{Alibaba CLB} Add an HTTPS listener

 

https://hao2.hatenablog.jp/entry/loadbalancer_ssl


前提: Let's Encrypt で無料SSL証明書作成済
※デフォルトでECCとなり、Alibabaに取り込めないのでRSAで作成する

 

-- 1. CLB作成

 

# Emit the ECS user-data script (install httpd, start/enable it, publish the
# host name as the index page) as one base64 string for the `user_data`
# attribute in main.tf. Single quotes keep `$(uname -n)` unexpanded here; it
# runs on the instance at boot.
printf '%s\n' \
  '#!/bin/bash' \
  'yum install -y httpd' \
  'systemctl start httpd' \
  'systemctl enable httpd' \
  'echo $(uname -n) > /var/www/html/index.html' | base64


# Round-trip check: decode the string and eyeball that it is exactly the
# script above before pasting it into the Terraform `user_data` attribute.
printf '%s' 'IyEvYmluL2Jhc2gKeXVtIGluc3RhbGwgLXkgaHR0cGQKc3lzdGVtY3RsIHN0YXJ0IGh0dHBkCnN5c3RlbWN0bCBlbmFibGUgaHR0cGQKZWNobyAkKHVuYW1lIC1uKSA+IC92YXIvd3d3L2h0bWwvaW5kZXguaHRtbAo=' | base64 -d

 

# Shared inputs for the stack: the zone plus the two ECS sizing knobs.
cat > variables.tf <<'EOF'
# Single-zone lab; the vSwitch and the CLB master zone both use this value.
locals {
  availability_zone = "ap-northeast-1a"
}

# Smallest burstable type; enough for a static httpd page.
variable "instance_type" {
  description = "instance_type"
  type        = string
  default     = "ecs.t5-lc2m1.nano"
}

# Dated image build (name suggests Alibaba Cloud Linux 2, x86_64, 20 GiB).
# Pinning the build keeps a later re-apply from silently picking a newer image.
variable "image_id" {
  description = "image_id"
  type        = string
  default     = "aliyun_2_1903_x64_20G_alibase_20231221.vhd"
}
EOF

 

cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    alicloud = {
       source  = "aliyun/alicloud"
       version = "= 1.217.0"
    }
  }
}

provider "alicloud" {
    region  = "ap-northeast-1"
}


resource "alicloud_vpc" "vpc01" {
  vpc_name          = "vpc01"
  description       = "vpc01"
  cidr_block        = "10.2.0.0/16"
}

 

resource "alicloud_vswitch" "sw01" {
  vswitch_name      = "sw01"
  description       = "sw01"
  vpc_id            = alicloud_vpc.vpc01.id
  cidr_block        = "10.2.1.0/24"
  zone_id           = local.availability_zone
}

 resource "alicloud_security_group" "sg01" {
   name                = "sg01"
   description         = "sg01"
   vpc_id              = alicloud_vpc.vpc01.id
   security_group_type = "normal"
 }


resource "alicloud_security_group_rule" "sg0101" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "80/80"
  security_group_id = alicloud_security_group.sg01.id
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 10
  cidr_ip           = "10.2.1.0/24"
  description       = "sg0101"
}


resource "alicloud_security_group_rule" "sg0102" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "443/443"
  security_group_id = alicloud_security_group.sg01.id
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 10
  cidr_ip           = "10.2.1.0/24"
  description       = "sg0102"
}

resource "alicloud_instance" "instance01" {
  image_id                   = var.image_id
  instance_type              = var.instance_type
  security_groups            = [alicloud_security_group.sg01.id]
  instance_name              = "instance01"
  system_disk_category       = "cloud_ssd"
  system_disk_name           = "instance01"
  system_disk_size           = 20
  description                = "instance01"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_out = 0
  host_name                  = "instance01"
  vswitch_id                 = alicloud_vswitch.sw01.id
  instance_charge_type       = "PostPaid"
  key_name                   = "alibabakey01"
  deletion_protection        = false
  credit_specification       = "Standard"
  user_data                  = "IyEvYmluL2Jhc2gKeXVtIGluc3RhbGwgLXkgaHR0cGQKc3lzdGVtY3RsIHN0YXJ0IGh0dHBkCnN5c3RlbWN0bCBlbmFibGUgaHR0cGQKZWNobyAkKHVuYW1lIC1uKSA+IC92YXIvd3d3L2h0bWwvaW5kZXguaHRtbAo="
}

resource "alicloud_instance" "instance02" {
  image_id                   = var.image_id
  instance_type              = var.instance_type
  security_groups            = [alicloud_security_group.sg01.id]
  instance_name              = "instance02"
  system_disk_category       = "cloud_ssd"
  system_disk_name           = "instance02"
  system_disk_size           = 20
  description                = "instance02"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_out = 0
  host_name                  = "instance02"
  vswitch_id                 = alicloud_vswitch.sw01.id
  instance_charge_type       = "PostPaid"
  key_name                   = "alibabakey01"
  deletion_protection        = false
  credit_specification       = "Standard"
  user_data                  = "IyEvYmluL2Jhc2gKeXVtIGluc3RhbGwgLXkgaHR0cGQKc3lzdGVtY3RsIHN0YXJ0IGh0dHBkCnN5c3RlbWN0bCBlbmFibGUgaHR0cGQKZWNobyAkKHVuYW1lIC1uKSA+IC92YXIvd3d3L2h0bWwvaW5kZXguaHRtbAo="
}

resource "alicloud_slb_load_balancer" "clb01" {
  load_balancer_name   = "clb01"
  address_type         = "internet"
  internet_charge_type = "PayByBandwidth"
  bandwidth            = 1
  load_balancer_spec   = "slb.s1.small"
  payment_type         = "PayAsYouGo"
  master_zone_id       = local.availability_zone
  delete_protection    = "off"
  instance_charge_type = "PayBySpec"
  
}


resource "alicloud_slb_server_group" "be01" {
  load_balancer_id = alicloud_slb_load_balancer.clb01.id
  name             = "be01"
}

resource "alicloud_slb_server_group_server_attachment" "be01_instance01" {
  server_group_id = alicloud_slb_server_group.be01.id
  server_id       = alicloud_instance.instance01.id
  port            = 80
  weight          = 100
  type            = "ecs"
}

resource "alicloud_slb_server_group_server_attachment" "be01_instance02" {
  server_group_id = alicloud_slb_server_group.be01.id
  server_id       = alicloud_instance.instance02.id
  port            = 80
  weight          = 100
  type            = "ecs"
}

 


resource "alicloud_slb_listener" "lis01" {
  load_balancer_id          = alicloud_slb_load_balancer.clb01.id
  backend_port              = 80
  frontend_port             = 80
  protocol                  = "http"
  bandwidth                 = 1
  description               = "lis01"
  scheduler                 = "wrr"
  sticky_session            = "off"
  health_check              = "on"
  health_check_type         = "http"
  health_check_uri          = "/"
  health_check_connect_port = 80
  healthy_threshold         = 3
  unhealthy_threshold       = 3
  health_check_timeout      = 5
  health_check_interval     = 2
  health_check_http_code    = "http_2xx,http_3xx"
  health_check_method       = "head"
  gzip                      = "true"
  idle_timeout              = 15
  request_timeout           = 60
  listener_forward          = "off"
  server_group_id           = alicloud_slb_server_group.be01.id
}


EOF

 

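# Ids of everything created, for the CLI steps below. The original file only
# exposed the CLB id; step 3 also needs the vServer group id (the rsp-... value
# passed as --VServerGroupId), so that output is added here.
cat > outputs.tf <<'EOF'
output "vpc01_id" {
  value       = alicloud_vpc.vpc01.id
  description = "vpc01.id"
}

output "sw01_id" {
  value       = alicloud_vswitch.sw01.id
  description = "sw01.id"
}

output "sg01_id" {
  value       = alicloud_security_group.sg01.id
  description = "sg01.id"
}

output "instance01_id" {
  value       = alicloud_instance.instance01.id
  description = "instance01.id"
}

output "instance02_id" {
  value       = alicloud_instance.instance02.id
  description = "instance02.id"
}

# --LoadBalancerId for the aliyun slb calls in step 3.
output "clb01_id" {
  value       = alicloud_slb_load_balancer.clb01.id
  description = "clb01.id"
}

# --VServerGroupId for CreateLoadBalancerHTTPSListener in step 3.
output "be01_id" {
  value       = alicloud_slb_server_group.be01.id
  description = "be01.id"
}
EOF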

 


# Provider download, canonical formatting (this also straightens the uneven
# indentation in main.tf above) and a version check.
terraform init
terraform fmt
terraform -version

 

# Review the plan: this is the only point where the resources and their
# security-group rules get a human look, because apply runs with
# -auto-approve below.
terraform plan


# -auto-approve skips the interactive confirmation; fine for a throwaway lab
# stack, not for anything shared.
terraform apply -auto-approve

 


# Tear-down after the test. Deletion protection is off on every resource in
# main.tf, so this removes the whole stack without further prompts.
terraform destroy -auto-approve

 


-- 2. サーバー証明書のアップロード

CLIでエラーとなるのでCLB/証明書画面から実施


証明書ソース: サードパーティの証明書
証明書名: cert01
証明書のタイプ: サーバー証明書
証明書: cert2.pem
秘密鍵: privkey2.pem

秘密鍵はそのままではアップロードできない。下記のようにヘッダー/フッターの文言修正が必要（文言を置き換えても鍵本体は PKCS#8 形式のままなので、より確実には `openssl rsa -in privkey2.pem -out privkey2-rsa.pem`（OpenSSL 3 系では `-traditional` を付与）で PKCS#1 形式の RSA PRIVATE KEY に変換した鍵を使う）
-----BEGIN PRIVATE KEY-----

-----BEGIN RSA PRIVATE KEY-----

-----END PRIVATE KEY-----

-----END RSA PRIVATE KEY-----


-- 3. リスナー変更

HTTPリスナー削除

# Remove the plain-HTTP listener on port 80 created by Terraform before the
# HTTPS one is added. Alternative worth considering instead of deleting it:
# keep the port-80 listener and switch on ListenerForward to 443 so http://
# requests are redirected rather than refused.
aliyun slb DeleteLoadBalancerListener --LoadBalancerId lb-111111111111111111111 --ListenerPort 80

 

HTTPSリスナー作成

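# Create the HTTPS listener on 443: TLS terminates on the CLB, requests are
# forwarded to the port-80 backends in the vServer group.
#   --ServerCertificateId  certificate uploaded in step 2 (placeholder id)
#   --VServerGroupId       server group created by Terraform (placeholder id)
#   --TLSCipherPolicy      pins the TLS policy explicitly. Left unset, the
#                          listener takes the platform default, which still
#                          admits TLS 1.0/1.1 clients (confirm the current
#                          default in the CLB docs); tls_cipher_policy_1_2
#                          restricts the listener to TLS 1.2.
# Health-check parameters mirror the Terraform HTTP listener (lis01).
aliyun slb CreateLoadBalancerHTTPSListener \
--Bandwidth 1 \
--HealthCheck on \
--ListenerPort 443 \
--LoadBalancerId lb-111111111111111111111 \
--StickySession off \
--Description lis02 \
--Gzip on \
--HealthCheckConnectPort 80 \
--HealthCheckHttpCode "http_2xx,http_3xx" \
--HealthCheckInterval 2 \
--HealthCheckMethod head \
--HealthCheckTimeout 5 \
--HealthCheckURI "/" \
--HealthyThreshold 3 \
--IdleTimeout 15 \
--RequestTimeout 60 \
--UnhealthyThreshold 3 \
--VServerGroupId rsp-1111111111111 \
--ServerCertificateId 1111111111111111_11111111111_-1111111111_111111111 \
--TLSCipherPolicy tls_cipher_policy_1_2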

 


HTTPSリスナーの起動
# Bring the new listener up. Creation alone does not start it; this note
# starts it explicitly after the create call.
aliyun slb StartLoadBalancerListener --LoadBalancerId lb-111111111111111111111 --ListenerPort 443


HTTPSリスナーの停止
# Take the HTTPS listener offline without deleting it (configuration and
# certificate binding are kept; Start above re-enables it).
aliyun slb StopLoadBalancerListener --LoadBalancerId lb-111111111111111111111 --ListenerPort 443

 

HTTPSリスナー削除

# Delete the HTTPS listener entirely (clean-up for the lab; the uploaded
# certificate itself is not removed by this call).
aliyun slb DeleteLoadBalancerListener --LoadBalancerId lb-111111111111111111111 --ListenerPort 443

 

 

-- 4. 動作確認

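# Plain HTTP against the CLB address: after step 3 the port-80 listener is
# gone, so this is expected to be refused (unless it was kept as a redirect).
curl http://192.0.2.1

# HTTPS against the bare IP: expected to fail verification, because the
# certificate was issued for a host name, not for 192.0.2.1.
curl https://192.0.2.1

# -k disables certificate verification: enough to see that the listener
# answers, but it proves nothing about the certificate that was uploaded.
curl -k https://192.0.2.1

# Verify the certificate properly without touching the hosts file: pin the
# name the certificate was issued for to the CLB address. <cert-hostname> is a
# placeholder for that name.
curl --resolve '<cert-hostname>:443:192.0.2.1' 'https://<cert-hostname>/'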

 


hostsファイルの設定

証明書の変換

# Re-encode the PEM certificate as DER (.crt) for import into the client's
# certificate store.
openssl x509 -in cert2.pem -outform DER -out cert2.crt

証明書のインポート