Help Center/ Elastic Load Balance/ Best Practices/ Basic Functions/ Configuring One-way Authentication When Adding an HTTPS Listener
Updated on 2025-08-28 GMT+08:00
View PDF
Share

Configuring One-way Authentication When Adding an HTTPS Listener

Scenarios

If only server authentication is required, you can configure one-way authentication when adding an HTTPS listener to a load balancer.

This section uses certificates purchased on the Cloud Certificate Manager (CCM) console.

Prerequisites

  • There is a dedicated load balancer with an EIP bound to it. If there is not, you can buy one and bind an IPv4 EIP to the load balancer.
  • There is an HTTPS backend server group with an ECS (ECS01) running in it. The ECS hosts an application.
  • You have either purchased a certificate or uploaded a third-party certificate to SSL Certificate Manager (SCM), and configured a public domain name for the certificate. It is recommended that you purchase an SSL certificate on the CCM console.

Procedure

Figure 1 Procedure for configuring one-way authentication

Step 1: Upload the Server Certificate to ELB

Before adding an HTTPS listener to a load balancer, you need to upload your certificate to the ELB console.

  1. Go to the load balancer list page.
  2. In the navigation pane on the left, choose Certificates.
  3. Click Add Certificate on the top right corner and set parameters by referring to Table 1.
    Table 1 Server certificate parameters

    Parameter

    Description

    Certificate Type

    Specifies the certificate type. Select Server certificate.

    Source

    Specifies the source of a certificate. There are two options: SSL Certificate Manager and Your certificate.

    SSL Certificate Manager is used in this example, so that you can select the SSL certificates you have purchased on the CCM console.

    Certificate

    Specifies the certificate that you want to upload to the ELB console.

    Enterprise Project

    Specifies an enterprise project by which cloud resources and members are centrally managed.

    SNI Domain Name (Optional)

    All domain names of the SSL certificate will be automatically selected.

    If the certificate is intended for SNI, you can select an SNI certificate based on the domain name in the HTTPS requests.

    Description (Optional)

    Provides supplementary information about the certificate.
  4. Click OK.

Step 2: Add an HTTPS Listener and Configure One-Way Authentication

  1. Go to the load balancer list page.
  2. Locate the target load balancer and click Add Listener in the Operation column.
  3. On the Add Listener page, select HTTPS for Frontend Protocol and One-way authentication for SSL Authentication.

    Select the server certificate uploaded to the ELB console in Step 1.

    Figure 2 Configuring one-way authentication
  4. Click Next: Configure Request Routing Policy and select Use existing for Backend Server Group. Select an existing backend server group and click Next: Confirm.
  5. Confirm the configurations and click Submit.

Step 3: Configure Domain Name Resolution

You can add an A record set to resolve the domain name to the public IP address of the load balancer so that clients can access the load balancer using the public domain name.

The following provides an example for resolving a website domain name to an IPv4 address. For details about how to configure an A record set, see Routing Internet Traffic to a Website.

  1. Go to the DNS console.
  2. In the navigation pane on the left, choose Public Zones.

    The zone list is displayed.

  3. Locate the public zone and click Manage Record Sets in the Operation column.
  4. Click Add Record Set.
  5. Configure the parameters based on Table 2.
    Table 2 Parameters for adding an A record set

    Parameter

    Example Value

    Description

    Type

    A – Map domains to IPv4 addresses

    Type of the record set. In this example, set it to A - Map domains to IPv4 addresses.

    Name

    www

    Prefix of the domain name to be resolved.

    Line

    Default

    Resolution line. The DNS server will return the IP address of the specified line, depending on where end users come from.

    The default value is Default.

    Default: returns the default resolution result irrespective of where the visitors come from.

    TTL (s)

    300

    Cache duration of the record set on a local DNS server, in seconds.

    In this example, the default value 300 is used.

    Value

    192.168.12.2

    IPv4 addresses mapped to the domain name. In this example, set this parameter to the EIPs bound to the load balancer.

    Advanced Settings (Optional)

    -

    Click to expand the advanced settings, set the alias and weight of the record set, and add a description and tags. In this example, the default settings are used.
  6. Click OK.
  7. Switch back to the Record Sets tab.

    The added record set is in the Normal state.

Step 4: Verify Load Balancing

Deploy an application on ECS01, so that a page with message "Welcome to ELB test page one!" is returned when ECS01 is accessed. For details, see Deploy the Application.

Use a browser to access the domain name (https://load-balancer-domain-name) of the load balancer. If the following page is displayed, the load balancer forwards the access request to ECS01, and the HTTPS one-way authentication is successfully configured.
Figure 3 Accessing ECS01
Parent Topic: Basic Functions