# Create a HTTPS load balancer

***

In this section, we'll continue with the same load balancer as in [Create a simple HTTP load balancer using the control panel](#create-a-simple-http-load-balancer-using-the-control-panel), but add a new listener. This listener will listen on port 443 for HTTPS traffic. You will also add a certificate to the listener.

The first step is to upload an SSL certificate to the load balancer. Currently, there is no support for renewing Let's Encrypt certificates directly in the load balancer. However, you can issue a Let's Encrypt certificate yourself and renew it manually. It's also possible to automate the process using the API endpoints [loadbalancer/addcertificate](https://github.com/GleSYS/API-docs/wiki/API-Documentation#loadbalanceraddcertificate), [loadbalancer/listcertificate](https://github.com/GleSYS/API-docs/wiki/API-Documentation#loadbalancerlistcertificate), and [loadbalancer/removecertificate](https://github.com/GleSYS/API-docs/wiki/API-Documentation#loadbalancerremovecertificate). Another alternative is to purchase a certificate with a longer expiration date.

Keep in mind that you need to point an FQDN (Fully Qualified Domain Name) to the load balancer for the certificate to appear valid in a web browser. If you're using Glesys DNS, you can easily create an A record for the IPv4 address and an AAAA record for the IPv6 address.

Once you have a valid certificate, upload it to the load balancer by pasting it. Click the **Upload Certificate** button for the load balancer.

In the dialog box that opens, paste the certificate along with all the intermediate CA certificates provided. This is typically referred to as a *CA bundle* or *chain.pem*. Sometimes, you may receive both the certificate and the CA bundle in a single file, which is often named *full-chain.pem* or something similar. You also need to paste the certificate's private key in the same dialog box. The key is typically named *privkey.pem* or something similar. The order should be as follows:

1. The certificate
2. The CA bundle / chain
3. The key

Everything must be in PEM format. See the guide "[Convert an SSL certificate from CRT to PEM format](/products/connectivity/load-balancer/how-tos/convert-an-ssl-certificate-from-crt-to-pem-format.md)" for instructions on how to convert a certificate.
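The paste order above can be checked before uploading. This is an added example, not Glesys code: `check_bundle` is a hypothetical helper that only inspects the PEM framing and block order (it does not validate the chain or match the key to the certificate), and the sample blocks are constructed placeholders.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_bundle(text):
    """Return a list of problems; an empty list means the paste order is right."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found; convert DER/CRT input to PEM first"]
    problems = []
    labels = [label for label, _ in blocks]
    for pos, (label, body) in enumerate(blocks, start=1):
        if label != "CERTIFICATE" and label not in KEY_LABELS:
            problems.append(f"block {pos}: unexpected type {label!r}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {pos}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # certificates and keys are DER SEQUENCEs
            problems.append(f"block {pos}: payload is not a DER SEQUENCE")
    key_positions = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if labels[0] != "CERTIFICATE":
        problems.append("first block must be the certificate")
    if labels.count("CERTIFICATE") < 2:
        problems.append("no CA bundle / chain certificate after the certificate")
    if len(key_positions) != 1:
        problems.append(f"expected one private key, found {len(key_positions)}")
    elif key_positions[0] != len(labels) - 1:
        problems.append("private key must be the last block")
    return problems


def _block(label):
    # Constructed placeholder payload (a tiny DER SEQUENCE), not a real cert or key.
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


GOOD = _block("CERTIFICATE") + _block("CERTIFICATE") + _block("PRIVATE KEY")
KEY_FIRST = _block("PRIVATE KEY") + _block("CERTIFICATE") + _block("CERTIFICATE")
```

Run it on the concatenated text locally, since the bundle contains the private key.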

You also need to name the certificate so it can be selected later for the listener. Here, we name it *my-test-lb*.

Now, create a new listener by clicking the **Add Listener** button just below the first listener you created earlier.

However, instead of port 80, choose port 443 for the listener this time. Select HTTP mode as before. Also, select the certificate you just uploaded from the **Certificate** dropdown menu. Click **Save** when everything looks good.

Now, add the targets—web servers—by clicking **Add Target**. Click **Add Target** multiple times to add several servers. Click **Save** to save all the targets.

Currently, it is not possible to use HTTPS for the targets due to how SSL verification works.

## Redirect HTTP to HTTPS with Apache using X-Forwarded-Proto

The load balancer adds two HTTP headers, `X-Forwarded-Proto` and `X-Forwarded-For`. The latter, `X-Forwarded-For`, can be used to [obtain the visitor's IP address](/products/connectivity/load-balancer/how-tos/create-a-http-load-balancer/log-visitors-ip-addresses-and-protocol.md). The former, `X-Forwarded-Proto`, can be used for redirect rules in, for example, Apache.

It is common to use `RewriteCond %{HTTPS} off` with Apache; however, this creates problems when, for example, a load balancer’s backend points to port 80. In that case, the request will always arrive on port 80, so the logic will always match, resulting in a **redirect loop**.

When a **redirect loop** occurs, the flow looks like this:

1. The request arrives on port 443, for example, at the load balancer, which terminates SSL.
2. It is forwarded to Apache on port 80.
3. Apache sees the request came in on port 80 and redirects the request back to the load balancer on port 443.
4. Back to step 1. This loop becomes endless.

This is where `X-Forwarded-Proto` comes in. It is a header added by the load balancer: when traffic comes from the load balancer with SSL enabled, `X-Forwarded-Proto` is set to `https`. The redirect rule therefore needs an exception for requests that carry `X-Forwarded-Proto: https`, so that those requests are served and only clients that originally accessed port 80 are redirected to HTTPS (port 443).

This is an example of how you can use `X-Forwarded-Proto` to write a redirect rule in Apache:

```apacheconf
# Redirect to HTTPS unless the load balancer reports that the client already used HTTPS
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
```
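The redirect loop and the fix, modelled as a small simulation. This is an added example, not Apache or Glesys code: the function names are hypothetical, and it assumes the load balancer sends `X-Forwarded-Proto: http` for requests arriving on the port 80 listener.

```python
MAX_HOPS = 10  # stop following redirects after this many requests


def rule_https_off(backend_tls, headers):
    # Models `RewriteCond %{HTTPS} off`: only sees the load-balancer-to-Apache hop.
    return not backend_tls


def rule_forwarded_proto(backend_tls, headers):
    # Models `RewriteCond %{HTTP:X-Forwarded-Proto} !=https`.
    return headers.get("X-Forwarded-Proto") != "https"


def load_balancer(client_scheme):
    """SSL terminates here; the target is always reached over plain HTTP on port 80."""
    headers = {"X-Forwarded-Proto": client_scheme}
    backend_tls = False
    return backend_tls, headers


def follow(client_scheme, rule):
    """Return (schemes requested by the client, final outcome)."""
    requested = []
    scheme = client_scheme
    for _ in range(MAX_HOPS):
        requested.append(scheme)
        backend_tls, headers = load_balancer(scheme)
        if not rule(backend_tls, headers):
            return requested, "200 OK"
        scheme = "https"  # Apache answered 301 with Location: https://...
    return requested, "redirect loop"


if __name__ == "__main__":
    for name, rule in [("HTTPS off", rule_https_off),
                       ("X-Forwarded-Proto", rule_forwarded_proto)]:
        for scheme in ("http", "https"):
            hops, outcome = follow(scheme, rule)
            print(f"{name:18} client={scheme:5} requests={len(hops):2} -> {outcome}")
```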

