details, see Adding a Certificate.
   Enable SNI	Specifies whether to enable SNI when HTTPS is used as the frontend protocol. SNI can be used when a server uses multiple domain names and certificates. This allows the client to submit the domain name information while sending an SSL handshake request. After the load balancer receives the request, the load balancer queries the corresponding certificate based on the domain name and returns it to the client. If no certificate is found, the load balancer will return the default certificate. For details, see SNI Certificate.
   SNI Certificate	Specifies the certificate associated with the domain name when the frontend protocol is HTTPS and SNI is enabled. Select an existing certificate or add one. For details, see Adding a Certificate.
   Access Control	Specifies how access to the listener is controlled. For details, see What Is Access Control? The following options are available: All IP addresses Blacklist Whitelist
   IP Address Group	Specifies the IP address group associated with a whitelist or blacklist. If there is no IP address group, create one first. For more information, see IP Address Group.
   Transfer Client IP Address	Specifies whether to transmit IP addresses of the clients to backend servers. This function is enabled for dedicated load balancers by default and cannot be disabled.
   Advanced Forwarding	Specifies whether to enable advanced forwarding. This option allows you to configure advanced forwarding policies for HTTP or HTTPS listeners to forward requests to different backend server groups. For more information, see Advanced Forwarding.
   Advanced Settings (Optional)
   Security Policy	Specifies the security policy you can use if you select HTTPS as the frontend protocol. For more information, see TLS Security Policy.
   0-RTT	Specifies whether to enable 0-RTT data transfer to reduce the request response duration. 0-RTT data transfer can be enabled only when the security policy supports TLS 1.3. If this option is enabled, replay attacks may occur. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
   HTTP/2	Specifies whether you want to use HTTP/2 if you select HTTPS for Frontend Protocol. For details, see HTTP/2 for Faster Communication.
   HTTP Headers	You can enable the following options as needed. Transfer headers: Transfer Load Balancer EIP: transmits the EIP bound to the load balancer to backend servers through the X-Forwarded-ELB-IP header. Transfer Listener Port Number: transmits the port number used by the listener to backend servers through the X-Forwarded-Port header. Transfer Port Number in the Request: transmits the port number used by the client to backend servers through the X-Forwarded-For-Port header. Transfer Load Balancer ID: transmits the load balancer ID to backend servers through the X-Forwarded-ELB-ID header. Rewrite headers: Rewrite X-Forwarded-Host: rewrites the Host header in the request from the client into the X-Forwarded-Host header and transmits it to the backend servers. Rewrite X-Forwarded-Proto: rewrites the listener protocol into the X-Forwarded-Proto header and transmits it to the backend servers. Rewrite X-Real-IP: rewrites the source IP address of the client into the X-Real-IP header and transmits it to the backend servers. For details, see HTTP Headers. NOTE: More HTTP headers are coming soon. See the available HTTP headers on the management console.
   Data Compression	Specifies whether to enable the data compression option. If you do not enable this option, files will not be compressed. Brotli and Gzip can compress the files in the following format: text/html, tex/xml, text/plain text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
   Retry on Other Backend Servers	Specifies whether to allow the load balancer to attempt to establish connections with other backend servers in the same backend server group, if it fails to connect to a backend server. If all four retries fail, error code 502 or 504 will be returned. Connection error: If the load balancer cannot connect to a backend server due to an error, such as a failed or rejected connection, error code 502 will be returned. Request timeout: If the backend server does not respond within the timeout duration, error code 504 will be returned. Connection timeout: The load balancer attempts to connect to a backend server but fails within the timeout duration. Response timeout: The load balancer has sent a request to a backend server but does not receive a response within the timeout duration. Note: If there is an error after the load balancer forwards a request using a non-idempotent request method, such as POST, PATCH, or DELETE, the load balancer will not resend the request. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
   Idle Timeout (s)	Specifies the length of time for a connection to keep alive, in seconds. If no request is received within this period, the load balancer closes the connection and establishes a new one with the client when the next request arrives. The idle timeout duration ranges from 0 to 4000.
   Request Timeout (s)	Specifies the length of time (in seconds) that a load balancer is willing to wait for a client request to finish. The load balancer terminates the connection if a request takes too long to complete. The request timeout duration ranges from 1 to 300.
   Response Timeout (s)	Specifies the length of time (in seconds) after which the load balancer sends a 504 Gateway Timeout error to the client if the load balancer receives no response from the backend server after routing a request to the backend server and receives no response after attempting to route the same request to other backend servers. If sticky session is enabled and the load balancer receives no response from the backend server within the response timeout duration, the load balancer returns a 504 Gateway Timeout error to the client directly. The response timeout duration ranges from 1 to 300.
   Maximum New Connections per AZ	Specifies the maximum number of new connections that a listener can handle per second in each AZ. The default value is Unlimited. You can select Limit request to set the maximum number of new connections. The value ranges from 1 to 1000000. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
   Maximum Concurrent Connections per AZ	Specifies the maximum number of concurrent connections that a listener can handle per second in each AZ. The default value is Unlimited. You can select Limit request to set the maximum number of concurrent connections. The value ranges from 1 to 1000000. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit. Reducing the concurrent connection limit does not interrupt established connections. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
   Tag	Adds tags to the listener. Each tag is a key-value pair, and the tag key is unique. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
   Description	Provides supplementary information about the listener. You can enter a maximum of 255 characters.

4. Click Next: Configure Request Routing Policy.
   1. You are advised to select an existing backend server group.
   2. You can also select Create new to create a backend server group.
      1. Configure the backend server group by referring to Table 3.
      2. Click Next: Add Backend Server. Add backend servers and configure a health check for the backend server group.

         For details about how to add backend servers, see Backend Server Overview. For the parameters required for configuring a health check, see Table 4.

5. Click Next: Confirm.
6. Confirm the configurations and click Submit.

Popular Questions