
Configuring HTTPS Listener

Last updated: 2022-03-11 11:38:44

    You can create an HTTPS listener for a CLB instance to forward HTTPS requests from clients. HTTPS is suitable for HTTP applications whose traffic must be encrypted in transit.

    Prerequisites

    You need to create a CLB instance first.

    Directions

    Step 1. Configure a listener

    1. Log in to the CLB console and click Instance Management on the left sidebar.
    2. Select a region in the top-left corner of the CLB instance list page and click Configure Listener in the Operation column on the right.
    3. Under HTTP/HTTPS Listener, click Create and configure the HTTPS listener in the Create Listener pop-up window.

    a. Listener creation

    Name
      Description: Listener name.
      Example: test-https-443

    Listener Protocol and Ports
      Description:
      • Listener protocol: HTTPS is used in this example.
      • Listener port: the port on which requests are received and forwarded to the real server. Port range: 1-65535. Ports 843, 1020, 1433, 1434, 3306, 3389, 6006, 20000, 36000, 42222, 48369, 56000, and 65010 are system reserved ports and cannot be opened.
      • The listener port must be unique within the same CLB instance.
      Example: HTTPS:443

    Enable Persistent Connection
      Description: Once this feature is enabled, persistent connections are used between CLB and the real server, and CLB no longer passes through the client source IP; the real server must obtain it from the X-Forwarded-For (XFF) header instead. To ensure normal forwarding, enable "Allow by default" in the CLB security group or allow `100.127.0.0/16` in the CVM security group.

    Enable SNI
      Description: If SNI is enabled, the domain names of a listener can be configured with different certificates; if it is disabled, all domain names of a listener share one certificate.
      Example: Disabled

    SSL parsing method
      Description: One-way authentication and mutual authentication are supported. CLB performs the SSL encryption and decryption, so the real servers do not bear that overhead.
      Example: One-way authentication

    Server certificate
      Description: Select an existing certificate from the SSL Certificate Service or upload a certificate.
      Example: Existing certificate
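    The "Enable Persistent Connection" row says the real server must take the client address from XFF. The following is an added example (not Tencent Cloud's code) of how a real server should do that safely: it consults XFF only when the TCP peer is the CLB itself (assumed here to be the `100.127.0.0/16` range the page tells you to allow), and then uses the right-most entry, because everything to the left of it was supplied by the client. The sample addresses are constructed.

```python
"""Added example: deriving the real client IP on a real server behind a CLB
HTTPS listener with persistent connections enabled.  Illustrative code, not
Tencent Cloud's; the trusted proxy range is an assumption taken from the page's
security-group advice."""
import ipaddress
from typing import Optional

# Assumption: only the CLB may append X-Forwarded-For, and it reaches the real
# server from this range (the range the page says to allow in the CVM security group).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("100.127.0.0/16")]


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to treat as the client for logging and access control.

    XFF is consulted only when the TCP peer is a trusted proxy, and then only its
    right-most entry is used, because that is the one the proxy appended; any
    entries to its left came from the client and are attacker-controlled.
    Otherwise the TCP peer address itself is the client.
    """
    if not _is_trusted_proxy(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return peer_addr
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_addr  # malformed header value: fall back to the peer address
    return candidate


if __name__ == "__main__":
    # Constructed sample: CLB (100.127.3.4) forwards a request whose client
    # tried to spoof a first XFF entry.
    print(client_ip("100.127.3.4", "1.2.3.4, 203.0.113.9"))
```

    A request that reaches the real server directly, bypassing CLB, keeps its peer address no matter what XFF it carries, which is the property an IP-based allowlist or rate limit depends on.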

    b. Forwarding rule creation

    Domain name
      Description: Forwarding domain name.
      • Length: 1 - 80 characters.
      • Underscores (_) cannot be the first character.
      • Exact and wildcard domain names are supported.
      • Regex is supported.
      • For detailed configuration rules, see Layer-7 Domain Name Forwarding and URL Rules.
      Example: www.example.com

    Default Domain Name
      Description:
      • If none of the listener's domain names match a request, the system directs it to the default domain name, making default access controllable.
      • Each listener can be configured with one default domain name only.
      Example: Enabled

    HTTP 2.0
      Description: After HTTP 2.0 is enabled, CLB instances can receive HTTP 2.0 requests. CLB instances access real servers over HTTP 1.1 regardless of the HTTP version the client uses to reach the CLB instance.
      Example: Enabled

    URL Path
      Description: Forwarding URL path.
      Example: /index

    Balancing method
      Description: For HTTPS listeners, CLB supports three scheduling algorithms: weighted round robin (WRR), weighted least connections (WLC), and IP hash.
      • WRR: requests are delivered to the real servers in turn according to their weights. Scheduling is based on the number of new connections; servers with higher weights are polled more often (i.e., have a higher probability), while servers with the same weight process the same number of connections.
      • WLC: server load is estimated from the number of active connections to each server. Scheduling is based on server load and weight; among servers with the same weight, those with fewer active connections are polled more often (i.e., have a higher probability).
      • IP hash: the source IP of the request is hashed to locate the corresponding server in a static hash table. If that server is available and not overloaded, the request is delivered to it; otherwise, a null value is returned.
      Example: WRR

    Backend protocol
      Description: The backend protocol is used between the CLB instance and the real server.
      • If HTTP is selected as the backend protocol, an HTTP service must be deployed on the real server.
      • If HTTPS is selected as the backend protocol, an HTTPS service must be deployed on the real server, and the encryption and decryption of that service consumes additional resources on the real server.
      Example: HTTP

    Getting Client IP
      Description: Enabled by default.
      Example: Enabled

    Gzip Compression
      Description: Enabled by default.
      Example: Enabled

    c. Health check

    For more information, see Health Check Configuration.

    d. Session persistence

    Session Persistence Switch
      Description:
      • After session persistence is enabled, the CLB listener distributes access requests from the same client to the same real server.
      • TCP session persistence is implemented based on client IP address: access requests from the same IP address are forwarded to the same real server.
      • Session persistence can be enabled for WRR scheduling but not for WLC scheduling.
      Example: Enabled

    Session Persistence Duration
      Description:
      • If no new request arrives within the session persistence duration, the persistence entry expires automatically.
      • Value range: 30-3600s.
      Example: 30s
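    The following added example (not CLB's implementation) puts the balancing method and session persistence rows together: the three scheduling algorithms the page describes for HTTPS listeners, plus client-IP session persistence with an expiry equal to the configured duration. Real-server names, weights, connection counts and client addresses are constructed, and the "overloaded" threshold used by IP hash is an assumption.

```python
"""Added example (not CLB's code): WRR, WLC and IP hash scheduling plus
client-IP session persistence with a 30-3600 s duration.  All server data and
client addresses are constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple


class RealServer:
    """A bound real server with its weight and current active-connection count."""

    def __init__(self, name: str, weight: int, healthy: bool = True) -> None:
        self.name = name
        self.weight = weight
        self.healthy = healthy
        self.active = 0  # active connections, used by WLC and the IP hash overload check


class Scheduler:
    def __init__(self, servers: List[RealServer], method: str = "wrr",
                 persist_seconds: Optional[int] = None,
                 max_active: Optional[int] = None) -> None:
        if method not in ("wrr", "wlc", "ip_hash"):
            raise ValueError("unknown scheduling method")
        if persist_seconds is not None:
            # Page: persistence is supported with WRR but not WLC; range 30-3600 s.
            if method != "wrr":
                raise ValueError("session persistence is only supported with WRR")
            if not 30 <= persist_seconds <= 3600:
                raise ValueError("persistence duration must be 30-3600 s")
        self.servers = servers
        self.method = method
        self.persist_seconds = persist_seconds
        self.max_active = max_active  # assumed "overloaded" threshold for IP hash
        # WRR: expand weights into a ring, e.g. weights 3:1 -> [a, a, a, b]
        self._ring = [s for s in servers for _ in range(s.weight)]
        self._pos = 0
        # client IP -> (server, time of last request), for session persistence
        self._sticky: Dict[str, Tuple[RealServer, float]] = {}

    def _wrr(self) -> Optional[RealServer]:
        for _ in range(len(self._ring)):
            s = self._ring[self._pos % len(self._ring)]
            self._pos += 1
            if s.healthy:
                return s
        return None

    def _wlc(self) -> Optional[RealServer]:
        up = [s for s in self.servers if s.healthy]
        # Fewest active connections relative to weight wins.
        return min(up, key=lambda s: s.active / s.weight) if up else None

    def _ip_hash(self, client_ip: str) -> Optional[RealServer]:
        # Static hash table keyed by source IP; an unavailable or overloaded
        # server yields None (the page's "null value").
        digest = hashlib.sha256(client_ip.encode()).hexdigest()
        s = self.servers[int(digest, 16) % len(self.servers)]
        if not s.healthy or (self.max_active is not None and s.active >= self.max_active):
            return None
        return s

    def pick(self, client_ip: str, now: float) -> Optional[RealServer]:
        if self.persist_seconds is not None:
            entry = self._sticky.get(client_ip)
            if entry and entry[0].healthy and now - entry[1] <= self.persist_seconds:
                self._sticky[client_ip] = (entry[0], now)  # each request refreshes the timer
                return entry[0]
        if self.method == "wrr":
            chosen = self._wrr()
        elif self.method == "wlc":
            chosen = self._wlc()
        else:
            chosen = self._ip_hash(client_ip)
        if chosen is not None and self.persist_seconds is not None:
            self._sticky[client_ip] = (chosen, now)
        return chosen


if __name__ == "__main__":
    a, b = RealServer("rs-a", 3), RealServer("rs-b", 1)
    wrr = Scheduler([a, b], "wrr", persist_seconds=30)
    for t, ip in [(0, "10.0.0.1"), (1, "10.0.0.2"), (10, "10.0.0.1"), (50, "10.0.0.1")]:
        print(t, ip, "->", wrr.pick(ip, t).name)
```

    Note what persistence keyed on client IP implies when the "Enable Persistent Connection" option is also on: the scheduler must be fed the XFF-derived client address, not the CLB's own address, or every client collapses onto one real server.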

    Step 2. Bind a real server

    1. On the Listener Management page, select the created listener HTTPS:443. Click + on the left to expand the domain names and URL paths, select the desired URL path, and view the real servers bound to that path on the right of the listener.
    2. Click Bind, select the target real server, and configure the server port and weight in the pop-up window.

      Note:
      Default port: enter the default port first and then select the CVM instances; every selected CVM instance then uses that port.

    Step 3. Configure a security group (optional)

    You can configure a CLB security group to isolate public network traffic. For more information, see CLB Security Group Configuration.

    Step 4. Modify and delete a listener (optional)

    If you need to modify or delete a created listener, click the listener on the Listener Management page and use the modify or delete control next to it.
