Using a Dedicated Load Balancer for TLS Offloading (Mutual Authentication)
Scenarios
If your Layer 4 services have strict security requirements, you can configure mutual authentication for TLS listeners so that clients and servers authenticate each other, which improves service security.
Prerequisites
- There is a dedicated load balancer with an EIP bound to it. If there is not, you can buy one and bind an IPv4 EIP to the load balancer.
- You have either purchased a certificate or uploaded a third-party certificate to SSL Certificate Manager (SCM), and configured a public domain name for the certificate. It is recommended to purchase an SSL certificate on the CCM console.
- You have purchased a CA certificate and exported the CA certificate to the local PC, or you have a self-signed CA certificate. If you do not have such certificates, you can purchase a private CA from Huawei Cloud CCM and export a private CA certificate.
- You have issued a private certificate using the private CA and installed the certificate on the client by referring to Applying for a Private Certificate and Installing a Private Certificate on the Client.
- There is a TLS backend server group with two ECSs (ECS01 and ECS02) running in it. Each ECS hosts an application.
Procedure

Step 1: Upload the Server Certificate to the ELB Console
Before adding a TLS listener to a load balancer, you need to upload your server certificate to the ELB console.
- Go to the load balancer list page.
- In the navigation pane on the left, choose Certificates.
- Click Add Certificate on the top right corner and set parameters by referring to Table 1.
Table 1 Server certificate parameters (parameter: description)
  - Certificate Type: Specifies the certificate type. Select Server certificate.
  - Source: Specifies the source of the certificate. There are two options: SSL Certificate Manager and Your certificate. SSL Certificate Manager is used in this example, so that you can select the SSL certificates you have purchased on the CCM console.
  - Certificate: Specifies the certificate that you want to upload to the ELB console.
  - Enterprise Project: Specifies an enterprise project by which cloud resources and members are centrally managed.
  - SNI Domain Name (Optional): All domain names of the SSL certificate are selected automatically. If the certificate is intended for SNI, you can select an SNI certificate based on the domain name in the HTTPS requests.
  - Description (Optional): Provides supplementary information about the certificate.
- Click OK.
Step 2: Upload the CA Certificate to the ELB Console
Before adding a TLS listener to a load balancer, you need to upload your CA certificate to the ELB console.
- Go to the load balancer list page.
- In the navigation pane on the left, choose Certificates.
- Click Add Certificate on the top right corner and set parameters by referring to Table 2.
Table 2 CA certificate parameters (parameter: description)
  - Certificate Type: Specifies the certificate type. Select CA certificate.
  - Certificate Name: Specifies the name of the CA certificate.
  - Enterprise Project: Specifies an enterprise project by which cloud resources and members are centrally managed.
  - Certificate Content: Specifies the content of the CA certificate in PEM format. Click Upload and select the CA certificate to be uploaded. Ensure that your browser is the latest version. The format of the certificate body is as follows:
    -----BEGIN CERTIFICATE-----
    Base64-encoded certificate
    -----END CERTIFICATE-----
  - Description (Optional): Provides supplementary information about the certificate.
- Click OK.
Step 3: Add a TLS Listener and Configure Mutual Authentication
- Go to the load balancer list page.
- Locate the target load balancer and click Add Listener in the Operation column.
- On the Add Listener page, select TLS for Frontend Protocol and Mutual authentication for SSL Authentication.
Select the server certificate uploaded to the ELB console in Step 1.
Select the CA certificate uploaded to the ELB console in Step 2.
Figure 2 Configuring mutual authentication
- Click Next: Configure Request Routing Policy and select Use existing for Backend Server Group. Select an existing backend server group and click Next: Confirm.
- Confirm the configurations and click Submit.
Step 4: Configure Domain Name Resolution
You can add an A record set to resolve the domain name to the public IP address of the load balancer so that clients can access the load balancer using the public domain name.
For details about how to configure A record sets, see Routing Internet Traffic to a Website.
- Go to the DNS console.
- In the navigation pane on the left, choose Public Zones.
The zone list is displayed.
- Locate the public zone and click Manage Record Sets in the Operation column.
- Click Add Record Set.
- Configure the parameters based on Table 3.
Table 3 Parameters for adding an A record set (parameter, example value: description)
  - Type, A - Map domains to IPv4 addresses: Type of the record set. In this example, set it to A - Map domains to IPv4 addresses.
  - Name, www: Prefix of the domain name to be resolved.
  - Line, Default: Resolution line. The DNS server returns the IP address of the specified line, depending on where end users come from. The default value is Default, which returns the default resolution result irrespective of where the visitors come from.
  - TTL (s), 300: Cache duration of the record set on a local DNS server, in seconds. In this example, the default value 300 is used.
  - Value, 192.168.12.2 and 192.168.12.3: IPv4 addresses mapped to the domain name. In this example, set this parameter to the EIPs bound to the load balancer.
  - Advanced Settings (Optional), none: Expand the advanced settings to set the alias and weight of the record set, and to add a description and tags. In this example, the default settings are used.
- Click OK.
- Switch back to the Record Sets tab.
The added record set is in the Normal state.
Step 5: Verify TLS Mutual Authentication
The following describes how you can verify TLS mutual authentication.
- Enter the domain name of the load balancer in the address bar of the browser, for example, https://www.elbtest.com. In the displayed dialog box, select a certificate to authenticate yourself and click OK.
Figure 3 Selecting a certificate to authenticate yourself
- Open the website in incognito mode for accurate testing, because the browser cache can cause clients to reuse existing TLS sessions. Refresh the page multiple times and you will see that requests are distributed across the two ECSs.
Figure 4 Requests forwarded to ECS01
Figure 5 Requests forwarded to ECS02
- Log in to the Linux client and run the following command to verify the mutual authentication:
curl -k --cert /root/client.crt --key /root/client.key https://www.elbtest.com
--cert /root/client.crt specifies the client certificate file, and --key /root/client.key specifies the private key of the client certificate.
If the following information is displayed, the client and the servers have authenticated each other, and requests can reach the two ECSs.
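The following script is an added example and is not part of the Huawei Cloud documentation. It covers two points of this procedure: count_pem_certs checks that a CA file is the PEM text the Certificate Content field in Step 2 expects (BEGIN/END CERTIFICATE markers and a base64 body) before you upload it, and mtls_check repeats the Step 5 curl call without -k. The page's command uses -k, which turns off verification of the listener's server certificate, so it only proves that the listener accepted the client certificate; dropping -k makes curl also verify the server certificate against the system trust store, or against a private CA file if the server certificate came from one. The function names, the sample PEM body and the optional CA-file argument are assumptions of this example; the client certificate paths and the domain www.elbtest.com are the ones the page uses.

```shell
#!/bin/sh
# Added example, not from the Huawei Cloud ELB documentation.
# count_pem_certs and mtls_check are helper names chosen for this example.

# count_pem_certs FILE: prints the number of CERTIFICATE blocks in FILE and
# returns 0 if every block is well-formed, 1 otherwise (unterminated block,
# END without BEGIN, empty body, or non-base64 body text). Lines outside a
# block (e.g. the text dump some tools prepend) are ignored, and CRLF line
# endings from a Windows export are tolerated.
count_pem_certs() {
    awk '
        { sub(/\r$/, "") }                               # drop CR from CRLF files
        /^-----BEGIN CERTIFICATE-----$/ { if (inblock) bad = 1; inblock = 1; body = 0; next }
        /^-----END CERTIFICATE-----$/   { if (!inblock || !body) bad = 1; inblock = 0; n++; next }
        inblock {
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad = 1     # body must be base64 text
            body = 1
        }
        END { if (inblock) bad = 1; print n + 0; exit bad + 0 }
    ' "$1"
}

# mtls_check DOMAIN CLIENT_CERT CLIENT_KEY [SERVER_CA_FILE]
# The page's verification command without -k: curl verifies the listener's
# server certificate against the system trust store, or against SERVER_CA_FILE
# when the server certificate was issued by a private CA. --cert/--key present
# the client certificate the mutual-authentication listener requires; without a
# certificate the CA trusts, the handshake fails instead of returning the page.
mtls_check() {
    domain=$1; cert=$2; key=$3; ca=${4:-}
    if [ -n "$ca" ]; then
        curl --silent --show-error --cacert "$ca" --cert "$cert" --key "$key" "https://$domain/"
    else
        curl --silent --show-error --cert "$cert" --key "$key" "https://$domain/"
    fi
}

# Constructed sample (not a real certificate): one PEM block whose body is
# base64-alphabet text, in the form the Certificate Content field expects.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUSAMPLEONLYnotAREALcertificateBODY0000000000000
-----END CERTIFICATE-----
EOF
if n=$(count_pem_certs "$sample"); then
    echo "CA file OK: $n certificate block(s); ready to upload in Step 2"
else
    echo "CA file is not valid PEM; fix it before uploading" >&2
fi
rm -f "$sample"

# Step 5 with server verification kept on (not run here; it needs the listener):
# mtls_check www.elbtest.com /root/client.crt /root/client.key
```

Run the script as-is to validate a CA file before uploading it; to exercise the listener, call mtls_check from the client that holds the private certificate, adding the private CA file as the fourth argument only if the server certificate itself was issued by that CA.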

Reference
- For details about how to add a TLS listener, see Adding a TLS Listener.
- Related APIs