
Alibabacloud Network Alb Http To Https

v0.0.1-beta.1

Configure HTTP-to-HTTPS redirects on Alibaba Cloud ALB, including inspecting the current listener and rule setup, creating missing HTTP or HTTPS listeners, a...

by @sdk-team (alibabacloud-skills-team)·MIT-0
License: MIT-0
Last updated: 2026/3/31
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
The skill appears to implement the stated ALB HTTP→HTTPS workflow and its scripts are coherent, but the registry metadata omits the fact that active Alibaba Cloud credentials are required and the SKILL.md asks you to enable automatic plugin installation — these gaps and a few policy/permission implications merit caution before installing.
Assessment recommendations
This skill is functionally coherent for configuring Alibaba Cloud ALBs, but review and take these precautions before installing or running it: - Credentials: The skill requires an active Alibaba Cloud CLI profile (AK/SK, STS, or OAuth) configured locally. The registry metadata did not declare required env vars/primary credential — make sure you configure credentials yourself (aliyun configure) and do NOT paste secrets into the chat. The scripts use the aliyun CLI (they do not contain embedded c...
Detailed analysis
Purpose and capability
The name, description, SKILL.md, and included scripts consistently implement configuring HTTP-to-HTTPS redirects on Alibaba Cloud ALB (listing load balancers/listeners, creating listeners/server groups, creating redirect rules, uploading certificates). The requested ALB and CAS RAM permissions match the declared capability.
Instruction scope
Runtime instructions and scripts confine actions to local shell operations and calls to the aliyun CLI (plus openssl for test cert generation). They do not reference external endpoints beyond the official Aliyun CLI download URLs in the installation reference and do not instruct the agent to read unrelated system files or unrelated environment variables.
Install mechanism
There is no install spec (instruction-only). The included installation guidance points to official Alibaba download URLs (aliyuncli.alicdn.com) — acceptable. However, the SKILL.md requires enabling aliyun CLI auto-plugin-install, which causes the CLI to fetch product plugins from the network at runtime; that is a legitimate functional need but increases runtime network activity and should be acknowledged.
Credential requirements
The skill requires active Alibaba Cloud credentials to operate (SKILL.md explicitly says to run 'aliyun configure' or set env vars), but the registry metadata shows no required env vars and no primary credential. The omission is an inconsistency: the skill will use the user's configured AK/SK/sts/OAuth via the aliyun CLI, so the installer/operator must ensure credentials are present and follow least-privilege RAM policies (the SKILL.md lists the specific ALB and CAS permissions).
Persistence and privileges
The skill is not 'always: true' and does not request persistent system-wide changes beyond running scripts. It does suggest changing the aliyun CLI setting (--auto-plugin-install true) which affects CLI behavior but not the agent platform; otherwise there is no indication the skill modifies other skills or system-wide agent config.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v0.0.1-beta.1 · 2026/3/31

- Initial beta release of the skill for configuring HTTP-to-HTTPS redirects on Alibaba Cloud ALB.
- Supports inspecting current ALB listener and rule setup, and creating missing HTTP/HTTPS listeners as needed.
- Adds redirect rules to force HTTP (port 80) traffic to HTTPS (port 443).
- Includes detailed authentication, permission, and workflow instructions.
- Requires Alibaba Cloud CLI (>= 3.3.1) with relevant plugins and proper credentials.

● Benign

Install command

Official: npx clawhub@latest install alibabacloud-network-alb-http-to-https
Mirror: npx clawhub@latest install alibabacloud-network-alb-http-to-https --registry https://cn.clawhub-mirror.com

Skill documentation

Use the aliyun CLI to configure HTTP-to-HTTPS 301/302 redirects on ALB. Write scripts poll resource status after creation until listeners or rules become available.

All Alibaba Cloud service calls in this skill must include --user-agent AlibabaCloud-Agent-Skills.

Installation

Pre-check: Aliyun CLI >= 3.3.1 required

Run aliyun version to verify >= 3.3.1. If not installed or version too low, see references/cli-installation-guide.md for installation instructions.

Then [MUST] run the following to enable automatic plugin installation:

    aliyun configure set --auto-plugin-install true

Authentication

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

- NEVER read, echo, or print AK/SK values (e.g., echo $ALIBABA_CLOUD_ACCESS_KEY_ID is FORBIDDEN)
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use aliyun configure set with literal credential values
- ONLY use aliyun configure list to check credential status

    aliyun configure list

Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.

1. Obtain credentials from Alibaba Cloud Console
2. Configure credentials outside of this session (via aliyun configure in terminal or environment variables in shell profile)
3. Return and re-run after aliyun configure list shows a valid profile

RAM Policy

This skill requires the following RAM permissions. See references/ram-policies.md for the complete list.

Core Permissions Required:

  • ALB: ListLoadBalancers, GetLoadBalancerAttribute, ListListeners, GetListenerAttribute
  • ALB: CreateListener, ListRules, CreateRule, CreateServerGroup
  • CAS: UploadUserCertificate

[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:

1. Read references/ram-policies.md to get the full list of permissions required by this SKILL
2. Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions
3. Pause and wait until the user confirms that the required permissions have been granted

Decision tree

Inspect the current state first, then choose the next action:

  • Use get_load_balancer.sh to confirm the ALB exists and is Active. Do not continue with certificate upload, server group creation, listener creation, or rule creation until the ALB existence check passes.
  • If the user provides an ALB name, or the identifier is ambiguous, resolve it to a real LoadBalancerId first with list_load_balancers.sh. Only pass a confirmed ALB ID to scripts that require --lb-id.
  • Use list_listeners.sh to inspect existing listeners.
  • Branch on the result:
    - No HTTPS listener -> Ask whether to create one. A server group ID and certificate ID are required. If no certificate exists, suggest generate_test_cert.sh plus upload_cert.sh to generate and upload a self-signed test certificate.
    - HTTPS exists, but no HTTP listener -> Ask whether to create HTTP:80 with a redirect. The HTTP listener DefaultAction must reference a server group, so an empty placeholder server group may be needed.
    - HTTP listener exists, but no redirect rule -> Use get_listener.sh to confirm the protocol is HTTP, then use list_rules.sh to find occupied priorities and create a Redirect rule with the highest available priority.
    - Redirect rule already exists -> Inform the user that redirect is already configured and show the current rule.
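
The decision tree above, written out as an added example (not code from the skill or its bundled scripts): it classifies the inspected listener and rule state into one branch and picks a free rule priority. The JSON field names, the 1-10000 priority range, the reading of "highest available priority" as the lowest unused number, and all IDs are assumptions; the sample data is constructed.

```python
import json

# Constructed sample data. Field names (Listeners, ListenerProtocol, Rules,
# RuleActions[].Type, Priority) are assumed to match the --json output.
LISTENERS = json.loads("""{"Listeners": [
  {"ListenerId": "lsn-http-example",  "ListenerProtocol": "HTTP",  "ListenerPort": 80},
  {"ListenerId": "lsn-https-example", "ListenerProtocol": "HTTPS", "ListenerPort": 443}]}""")
RULES = {  # listener ID -> rules response for that listener
    "lsn-http-example": {"Rules": [
        {"RuleId": "rule-fwd-example", "Priority": 1,
         "RuleActions": [{"Type": "ForwardGroup"}]}]},
    "lsn-https-example": {"Rules": []},
}


def redirect_rules(rules_resp):
    """Return the rules that carry at least one Redirect action."""
    return [r for r in rules_resp.get("Rules", [])
            if any(a.get("Type") == "Redirect" for a in r.get("RuleActions", []))]


def free_priority(rules_resp, lo=1, hi=10000):
    """Lowest unused priority number (assumed: lower number = evaluated first)."""
    used = {r["Priority"] for r in rules_resp.get("Rules", [])}
    return next(p for p in range(lo, hi + 1) if p not in used)


def next_action(listeners_resp, rules_by_listener):
    """Map the inspected state to one branch of the decision tree."""
    by_proto = {}
    for lsn in listeners_resp.get("Listeners", []):
        by_proto.setdefault(lsn["ListenerProtocol"], []).append(lsn)
    https, http = by_proto.get("HTTPS", []), by_proto.get("HTTP", [])
    if not https:
        return ("create_https_listener", None)
    for lsn in https:  # a redirect here is the loop case in Troubleshooting
        if redirect_rules(rules_by_listener.get(lsn["ListenerId"], {})):
            return ("review_https_redirect", lsn["ListenerId"])
    if not http:
        return ("create_http_listener", None)
    for lsn in http:
        found = redirect_rules(rules_by_listener.get(lsn["ListenerId"], {}))
        if found:
            return ("already_configured", found[0]["RuleId"])
    return ("create_redirect_rule", http[0]["ListenerId"])


if __name__ == "__main__":
    print(next_action(LISTENERS, RULES), free_priority(RULES["lsn-http-example"]))
```

The HTTPS check runs before the HTTP branches so that a redirect already sitting on the HTTPS listener is surfaced before a second redirect is added on port 80.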

Workflow

# 1. Verify CLI version and enable automatic plugin installation
aliyun version
aliyun configure set --auto-plugin-install true

# 2. Verify credentials without printing secrets
aliyun configure list

# 3. Resolve ALB name to ID if needed
bash scripts/list_load_balancers.sh --region REGION --lb-names LB_NAME

# 4. Inspect current state and stop early if the ALB does not exist
bash scripts/get_load_balancer.sh --region REGION --lb-id LB_ID
bash scripts/list_listeners.sh --region REGION --lb-id LB_ID

# 5. Generate and upload a certificate only if a new HTTPS listener is needed and no usable certificate exists
bash scripts/generate_test_cert.sh --domain DOMAIN
bash scripts/upload_cert.sh --name CERT_NAME --cert-file /tmp/alb-test-certs/cert.pem --key-file /tmp/alb-test-certs/key.pem

# 6. Create an empty server group only if an HTTP listener must be created and no placeholder server group is available
# Use the VPC ID from the ALB details in step 4 instead of trusting free-form VPC input
bash scripts/create_server_group.sh --region REGION --name http-placeholder --vpc-id VPC_ID

# 7. Create the HTTPS listener if it does not exist
bash scripts/create_listener.sh --region REGION --lb-id LB_ID \
  --protocol HTTPS --port 443 --forward-sg SERVER_GROUP_ID --cert-id CERT_ID

# 8. Create the HTTP listener if it does not exist, using the placeholder server group
bash scripts/create_listener.sh --region REGION --lb-id LB_ID \
  --protocol HTTP --port 80 --forward-sg SERVER_GROUP_ID

# 9. Confirm the protocol, inspect used priorities, and add the redirect rule
bash scripts/get_listener.sh --region REGION --listener-id LISTENER_ID
bash scripts/list_rules.sh --region REGION --listener-id LISTENER_ID
bash scripts/create_rule.sh --region REGION --listener-id LISTENER_ID \
  --name "force-https" --priority PRIORITY --action-type Redirect

# 10. Verify
bash scripts/list_listeners.sh --region REGION --lb-id LB_ID
bash scripts/list_rules.sh --region REGION --listener-id LISTENER_ID

Not every step is required. Skip any step already satisfied by the current state.

Defaults & rules

  • DefaultAction supports only ForwardGroup. Redirect and FixedResponse must be implemented through rules.
  • An HTTP listener must reference a placeholder server group, which may be empty, and then use a Redirect rule to cover all requests.
  • Redirect rules can be attached only to HTTP listeners. create_rule.sh validates the listener protocol automatically.
  • create_rule.sh checks for priority conflicts automatically and returns an error with the conflicting rule if one exists.
  • The default is HTTP 301 permanent redirect, which browsers may cache. Use --redirect-code 302 during testing.
  • The certificate service (cas) is global. upload_cert.sh calls the cas.aliyuncs.com endpoint.
  • aliyun configure list is only a local credential check and does not need --user-agent.
  • All Alibaba Cloud service calls in this skill must set --user-agent AlibabaCloud-Agent-Skills. The bundled scripts do this through scripts/common.sh, and any manual aliyun alb ... or aliyun cas ... command must include the same flag.
  • ALB and CAS commands use aliyun CLI product-plugin mode with kebab-case subcommands and the global --region parameter.
  • Query scripts automatically aggregate paginated results in plain-text output so the first page is not shown in isolation.
  • Query scripts return the raw aliyun CLI JSON response when --json is used, which is useful for automation.
  • Write scripts perform scenario-specific prechecks before execution, such as instance state, port conflicts, and rule priority conflicts.

Scripts

Script | Purpose
scripts/list_load_balancers.sh | List ALB instances and resolve a load balancer name to its LoadBalancerId
scripts/get_load_balancer.sh | Get load balancer details
scripts/list_listeners.sh | List listeners
scripts/get_listener.sh | Get listener details, including protocol, certificate, and DefaultAction
scripts/list_rules.sh | List forwarding rules, or query a single rule with --rule-id
scripts/generate_test_cert.sh | Generate a self-signed test certificate with openssl
scripts/upload_cert.sh | Upload a certificate to Alibaba Cloud Certificate Management Service and return the CertId
scripts/create_server_group.sh | Create an empty server group for the HTTP listener DefaultAction placeholder
scripts/create_listener.sh | Create an HTTP, HTTPS, or QUIC listener
scripts/create_rule.sh | Create a forwarding rule of type Redirect, ForwardGroup, or FixedResponse

Each script supports --help, --json, --dry-run for write operations, and --output FILE.

References

  • references/ram-policies.md: Required RAM permissions for this skill
  • related_apis.yaml: API inventory for the ALB and CAS operations covered by this skill

Rollback

Deleting the redirect rule does not affect the HTTPS listener or backend services.

# Delete only the rule
aliyun --user-agent AlibabaCloud-Agent-Skills alb delete-rule --region REGION --rule-id RULE_ID

# Or delete the HTTP listener as well
aliyun --user-agent AlibabaCloud-Agent-Skills alb delete-listener --region REGION --listener-id LISTENER_ID

Troubleshooting

Symptom | Cause | Resolution
Redirect loop with ERR_TOO_MANY_REDIRECTS | The HTTPS listener also has a redirect | Check that the HTTPS listener DefaultAction is ForwardGroup
Connection fails after redirect | The HTTPS listener is not running or has no certificate attached | Check the HTTPS listener status and certificate
Only some domains are redirected | The rule condition restricts Host | Remove the --host condition or use /* to match all paths
Listener creation fails with a port conflict | A listener already exists on the same port | Add the rule to the existing listener instead
The browser does not redirect | The 301 response is cached | Clear the cache, use incognito mode, or test with curl -I

Data source: ClawHub · Chinese localization: 龙虾技能库