edit-icon download-icon

Layer-7 SLB

Last Updated: Mar 15, 2018

1. Why are some response header parameters deleted after the requests are forwarded by the Layer-7 Server Load Balancer (SLB)?

SLB modifies the values of the Date, Server, X-Pad, X-Accel-Redirect and other parameters in the response headers to achieve session persistence.


  • Add a prefix to the custom header, such as xl-server or xl-date.

  • Change the Layer-7 HTTP listener to a Layer-4 TCP listener.

2. Why an additional header Transfer-Encoding: chunked is added to the HTTP request?

After resolving a domain name to the IP address of a Layer-7 SLB instance, a Transfer-Encoding: chunked header is added in the HTTP request when accessing the domain name from a local host. However, this header is not displayed in the request when accessing the application directly from the local host.

The Layer-7 SLB is based on the Tengine reverse proxy. The Transfer-Encoding field indicates the form of encoding that the web server uses to transfer response body. For example, Transfer-Encoding: chunked indicates the chunked transfer encoding is used.

Note: This header is not added for the Layer-4 SLB, because the Layer-4 SLB only distributes traffic.

3. Why the style sheets are not loaded when accessing the application through an HTTPS listener?


An HTTP and HTTPS listeners are created respectively, and they use the same backend servers. When accessing the application over the HTTP listener with the specified port number, the website is displayed normally. However, the website layout is messy when accessing the web application through the HTTPS listener.


By default, SLB does not block loading and transferring JavaScript files. The following are possible reasons:

  • The certificate is not compatible with the security level of the browser.

  • The certificate is an unqualified third-party certificate. In this case, contact the certificate issuer to check the certificate.


  1. When you open the website, click the prompt in the browser's address bar to load the script.

  2. Add the required certificate to the browser.

4. Which port does HTTPS listeners use?

No special requirements, but the recommended port is 443.

5. What types of certificates does SLB support?

SLB supports uploading server certificates and CA certificates in the PEM format.

For the server certificates, you must upload both the certificate content and the private key. For the CA certificates, you only need to upload the certificate content.

6. Does SLB support using certificates created by keytool?


However, you must convert the certificate format to PEM before uploading the certificate to SLB. For more information, see Convert certificate format.

7. Can I use certificates in the PKCS#12(PFX) format?


However, you must convert the certificate format to PEM before uploading the certificate to SLB. For more information, see Convert certificate format.

8. How many certificates can I upload with one account?

A maximum of 100 certificates per account are allowed, including CA certificates and server certificates.

9. Why does the KeyEncryption error occur when uploading certificates?

Because the private key contains incorrect contents. For more information on private key format, see Certificate formats.

10. How many certificates can be added to an HTTPS listener?

If you are using HTTPS one-way authentication, only one server certificate is required.

If you are using HTTPS two-way authentication, two certificates, a server certificate and a CA certificate, are required.

11. Which SSL protocol versions are supported by SLB HTTPS listeners?

TLSv1, TLSv1.1, and TLSv1.2.

12. Why is the actual traffic generated by HTTPS listeners more than the billed traffic of HTTPS listeners?

HTTPS listeners consume some traffic for three-way handshake, so the actual traffic generated is more than the billed traffic.

13. What is the lifetime of an HTTPS session ticket?

The lifetime of an HTTPS session ticket is set to 300 seconds.

14. Can I upload a certificate containing DH PARAMETERS?


The ECDHE method used by HTTPS listeners supports forward secrecy, but does not support uploading the PEM files that contain the security enhancement parameters, such as BEGIN DH PARAMETERS.

15. Does the HTTPS listener support SNI?

SNI (Server Name Indication) is an SSL/TLS extension enabling a server to use multiple domain names and certificates. Now SLB HTTPS listeners do not support SNI.

If you want to use SNI, we recommend that you use TCP listeners and configure SNI on the backend servers.

16. Which HTTP version is used by HTTP/HTTPS listeners to access the backend servers?


17. Can the backend ECS instances obtain the protocol version used by the client to access the HTTP/HTTPS listener?


18. After SLB forwards a request to a backend server, if the client disconnects from SLB before it receives the response from the backend server, does SLB disconnect from the backend server at the same time?

No. SLB does not disconnect from the backend servers in the reading and writing process.

19. Do HTTP/HTTPS listeners support the WebSocket/SSL WebSocket protocol?

Yes, WebSocket/SSL WebSocket protocol is supported in all regions. For more information, see WS/WSS protocol FAQ.

20. What are timeout values specified for HTTP/HTTPS listeners?

  • A maximum of 100 requests can be sent continuously in an HTTP persistent connection. The connection is closed when the limit is reached.

  • The timeout between two HTTP/HTTPS requests in an HTTP persistent connection is 15 seconds. The TCP connection is closed when the timeout exceeds 15 seconds. If you want to use the HTTP persistent connection, try to send heartbeat requests within 13 seconds.

  • The timeout for the TCP three-way handshake between SLB and a backend ECS instance is 5 seconds. After the handshake times out, SLB selects the next ECS instance. You can find the timeout by checking the upstream response time in the access logs.

  • The time that SLB waits for the response from an ECS instance is 60 seconds. If the wait time exceeds 60 seconds, a 504 or 408 status code is sent to the client. You can find the timeout by checking the upstream response time in the access logs.

  • The HTTPS session reuse timeout is 300 seconds. If the session reuse times out, the same client must re-establish the complete SSL handshake process.

  • The HTTPS session reuse times out after 300 seconds. After the timeout, the client needs to perform the complete SSL handshake process again.

21. Does SLB support configuring domain and URL based forwarding rules?


For more information, see Configure domain and URL based forwarding rules.

22. How many forwarding rules can be configured for each listener?

You can add a maximum of 20 forwarding rules to each listener.

Thank you! We've received your feedback.