- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- CLB Instance
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring UDP Listener
- Configuring TCP SSL Listener
- Configuring QUIC Listener
- Configuring HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Real Server
- Health Check
- Certificate Management
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- Classic CLB
- Best Practices
- Enabling Gzip Configuration & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Notes on SNAT and Non-SNAT Types for Private Network CLB
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Troubleshooting
- OPS Guidelines
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Real Server APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- Cloud Load Balancer APIs
- Classic CLB APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- CLB Instance
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring UDP Listener
- Configuring TCP SSL Listener
- Configuring QUIC Listener
- Configuring HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Real Server
- Health Check
- Certificate Management
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- Classic CLB
- Best Practices
- Enabling Gzip Configuration & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Notes on SNAT and Non-SNAT Types for Private Network CLB
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Troubleshooting
- OPS Guidelines
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Real Server APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- Cloud Load Balancer APIs
- Classic CLB APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
HTTPS
- What cipher suites are supported by HTTPS?
- What types of SSL/TLS protocols are supported by HTTPS?
- Which port should be used for HTTPS listeners?
- Why HTTPS mutual authentication is needed?
- Why does HTTPS protocol actually generate more traffic than the billed traffic?
- Will the requests from CLB instances to real servers still be transferred over HTTP after an HTTPS listener is added?
Certificates
- What types of certificates does CLB currently support?
- How many HTTPS certificates can be bound to a listener?
- How many CLB instances or listeners can a certificate be applied to?
- How to upload certificates?
- Are certificates region-specific?
- Does a certificate need to be uploaded to a backend CVM instance?
- What to do after a certificate expires?
- What can I do if an error occurs when adding a certificate?
What cipher suites are supported by HTTPS?
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
What types of SSL/TLS protocols are supported by HTTPS?
CLB HTTPS currently supports the following SSL protocols: TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.
Which port should be used for HTTPS listeners?
There is no mandatory requirement for this. Port 443 is recommended.
Why HTTPS mutual authentication is needed?
Some users such as financial service providers have higher requirements for data security. They require HTTPS authentication on both the server and client. To meet their needs, HTTPS mutual authentication is provided.
Why does HTTPS protocol actually generate more traffic than the billed traffic?
If the HTTPS protocol is used, it actually generates more traffic than the billed traffic as some of the traffic is used for protocol handshake.
Will the requests from CLB instances to real servers still be transferred over HTTP after an HTTPS listener is added?
Yes. After an HTTPS listener is added, the requests from the client to the CLB instance will be encrypted over HTTPS, but the requests from the CLB instance to the real server will still be transferred over HTTP. Therefore, there is no need to configure SSL on the real server.
What types of certificates does CLB currently support?
It currently supports the upload of server certificates and CA certificates. For server certificates, both certificate content and private key are required to be uploaded. For CA certificates, only certificate content is required to be uploaded. Both types of certificates only support upload in PEM encoding format.
How many HTTPS certificates can be bound to a listener?
If HTTPS one-way authentication is used, only one server certificate can be bound to a listener. If HTTPS mutual authentication is used, one server certificate and one CA certificate need to be bound to a listener.
How many CLB instances or listeners can a certificate be applied to?
A certificate can be applied to one or multiple CLB instances or listeners.
How to upload certificates?
You can upload certificates by calling an API or through the CLB console.
Are certificates region-specific?
Yes. If a user's certificate needs to be used in multiple regions, it is necessary to upload the certificate in multiple regions to ensure the security and performance.
Does a certificate need to be uploaded to a backend CVM instance?
No. CLB HTTPS provides a certificate management system to manage and store user certificates. Certificates do not need to be uploaded to backend CVM instances, and all the private keys uploaded to the certificate management system are stored in an encrypted manner.
What to do after a certificate expires?
If the current certificate expires, you need to update the certificate manually.
What can I do if an error occurs when adding a certificate?
This may be caused by the wrong content of the private key. In this case, you need to replace it with a new certificate that meets the requirements.
Yes
No
Was this page helpful?