Providing HTTPS Access through CLB
Last updated: 2025-04-23 14:28:38
Currently, most applications provide HTTP access. To let customers bind an HTTPS certificate and a domain name directly, follow this document.


Declare Installation Parameters

Declare the installation parameters in package.yaml as follows:
args:
  - name: app_certification
    label: SSL Certificates
    widget: certificate-select
    optional: true
  - name: app_domain
    label: domain name
    widget: domain-input
    optional: true
    certId: ${app_certification.certId}
Two parameters are declared with the certificate-select and domain-input widgets; they receive the customer's certificate and domain name, respectively. The domain name component is bound to the certificate ID (certId) so that it can help users select or enter a domain name compatible with the certificate.
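
What "compatible with the certificate" means in TLS terms, as an added example (not Cloud App or Tencent Cloud code): a domain is covered only if it matches one of the certificate's DNS subject alternative names, where a wildcard stands for exactly one leftmost label. The helpers `san_matches` and `domain_covered` and the sample certificate are constructed for illustration; how the domain-input widget itself performs the check is not stated on this page.

```python
# Added example: does a certificate's DNS SAN list cover a given domain?
# SAMPLE_CERT is constructed data in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the helper names are hypothetical.


def san_matches(pattern: str, domain: str) -> bool:
    """Match one DNS SAN entry against a domain, standard TLS hostname rule."""
    # Hostnames are case-insensitive; a trailing root dot is ignored.
    p = pattern.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    # Label counts must agree, and the domain may not contain empty labels.
    if len(p) != len(d) or "" in d:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one leftmost label and must be followed
        # by at least two more labels, so "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == d[1:]
    return p == d


def domain_covered(cert: dict, domain: str) -> bool:
    """True if any DNS subjectAltName entry in cert covers domain."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(s, domain) for s in sans)


# Constructed sample certificate (not taken from a real deployment).
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
    )
}

if __name__ == "__main__":
    for name in ("example.com", "app.example.com", "a.b.example.com", "example.org"):
        status = "covered" if domain_covered(SAMPLE_CERT, name) else "NOT covered"
        print(f"{name}: {status}")
```

A domain that is not covered would still be accepted by the forwarding rule, but clients connecting to it would see a certificate name mismatch.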

Declare a Resource Stack

Add two variables in variable.tf to receive installation parameters:
variable "app_certification" {
  type = object({
    certId = string
  })
}

variable "app_domain" {
  type = object({
    domain = string
  })
}
Declare the CLB instance, listener, and corresponding forwarding rule in deployment.tf:
# Declare a CLB instance
resource "tencentcloud_clb_instance" "open_clb" {
  # Network type of the load balancing instance. OPEN: public network. INTERNAL: private network.
  network_type = "OPEN"
  # Security group
  security_groups = [var.sg.security_group.id]
  # VPC
  vpc_id = var.app_target.vpc.id
  # Subnet
  subnet_id = var.app_target.subnet.id
  # Enable default pass-through, that is, the target allows traffic from the CLB.
  load_balancer_pass_to_target = true
}

# Declare a CLB HTTPS listener
resource "tencentcloud_clb_listener" "https_listener" {
  clb_id        = tencentcloud_clb_instance.open_clb.id
  listener_name = "https_listener"
  # The CLB listens on port 443 to support HTTPS access
  port     = 443
  protocol = "HTTPS"
  # Use the certificate declared in the installation parameters here
  certificate_id       = var.app_certification.certId
  certificate_ssl_mode = "UNIDIRECTIONAL"
}

# Declare a CLB forwarding rule
resource "tencentcloud_clb_listener_rule" "https_rule" {
  clb_id      = tencentcloud_clb_instance.open_clb.id
  listener_id = tencentcloud_clb_listener.https_listener.id
  # Set this to the domain name declared in the installation parameters. Requests for this domain name are forwarded.
  domain = var.app_domain.domain
  # Path to forward. The root path is configured here for site-wide forwarding.
  url = "/"
}

# Declare a CLB backend service binding to forward the traffic that hits the forwarding rule to the CVM.
resource "tencentcloud_clb_attachment" "clb_backend" {
  clb_id      = tencentcloud_clb_instance.open_clb.id
  listener_id = tencentcloud_clb_listener.https_listener.id
  # Must reference the forwarding rule declared above (https_rule)
  rule_id = tencentcloud_clb_listener_rule.https_rule.id
  targets {
    # CVM instance ID (replace with the actual instance ID)
    instance_id = tencentcloud_instance.demo_cvm[0].id
    # Assume our CVM has an open HTTP port 3000.
    port = 3000
    # Weight
    weight = 100
  }
}

Principle

CLB is designed for load balancing, but it can also be used for certificate offloading: it exposes an HTTPS port to customers, terminates TLS there, and forwards requests to the HTTP port of the software in the backend.


Complete Example

A complete example is available on GitHub.

Other Solutions

Besides CLB, TKE's layer-7 Service, CDN, EdgeOne, and other acceleration products also support certificate deployment. Cloud App will provide more integration samples for reference later.