Server Load Balancer:FAQ about Layer 7 listeners

Last Updated: Jan 31, 2024

After requests are forwarded by Layer 7 listeners, why are some parameters removed from response headers returned from backend servers?

Issue: CLB modifies the values of the Date, Server, X-Pad, and X-Accel-Redirect parameters in the response headers to implement session persistence.

Solutions:

  • Add a prefix to the custom header, such as xl-server or xl-date.

  • Change Layer 7 HTTP listeners to Layer 4 TCP listeners.

Why is the additional header, Transfer-Encoding: chunked, added to an HTTP request?

Issue:

After a domain name is resolved to the service address of a Layer 7 CLB instance, the Transfer-Encoding: chunked field is added to the HTTP request header when I access the domain name from an on-premises host. However, this field is not present in the request when I access the backend servers directly from the same on-premises host.

Causes:

Layer 7 CLB instances implement load balancing based on the Tengine reverse proxy. The Transfer-Encoding field indicates how the web server encodes the response message body. For example, Transfer-Encoding: chunked indicates that chunked transfer encoding is used.

Note

This header is not added to the requests forwarded by Layer 4 listeners because Layer 4 listeners only distribute traffic.
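Because the request body now arrives chunked, the backend must decode the chunk framing itself. The following is an added example, not CLB or Tengine code: a strict decoder that rejects malformed framing rather than guessing where the body ends, so that proxy and backend never disagree about message boundaries. The sample body is constructed.

```python
import re

# Added example (not CLB or Tengine code): a strict decoder for the chunked request
# bodies a backend server receives once a Layer 7 listener forwards them with
# Transfer-Encoding: chunked. Rejects malformed framing instead of guessing.
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]{1,8}$")

def decode_chunked(body: bytes, max_size: int = 1 << 20) -> tuple[bytes, dict]:
    """Return (payload, trailer_headers); raise ValueError on any RFC 9112 violation."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("missing CRLF after chunk size")
        size_field = body[pos:eol].split(b";", 1)[0].rstrip()  # drop chunk extensions
        if not CHUNK_SIZE_RE.match(size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            break
        if len(out) + size > max_size:
            raise ValueError("chunked body exceeds limit")
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2
    trailers = {}  # optional trailer fields, ended by an empty line
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("missing final CRLF")
        line, pos = body[pos:eol], eol + 2
        if not line:
            break
        name, _, value = line.partition(b":")
        trailers[name.strip().decode().lower()] = value.strip().decode()
    if pos != len(body):
        raise ValueError("trailing bytes after last chunk")
    return bytes(out), trailers

def is_well_formed(body: bytes) -> bool:
    """True if the body decodes cleanly; use before trusting Content-Length-free input."""
    try:
        decode_chunked(body)
        return True
    except ValueError:
        return False

# Constructed sample: a 10-byte body sent as two chunks, one with an extension, plus a trailer.
SAMPLE = b"4\r\nWiki\r\n6;ext=1\r\npedia \r\n0\r\nX-Checksum: abc\r\n\r\n"
```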

Why do the style sheets fail to load when I open a website over an HTTPS listener?

Issue:

An HTTP listener and an HTTPS listener are created, and they use the same backend servers. When I access the website over the HTTP listener with the specified port number, the website is displayed. However, the website layout is distorted when I access the website over the HTTPS listener.

Causes:

By default, CLB does not block the loading or transfer of JavaScript files. This problem may be caused by the following reasons:

  • The certificate is not compatible with the security level of the web browser.

  • The certificate is an unqualified third-party certificate. In this case, contact the certificate issuer to check the qualification of the certificate.

Solutions:

  1. When you open the website, load scripts as prompted by the browser.

  2. Add the required certificate to the browser.

Which port do HTTPS listeners use?

HTTPS listeners have no special requirements for ports. However, we recommend that you specify port 443 for HTTPS listeners.

What types of certificates does CLB support?

CLB supports server certificates and CA certificates in PEM format.

For the server certificates, you must upload both the certificate content and the private key. For the CA certificates, you need to upload only the certificate content.

Does CLB support keytool-created certificates?

Yes, CLB supports keytool-created certificates.

You must convert the certificate format to PEM before you upload the certificates to CLB. For more information, see Convert certificate formats.

Can I use certificates in the PKCS#12 (PFX) format?

Yes, you can use certificates in the PKCS#12 (PFX) format.

You must convert the certificate format to PEM before you upload the certificates to CLB. For more information, see Convert certificate formats.

Why does the KeyEncryption error arise when I upload certificates?

The error arises because the private key contains incorrect content. For more information, see Certificate requirements.

What SSL protocol versions are supported by HTTPS listeners?

HTTPS listeners support the following SSL protocol versions: TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

What is the TTL of an HTTPS session ticket?

The TTL of an HTTPS session ticket is 300 seconds.

Can I upload a certificate that contains the DH PARAMETERS field?

The ECDHE cipher suites used by HTTPS listeners support forward secrecy but do not support the security enhancement parameters required by DHE cipher suites. As a result, a PEM certificate file that contains a BEGIN DH PARAMETERS block cannot be uploaded.
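A pre-upload check that applies the rules above (server certificate needs a private key, CA certificate needs only the certificate, no DH PARAMETERS block) and catches the stray characters in a key that typically produce the KeyEncryption error. This is an added example, not Alibaba Cloud code; the rejection of passphrase-protected keys is an assumption, and the PEM bundle is a constructed placeholder, not a real key or certificate.

```python
import re

# Added example, not Alibaba Cloud code: a pre-upload check for a PEM bundle that
# mirrors the page's rules so problems are caught before CLB rejects the upload
# (e.g. a KeyEncryption error or a file containing DH PARAMETERS).
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

def check_pem_bundle(pem_text: str, is_server_cert: bool) -> list[str]:
    """Return a list of problems (an empty list means the bundle looks uploadable)."""
    problems = []
    blocks = PEM_BLOCK_RE.findall(pem_text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found (is the file really PEM?)")
    if "DH PARAMETERS" in labels:
        problems.append("contains DH PARAMETERS; remove the block, CLB listeners use ECDHE")
    if "ENCRYPTED PRIVATE KEY" in labels:  # assumption: an unencrypted key is required
        problems.append("private key is passphrase-protected; upload an unencrypted key")
    key_blocks = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if is_server_cert and not key_blocks:
        problems.append("server certificate needs a private key block")
    if not is_server_cert and key_blocks:
        problems.append("CA certificate upload should contain only the certificate")
    for label, body in blocks:
        # Every body line must be base64; stray characters are a common KeyEncryption cause.
        bad = [ln for ln in body.splitlines() if ln.strip() and not B64_LINE_RE.match(ln.strip())]
        if bad:
            problems.append(f"{label} block has non-base64 line: {bad[0].strip()!r}")
    return problems

# Constructed sample (not a real key or certificate): a bundle with a leftover DH block.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIGHAoGBAPLACEHOLDER
-----END DH PARAMETERS-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqPLACEHOLDER
-----END PRIVATE KEY-----
"""
```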

Do HTTPS listeners support SNI?

Server Name Indication (SNI) is an extension to SSL and TLS and allows a server to install multiple SSL certificates on the same IP address. For more information, see Add and manage additional domain names.

Which version of HTTP is used by HTTP and HTTPS listeners when they access backend servers?

  • If requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute the requests to backend servers.

  • If requests use protocols other than HTTP/1.1 and HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute the requests to backend servers.

Can backend servers obtain the protocol version that a client uses to access the HTTP or HTTPS listener?

Yes, backend servers can obtain the protocol version that a client uses to access the HTTP or HTTPS listener.

What are the timeout values specified for HTTP and HTTPS listeners?

  • A maximum of 100 requests can be consecutively sent over an HTTP persistent connection. The connection is closed when the limit is reached.

  • The timeout period between two HTTP or HTTPS requests over an HTTP persistent connection can be set to a value from 1 to 60 seconds. The actual timeout period may deviate from the specified value by 1 or 2 seconds. The TCP connection is closed when the timeout period reaches the specified value. If your customers want to use HTTP persistent connections, configure the clients to send heartbeat requests every 13 seconds or less.

  • The timeout period for the TCP three-way handshake between CLB and a backend Elastic Compute Service (ECS) instance is 5 seconds. After the handshake times out, CLB selects the next ECS instance. You can find the timeout record by checking the upstream response time in the access logs.

  • The time that CLB waits for the response from an ECS instance can be set to a value that ranges from 1 to 180 seconds. If the wait time reaches the specified timeout period, an HTTP 504 or 408 status code is sent to the client. You can find the timeout record by checking the upstream response time in the access logs.

  • After 300 seconds, HTTPS session reuse times out. Then, the client must perform the complete SSL handshake process again.
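The two timeouts above that leave a trace in the access logs (the 5-second backend handshake timeout and the configurable response wait) can be picked out by scanning the upstream response time. The following is an added example, not CLB code; the log format is an assumption (Tengine/nginx-style key=value fields, with upstream_response_time and upstream_addr listing one comma-separated entry per backend tried), and the log lines are constructed.

```python
# Added example, not CLB code: classify access-log records by the timeout rules on
# this page. Assumed log format: key=value fields where upstream_response_time and
# upstream_addr carry one comma-separated entry per backend tried, so a retry after
# the 5 s handshake timeout shows up as a second entry.
HANDSHAKE_TIMEOUT_S = 5.0  # from the page: CLB waits 5 s for the backend handshake

def parse_record(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict (assumed format, see comment above)."""
    return dict(kv.split("=", 1) for kv in line.split())

def classify(line: str, response_timeout_s: float) -> str:
    """Return 'handshake_timeout', 'response_timeout', or 'ok' for one log line."""
    rec = parse_record(line)
    times = [float(t) for t in rec["upstream_response_time"].split(",") if t != "-"]
    status = int(rec["status"])
    # A retried backend whose first attempt consumed the whole handshake budget.
    if len(times) > 1 and times[0] >= HANDSHAKE_TIMEOUT_S:
        return "handshake_timeout"
    # The page: 504 or 408 is returned once the configured wait time is reached.
    if status in (504, 408) or (times and times[-1] >= response_timeout_s):
        return "response_timeout"
    return "ok"

def summarize(lines, response_timeout_s: float = 60.0) -> dict:
    """Count records per class; response_timeout_s is the listener's configured wait."""
    counts = {"ok": 0, "handshake_timeout": 0, "response_timeout": 0}
    for ln in lines:
        if ln.strip():
            counts[classify(ln, response_timeout_s)] += 1
    return counts

# Constructed sample lines (placeholder addresses, not real traffic).
SAMPLE_LOG = """
status=200 upstream_addr=10.0.0.11:80 upstream_response_time=0.021
status=200 upstream_addr=10.0.0.11:80,10.0.0.12:80 upstream_response_time=5.001,0.030
status=504 upstream_addr=10.0.0.12:80 upstream_response_time=60.002
status=408 upstream_addr=10.0.0.11:80 upstream_response_time=60.000
"""
```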