1. Why are some response header parameters deleted after the requests are forwarded by Layer-7 listeners?

Symptoms: SLB modifies the values of the Date, Server, X-Pad, X-Accel-Redirect and other parameters in the response headers to achieve session persistence.


  • Add a prefix to the custom header, such as xl-server or xl-date.
  • Change the Layer-7 listener to a Layer-4 listener.

2. Why an additional header Transfer-Encoding: chunked is added to the HTTP request?

Symptoms: After a domain name is resolved into the IP address of a Layer-7 SLB instance, a Transfer-Encoding: chunked field is added in the HTTP request header when accessing the domain name from a local host. However, no such field is found in the request when accessing backend servers directly from the local host.

Cause: Layer-7 SLB is based on the Tengine reverse proxy. The Transfer-Encoding field indicates how the Web server encodes the response message body. For example, Transfer-Encoding: chunked indicates the chunked transfer encoding is used.

Note This header is not added in the requests forwarded by Layer-4 listeners, because Layer-4 listeners only distribute traffic.

3. Why style sheets are not loaded when opening a website through an HTTPS listener?


An HTTP listener and an HTTPS listener are created respectively, and they use the same backend servers. When accessing the website over the HTTP listener with the specified port number, the website is displayed normally. However, the website layout is messy when accessing the website through the HTTPS listener.


By default, SLB does not block loading and transferring JavaScript files. The possible reasons are as follows:

  • The certificate is not compatible with the security level of the web browser.
  • The certificate is an unqualified third-party certificate. In this case, contact the certificate issuer to check the certificate.


  1. When you open the website, click the prompt in the browser's address bar to load the script.
  2. Add the required certificate to the browser.

4. Which port does HTTPS listeners use?

There are no special requirements on ports. However, we recommend that you use 443 as the port number for HTTPS listeners.

5. What types of certificates does SLB support?

SLB supports uploading server certificates and CA certificates in the PEM format.

For the server certificates, you must upload both the certificate content and the private key. For the CA certificates, you only need to upload the certificate content.

6. Does the SLB support keytool-created certificates?


However, you must convert the certificate format to PEM before uploading the certificate to SLB. For more information, see Convert certificate format.

7. Can I use certificates in the PKCS#12(PFX) format?


However, you must convert the certificate format to PEM before uploading the certificate to SLB. For more information, see Convert certificate format.

8. How many certificates can I upload with one account?

A maximum of 100 certificates per account are allowed, including CA certificates and server certificates.

9. Why does the KeyEncryption error occur when uploading certificates?

The private key contains incorrect contents. For more information on private key format, see Certificate formats.

10. How many certificates can be added to an HTTPS listener?

If you use HTTPS one-way authentication, you can only bind one server certificate to a listener; if you use HTTPS mutual authentication, you must bind a server certificate and a CA certificate to a listener.

The HTTPS listener of a guaranteed-performance SLB instance supports attaching multiple certificates to forward requests with different domain names to different backend server groups. For more information, see Tutorial: Configure a domain name extension.

11. What SSL protocol versions are supported by the HTTPS Server Load Balancer service?

TLSv1, TLSv1.1, and TLSv1.2.

12. Why is the actual traffic generated by HTTPS listeners more than the billed traffic of HTTPS listeners?

HTTPS listeners consume some traffic for three-way handshake, so the actual traffic generated is more than the billed traffic.

13. What is the lifetime of an HTTPS session ticket?

The lifetime of an HTTPS session ticket is set to 300 seconds.

14. Can I upload a certificate containing DH PARAMETERS?

No. The ECDHE method used by HTTPS listeners supports forward secrecy, but does not support uploading the PEM files that contain the security enhancement parameters, such as BEGIN DH PARAMETERS.

15. Does HTTPS listeners support SNI?

Yes. SNI (Server Name Indication) is an extension to SSL/TLS protocol so that a server can use multiple domain names and certificates. SLB HTTPS supports the SNI function. For more information, see Configuration tutorial.

16. Which HTTP version is used by HTTP/HTTPS listeners to access the backend servers?


17. Can the backend ECS instances obtain the protocol version used by the client to access the HTTP/HTTPS listener?


18. After SLB forwards a request to a backend server, if the client disconnects from SLB before it receives the response from the backend server, will SLB close the connection to the backend server at the same time?

No. SLB will not close the connection to the backend servers during the reading and writing process.

19. Do HTTP/HTTPS listeners support the WebSocket/SSL WebSocket?

Yes, WebSocket/SSL WebSocket protocol is supported in all regions. For more information, see WS/WSS protocol FAQ.

20. What are timeout values specified for HTTP/HTTPS listeners?

  • A maximum of 100 requests can be sent continuously in an HTTP persistent connection. The connection is closed when the limit is reached.
  • The timeout between two HTTP/HTTPS requests in an HTTP persistent connection is 15 seconds. The TCP connection is closed when the timeout exceeds 15 seconds. If you want to use the HTTP persistent connection, try to send heartbeat requests within 13 seconds.
  • The timeout for the TCP three-way handshake between SLB and a backend ECS instance is 5 seconds. After the handshake times out, SLB selects the next ECS instance. You can find the timeout by checking the upstream response time in the access logs.
  • The time that SLB waits for the response from an ECS instance is 60 seconds. If the wait time exceeds 60 seconds, a 504 or 408 status code is sent to the client. You can find the timeout by checking the upstream response time in the access logs.
  • The HTTPS session reuse times out after 300 seconds. After the timeout, the client needs to perform the complete SSL handshake process again.

21. Does SLB support configuring domain and URL based forwarding rules?

Yes. For more information, see Configure domain and URL based forwarding rules.

22. How many forwarding rules can be configured for each listener?

You can add a maximum of 20 forwarding rules to each listener.