Why are some response header parameters deleted after requests are forwarded by Layer 7 listeners?

Issue: Layer 7 CLB is a Tengine reverse proxy, and the proxy does not pass the backend's Date, Server, X-Pad, and X-Accel-Redirect response headers through unchanged: Date and Server are replaced with the proxy's own values, and X-Pad and X-Accel-Redirect are consumed by the proxy and never sent to the client. Any custom value your application puts in one of these four headers therefore does not reach the client.

Solution:

  • Use a custom header name that does not collide with the headers the proxy rewrites, for example xl-server or xl-date.
  • Change the Layer 7 HTTP listener to a Layer 4 TCP listener. A TCP listener forwards the TCP payload without parsing HTTP, so response headers pass through untouched, but Layer 7 features such as HTTPS termination and cookie-based session persistence are no longer available.

Why is an additional header, Transfer-Encoding: chunked, added to an HTTP request?

Issue:

After a domain name is resolved to the service address of a Layer 7 CLB instance, a Transfer-Encoding: chunked header is present in the HTTP request as received by the backend server when you access the domain name from an on-premises host. The header is not present when you send the same request from the on-premises host to the backend server directly.

Cause:

Layer 7 CLB is based on the Tengine reverse proxy. Transfer-Encoding is a hop-by-hop header: it describes how the body of the message is encoded on that particular hop, not how the client originally sent it. Transfer-Encoding: chunked means the body is sent as a series of length-prefixed chunks terminated by a zero-length chunk. The proxy terminates the client's connection, then forwards the request body to the backend over its own connection using chunked transfer encoding, so the backend sees the header even though the client never sent it.

Note This header is not added by Layer 4 listeners, because Layer 4 listeners forward TCP traffic without parsing or re-encoding HTTP.
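To see both effects concretely, the following script is an added example, not code from the CLB documentation or from Tengine. It parses two captures of the same HTTP message, one taken where it was sent and one taken where it arrived on the far side of the Layer 7 listener, decodes a chunked body, and reports which headers the proxy removed, added or changed. The captures, including the Server: Tengine value, are constructed sample data and not real CLB traffic; the header list follows the previous two questions.

```python
"""Diff an HTTP message before and after it passes through a Layer 7 proxy.

Added example for the two questions above; not code from the CLB
documentation. All captures below are constructed sample data.
"""
from typing import Dict, List, Tuple

HttpMessage = Tuple[str, Dict[str, str], bytes]


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body: <hex-size>[;ext]CRLF<data>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailer fields, if any, are ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2


def parse_http_message(raw: bytes) -> HttpMessage:
    """Split a raw request or response into (start line, lower-cased headers, decoded body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by a blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Transfer-Encoding takes precedence over Content-Length when both are present.
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(body)
    elif "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return lines[0], headers, body


def diff_headers(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report header names removed, added or changed between the two captures."""
    return {
        "removed": sorted(h for h in before if h not in after),
        "added": sorted(h for h in after if h not in before),
        "changed": sorted(h for h in before if h in after and before[h] != after[h]),
    }


def compare_captures(sent: bytes, received: bytes) -> Dict[str, object]:
    """Diff headers and confirm the decoded body survived the proxy hop intact."""
    _, sent_headers, sent_body = parse_http_message(sent)
    _, recv_headers, recv_body = parse_http_message(received)
    report: Dict[str, object] = dict(diff_headers(sent_headers, recv_headers))
    report["body_preserved"] = sent_body == recv_body
    return report


# Constructed captures (not real CLB traffic): the response as it left the backend,
# and the same response as the client received it from the Layer 7 listener.
BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: myapp/1.0\r\n"
    b"X-Pad: avoid browser bug\r\n"
    b"X-Accel-Redirect: /internal/report.pdf\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n\r\n"
    b"hello"
)
CLIENT_SEEN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:01 GMT\r\n"  # the proxy's own Date
    b"Server: Tengine\r\n"                       # the proxy's own Server banner (constructed value)
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n\r\n"
    b"hello"
)
# The client's request with a Content-Length body, and the same request as the backend
# received it: the proxy re-encoded the body as chunked on its own hop.
CLIENT_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n\r\n"
    b"hello=world"
)
BACKEND_SEEN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"b\r\nhello=world\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print("response:", compare_captures(BACKEND_RESPONSE, CLIENT_SEEN_RESPONSE))
    print("request: ", compare_captures(CLIENT_REQUEST, BACKEND_SEEN_REQUEST))
```

Feed it real captures (for example one taken with tcpdump on the backend and one on the client) to get the same report for your own traffic. Note that on Nginx-derived proxies such as Tengine an X-Accel-Redirect response header is an instruction to the proxy to serve an internal location rather than a header to forward, which is one more reason to confirm end to end which of these headers actually arrive.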

Why do the style sheets fail to load when I open a website over an HTTPS listener?

Issue:

An HTTP listener and an HTTPS listener are created, and they use the same backend servers. When you access the website over the HTTP listener with the specified port number, the website is displayed. However, the website layout is messy when you access the website over the HTTPS listener.

Cause:

CLB itself does not block or alter the loading of style sheets or JavaScript files; the resources are being rejected on the browser side. Possible causes:

  • The page references style sheets or scripts over plain http:// URLs. Browsers block such references on an HTTPS page as mixed content; the browser's developer console lists the blocked resources.
  • The certificate is not compatible with the security level of the web browser.
  • The certificate is not trusted by the browser, for example an unqualified third-party certificate. In this case, contact the certificate issuer to check the certificate.

Solution:

  1. Allow the browser to load the blocked content when it prompts you, or, better, change the page so that all style sheets and scripts are referenced over https:// or with relative URLs.
  2. Import the required certificate into the browser's trust store.

Which port number do HTTPS listeners use?

HTTPS listeners have no special requirements on ports. However, we recommend that you use 443 as the port number for HTTPS listeners.

What types of certificates does CLB support?

CLB supports server certificates and CA certificates in PEM format.

For the server certificates, you must upload both the certificate content and the private key. For the CA certificates, you need to upload only the certificate content.

Does CLB support keytool-created certificates?

Yes.

You must convert the certificate format to PEM before you upload the certificates to CLB. For more information, see Convert the certificate format.

Can I use certificates in PKCS#12 (PFX) format?

Yes.

You must convert the certificate format to PEM before you upload the certificates to CLB. For more information, see Convert the certificate format.

Why does a KeyEncryption error occur when I upload certificates?

The error occurs because the private key contains incorrect content. For more information, see Certificate requirements.

What SSL protocol versions are supported by HTTPS listeners?

TLSv1, TLSv1.1, and TLSv1.2. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); where the listener lets you restrict the versions it negotiates, allow TLS 1.2 only.

What is the TTL of an HTTPS session ticket?

The TTL of an HTTPS session ticket is set to 300 seconds.

Can I upload a certificate that contains the DH PARAMETERS field?

HTTPS listeners use ECDHE cipher suites, which provide forward secrecy without the Diffie-Hellman parameters that DHE cipher suites require. A PEM file that contains a BEGIN DH PARAMETERS block is therefore rejected; strip that block from the file and upload only the certificate (and, for a server certificate, the private key).
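The certificate questions above (PEM only, certificate plus private key for a server certificate, certificate only for a CA certificate, keytool and PFX material converted first, the KeyEncryption error on a bad private key, and no DH PARAMETERS block) can all be checked offline before an upload. The script below is an added example, not code from the CLB documentation; it uses only the Python standard library, checks format rather than validity (no signature, expiry or key-match verification), and treats a passphrase-protected key as a problem on the assumption that CLB, like most load balancers, needs the key in the clear. The sample PEM blocks are constructed placeholders around a minimal DER SEQUENCE and are not real certificates or keys.

```python
"""Offline sanity check of PEM material before uploading it to a CLB HTTPS listener.

Added example for the certificate questions above; not code from the CLB
documentation. Standard library only; checks format, not validity.
"""
import base64
import binascii
import re
from typing import List, Optional

# One PEM block: label, optional "Name: value" headers (legacy encrypted keys), base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}


def pem_blocks(text: str) -> List[dict]:
    """Parse every PEM block in text: its label, whether it is encrypted, and whether it decodes to DER."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        header_lines = [ln for ln in body.splitlines() if ":" in ln]  # ':' never occurs in base64
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            der = b""
        blocks.append({
            "label": label,
            "encrypted": label in ENCRYPTED_KEY_LABELS
            or any("ENCRYPTED" in ln for ln in header_lines),
            # X.509 certificates, PKCS#8 and PKCS#1 keys are all DER SEQUENCEs (tag 0x30).
            "valid_der": der.startswith(b"\x30"),
        })
    return blocks


def check_upload(cert_pem: str, key_pem: Optional[str] = None, kind: str = "server") -> List[str]:
    """Return the problems that would make the upload fail; an empty list means it looks fine."""
    problems: List[str] = []
    cert_blocks = pem_blocks(cert_pem)
    labels = {b["label"] for b in cert_blocks}
    if "DH PARAMETERS" in labels:
        problems.append("certificate file contains a DH PARAMETERS block; remove it (CLB uses ECDHE, not DHE)")
    if not labels & CERT_LABELS:
        problems.append("no CERTIFICATE block found; PFX or keytool material must be converted to PEM first")
    for b in cert_blocks:
        if b["label"] in CERT_LABELS and not b["valid_der"]:
            problems.append("CERTIFICATE block does not decode to base64 DER")
        if b["label"] in KEY_LABELS | ENCRYPTED_KEY_LABELS:
            problems.append("private key found in the certificate field; upload it in the key field instead")
    if kind == "server":
        key = next((b for b in pem_blocks(key_pem or "")
                    if b["label"] in KEY_LABELS | ENCRYPTED_KEY_LABELS), None)
        if key is None:
            problems.append("server certificate upload requires a PEM private key")
        elif key["encrypted"]:
            # Assumption of this example: the key must be uploaded unencrypted.
            problems.append("private key is passphrase-protected; decrypt it before upload")
        elif not key["valid_der"]:
            problems.append("private key block does not decode to base64 DER")
    elif kind == "ca" and key_pem:
        problems.append("CA certificate upload takes only the certificate content, no private key")
    return problems


def _fake_pem(label: str, der: bytes, headers: str = "") -> str:
    """Build a constructed placeholder PEM block for the demo; not a real certificate or key."""
    b64 = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"


SAMPLE_DER = b"\x30\x03\x02\x01\x01"  # minimal DER SEQUENCE standing in for real content
SAMPLE_CERT = _fake_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_KEY = _fake_pem("PRIVATE KEY", SAMPLE_DER)
SAMPLE_ENCRYPTED_KEY = _fake_pem(
    "RSA PRIVATE KEY", SAMPLE_DER, "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
)
SAMPLE_CERT_WITH_DH = SAMPLE_CERT + _fake_pem("DH PARAMETERS", SAMPLE_DER)

if __name__ == "__main__":
    print("server ok:     ", check_upload(SAMPLE_CERT, SAMPLE_KEY))
    print("dh params:     ", check_upload(SAMPLE_CERT_WITH_DH, SAMPLE_KEY))
    print("encrypted key: ", check_upload(SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY))
    print("ca with key:   ", check_upload(SAMPLE_CERT, SAMPLE_KEY, kind="ca"))
```

For the conversion the keytool and PFX questions refer to, `openssl pkcs12 -in cert.pfx -nokeys -out cert.pem` and `openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem` extract the certificate and an unencrypted key from a PKCS#12 file, and `keytool -importkeystore -srckeystore app.jks -destkeystore app.p12 -deststoretype PKCS12` first turns a keytool keystore into PKCS#12; run the check on the resulting files before uploading.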

Do HTTPS listeners support SNI?

Yes. Server Name Indication (SNI) is a TLS extension in which the client names the host it wants in its ClientHello, so a single listener can serve multiple domain names and present a different certificate for each. HTTPS listeners support SNI. For more information, see Add an additional certificate.

Which version of HTTP is used by HTTP and HTTPS listeners to access the backend servers?

  • If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
  • If client requests do not use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.

Can backend servers obtain the protocol version used by the client to access the HTTP or HTTPS listener?

Yes.

What are the timeout values specified for HTTP and HTTPS listeners?

  • A maximum of 100 requests can be sent over one HTTP persistent connection. CLB closes the connection when the limit is reached.
  • The idle timeout between two HTTP or HTTPS requests on a persistent connection can be set to a value from 1 to 60 seconds, and the effective value may differ from the configured one by 1 or 2 seconds. CLB closes the TCP connection when the idle time exceeds the timeout. To keep a persistent connection open, send a request (for example a heartbeat) at least every 13 seconds.
  • The timeout period for the TCP three-way handshake between CLB and a backend ECS instance is 5 seconds. After the handshake times out, CLB selects the next ECS instance. You can find the timeout record by checking the upstream response time in the access logs.
  • The time that CLB waits for the response from an ECS instance can be set to a value ranging from 1 to 180 seconds. If the wait time exceeds the specified timeout period, an HTTP 504 or 408 status code is sent to the client. You can find the timeout record by checking the upstream response time in the access logs.
  • After 300 seconds, the HTTPS session reuse times out. Then, the client must perform the complete SSL handshake process again.