When you develop services like websites, you may need HTTPS one-way authentication, where only the client verifies the server's identity. This topic shows you how to configure this authentication method on a Classic Load Balancer (CLB) instance.
Prerequisites
- You have created a Classic Load Balancer (CLB) instance. For more information, see Create and manage a CLB instance.
- You have created a vServer group with two ECS instances, ECS01 and ECS02. Each instance runs a different application.
- You have registered a domain name and completed the required ICP filing. For more information, see Register an Alibaba Cloud domain name and ICP filing process.
- You have purchased or uploaded a certificate to SSL Certificates Service and associated it with your domain name. For more information, see Use a commercial certificate to enable HTTPS access for a web application.
Step 1: Upload a server certificate to CLB
To configure an HTTPS listener, you must upload a server certificate to the Certificate Management system of CLB.
- Log on to the Classic Load Balancer (CLB) console.
- In the left-side navigation pane, choose .
- On the Certificates page, click Add Certificate.
- On the Add Certificate page, configure the following parameters and click Create. Other parameters can be left at their default values.

  | Parameter | Description |
  | --- | --- |
  | Select Certificate Source | In this topic, Alibaba Cloud Certificates is selected. |
  | Certificates | From the drop-down list, select the certificate that you want to upload. |
  | Region | Select the regions where the certificate will be deployed. The certificate can only be used in the selected regions. |
Step 2: Add an HTTPS listener
- Log on to the Classic Load Balancer (CLB) console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the CLB instance is deployed.
- On the Instances page, find the target instance and click Configure Listener in the Actions column.
- On the Protocol & Listener page, configure the following parameters. You can use the default values for other parameters or modify them as needed. Then, click Next.

  | Parameter | Description |
  | --- | --- |
  | Select Listener Protocol | Select HTTPS. |
  | Listener Port | This example uses the default HTTPS port, 443. |

- On the Certificate Management Service page, configure the following parameter. You can use the default values for other parameters or modify them as needed. Then, click Next.

  | Parameter | Description |
  | --- | --- |
  | Server Certificate | Select the server certificate that you uploaded in Step 1. |

- On the Backend Servers page, configure the following parameters. You can use the default values for other parameters or modify them as needed. Then, click Next.

  | Parameter | Description |
  | --- | --- |
  | Server Group Type | Select vServer Groups. |
  | Server Group | Select the vServer group that you created. |

- On the Health Check page, use the default settings and click Next.
- On the Confirm page, review your settings. If they are correct, click Submit.
Step 3: Configure DNS resolution
- Log on to the CLB console.
- In the top navigation bar, select a region.
- Select the CLB instance for domain name resolution, and copy its corresponding public IP address.
- To add an A record:
  - Log on to the Alibaba Cloud DNS console.
  - On the Public Zone page, click Add Zone.
  - In the Add Zone dialog box, enter your domain name and click OK.
    Important: Verify your domain ownership by using a TXT record.
  - Find the domain name that you want to manage and click Settings in the Actions column.
  - On the Settings page, click Add Record.
  - In the Add Record panel, configure the following parameters to add an A record and then click OK.

  | Parameter | Description |
  | --- | --- |
  | Record Type | Select A from the drop-down list. |
  | Hostname | The prefix of your domain name. |
  | Query Source | Select Default. |
  | Record Value | The record value is the public IP address of the CLB instance that you copied. |
  | TTL | Time to live (TTL). This specifies the amount of time that the DNS record is cached on a DNS server. This example uses the default value. |
Step 4: Test the load balancing service
In a web browser, enter the domain name that is associated with the CLB instance. Refresh the page several times to verify that you are accessing the backend service over HTTPS and that requests are distributed between the two ECS instances.
The page returns "Hello World ! This is ECS01." After several refreshes, the page returns "Hello World ! This is ECS02." This indicates that requests are distributed between the two ECS instances in a round-robin manner.
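The same check can be scripted instead of refreshing a browser. The following is an added example, not part of the original topic or any Alibaba Cloud tooling: it validates the listener's server certificate the way a one-way-authentication client does, then counts which backend answered each request. The function names are hypothetical, and the parser assumes the backends return the "This is ECS01" / "This is ECS02" text shown above; pass your own domain name as the argument.

```python
import http.client
import re
import ssl
import sys
from collections import Counter
from datetime import datetime, timezone


def cert_summary(cert, now=None):
    """Summarise a dict in the shape returned by SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, timezone.utc)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"dns_names": names, "days_left": (expires - now).days}


def backend_of(body):
    """Return the backend named in the demo page text, e.g. 'ECS01'."""
    match = re.search(r"This is (ECS\d+)", body)
    return match.group(1) if match else "unknown"


def tally(bodies):
    """Count how many responses each backend served."""
    return Counter(backend_of(b) for b in bodies)


def fetch(host, port=443, timeout=5):
    """One HTTPS GET; returns (server certificate, response body)."""
    # Default context: verifies the chain and the hostname, and loads no
    # client certificate, which is the one-way case this topic configures.
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()  # raises ssl.SSLCertVerificationError on a bad cert
        cert = conn.sock.getpeercert()
        conn.request("GET", "/")
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return cert, body


if __name__ == "__main__" and len(sys.argv) > 1:
    results = [fetch(sys.argv[1]) for _ in range(10)]
    print(cert_summary(results[0][0]))
    print(dict(tally(body for _, body in results)))
```

A certificate that does not chain to a trusted CA or does not cover the domain name makes `fetch` fail at `connect()`, and a count of `unknown` responses points at a backend that is not serving the expected page.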
Related topics
- If you want to use a certificate that is not issued by Alibaba Cloud, see Certificate requirements and format conversion for certificate requirements and Upload a certificate not issued by Alibaba Cloud for instructions on how to upload the certificate.
- For detailed steps on how to add an HTTPS listener, see Add an HTTPS listener.
- If you have higher security requirements, see Deploy an HTTPS service with mutual authentication on a CLB instance to implement mutual authentication between the server and clients.