You can create an HTTPS listener for a CLB instance to forward HTTPS requests from clients. HTTPS is suitable for HTTP applications where the data in transit needs to be encrypted.
You need to create a CLB instance first.
Step 1. Configure a listener
- Log in to the CLB console and click Instance Management on the left sidebar.
- Select a region in the top-left corner of the CLB instance list page and click Configure Listener in the Operation column on the right.
- Under HTTP/HTTPS Listener, click Create and configure the HTTPS listener in the Create Listener pop-up window.
a. Listener creation
Listener Protocol and Ports:
- Listener protocol: HTTPS is used in this example.
- Listener port: the port that receives requests and forwards them to the real server. Port range: 1-65535. Ports 843, 1020, 1433, 1434, 3306, 3389, 6006, 20000, 36000, 42222, 48369, 56000, and 65010 are system reserved ports and cannot be opened.
- The listener port must be unique within the same CLB instance.
Enable Persistent Connection:
- Once this feature is enabled, persistent connections are used between CLB and the real server, and CLB no longer passes through the source IP; the client IP must then be obtained from the X-Forwarded-For (XFF) header. To ensure normal forwarding, enable the "Allow by default" feature in the CLB security group or allow `100.127.0.0/16` in the CVM security group.
SNI:
- If SNI is enabled, the multiple domain names of a listener can be configured with different certificates; if it is disabled, all domain names of a listener share one certificate.
SSL parsing method:
- One-way authentication and mutual authentication are supported. CLB takes over the overhead of SSL encryption and decryption to guarantee access security.
Certificate:
- You can select an existing certificate from the SSL Certificates Service or upload a certificate.
b. Forwarding rule creation
Forwarding domain name:
- Length: 1-80 characters.
- Underscores (_) cannot be the first character.
- Exact and wildcard domain names are supported.
- Regex is supported.
- For detailed configuration rules, see Layer-7 Domain Name Forwarding and URL Rules.
Default domain name:
- If a request matches none of the listener's domain names, the system directs it to the default domain name, so that default access remains controllable. Each listener can be configured with one default domain name only.
HTTP 2.0:
- After HTTP 2.0 is enabled, CLB instances can receive HTTP 2.0 requests. CLB instances access real servers over HTTP 1.1 regardless of the HTTP version the client uses to access the CLB instance.
Forwarding URL path:
- For the configuration rules, see Layer-7 Domain Name Forwarding and URL Rules.
Scheduling algorithm: for HTTPS listeners, CLB supports three scheduling algorithms: weighted round robin (WRR), weighted least connections (WLC), and IP hash.
- WRR: requests are delivered in turn to different real servers according to their weights. Scheduling is based on the number of new connections; servers with higher weights are polled more often (i.e., have a higher probability of being selected), while servers with the same weight process the same number of connections.
- WLC: server load is estimated from the number of active connections to each server. Scheduling is based on server load and weight. If the weights are the same, servers with fewer active connections are polled more often (i.e., have a higher probability of being selected).
- IP hash: the source IP of each request is hashed to locate the corresponding server in a static hash table. If that server is available and not overloaded, the request is delivered to it; otherwise, a null value is returned.
Backend protocol: the protocol used between the CLB instance and the real server.
- If HTTP is selected as the backend protocol, an HTTP service must be deployed on the real server.
- If HTTPS is selected as the backend protocol, an HTTPS service must be deployed on the real server, and the encryption and decryption of the HTTPS service consume additional resources on the real server.
Getting Client IP:
- Enabled by default.
c. Health check
- For more information, see Health Check Configuration.
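As an added example (not code from the CLB documentation), the Python below shows how a real server can recover the client address once Enable Persistent Connection and Getting Client IP put it in the XFF header: the header is trusted only when the TCP peer is in the `100.127.0.0/16` range quoted above, so a caller that reaches the server directly cannot spoof its address. The peer and XFF sample values are constructed.

```python
# Added example, not code from the CLB documentation. With persistent connections
# enabled the real server's TCP peer is a CLB node in 100.127.0.0/16 and the
# client address survives only in X-Forwarded-For (XFF). Trusting XFF blindly lets
# a direct caller spoof its address, so it is honoured only for CLB peers.
import ipaddress
from typing import Optional

# Source range the documentation says to allow for CLB persistent connections.
CLB_PROXY_NET = ipaddress.ip_network("100.127.0.0/16")


def is_from_clb(peer_ip: str) -> bool:
    """True when the direct TCP peer is a CLB proxy node."""
    try:
        return ipaddress.ip_address(peer_ip) in CLB_PROXY_NET
    except ValueError:
        return False


def client_ip(peer_ip: str, xff_header: Optional[str]) -> str:
    """Address to log, audit and rate-limit on for one request.

    CLB appends the address it saw to XFF, so the right-most entry is the one
    CLB vouches for; anything left of it may be client-supplied. For peers
    outside the CLB range, or without XFF, the peer address itself is used.
    """
    if not is_from_clb(peer_ip) or not xff_header:
        return peer_ip
    last_hop = xff_header.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(last_hop))
    except ValueError:
        # Malformed trailing entry: fall back to the proxy address rather than
        # trusting free-form header text.
        return peer_ip


# Constructed sample requests (not captured traffic): (peer address, XFF).
SAMPLES = [
    ("100.127.3.9", "203.0.113.7"),            # normal request via CLB
    ("100.127.3.9", "10.9.9.9, 203.0.113.7"),  # client sent a forged XFF entry
    ("198.51.100.5", "203.0.113.7"),           # bypassed CLB: XFF is ignored
    ("100.127.3.9", None),                     # via CLB, header missing
]


def resolve_samples() -> list:
    """Resolve each sample to the address the server should attribute it to."""
    return [client_ip(peer, xff) for peer, xff in SAMPLES]
```

The same check applies to any other proxy-supplied header: accept it only when the connection arrives from the proxy range the listener actually uses.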
d. Session persistence
Session Persistence Switch:
- After session persistence is enabled, the CLB listener distributes access requests from the same client to the same real server.
- TCP session persistence is implemented based on the client IP address: access requests from the same IP address are forwarded to the same real server.
- Session persistence can be enabled for WRR scheduling but not for WLC scheduling.
Session Persistence Duration:
- If no new request arrives within the connection beyond the session persistence duration, session persistence is disabled automatically.
- Value range: 30-3600s.
Step 2. Bind a real server
- On the Listener Management page, select the created listener HTTPS:443. Click + on the left to expand the domain names and URL paths, select the desired URL path, and view the real servers bound to that path on the right of the listener.
- Click Bind, select the target real server, and configure the server port and weight in the pop-up window.
Default port: enter the default port first and then select the CVM instances; every selected CVM instance is bound on that default port.
Step 3. Configure a security group (optional)
You can configure a CLB security group to isolate public network traffic. For more information, see CLB Security Group Configuration.
Step 4. Modify and delete a listener (optional)
If you need to modify or delete a created listener, click the listener on the Listener Management page and click the edit icon to modify it or the delete icon to delete it.