Alibaba Cloud

AAlliibbaabbaa CClloouudd Alibaba Cloud

SSerrvveer rL oLaoda Bda laBnaclearncer ListLeinsetresners

Document Version: 20210922

Document Version: 20210922 Server Load Balancer List eners·Legal disclaimer

Legal disclaimer

Alibaba Cloud reminds you t o carefully read and fully underst and t he t erms and condit ions of t his legal disclaimer before you read or use t his document . If you have read or used t his document , it shall be deemed as your t ot al accept ance of t his legal disclaimer.

1. You shall download and obt ain t his document from t he Alibaba Cloud websit e or ot her Alibaba Cloud- aut horized channels, and use t his document for your own legal business act ivit ies only. The cont ent of t his document is considered confident ial informat ion of Alibaba Cloud. You shall st rict ly abide by t he confident ialit y obligat ions. No part of t his document shall be disclosed or provided t o any t hird part y for use wit hout t he prior writ t en consent of Alibaba Cloud.

2. No part of t his document shall be excerpt ed, t ranslat ed, reproduced, t ransmit t ed, or disseminat ed by any organizat ion, company or individual in any form or by any means wit hout t he prior writ t en consent of Alibaba Cloud.

3. The cont ent of t his document may be changed because of product version upgrade, adjust ment , or ot her reasons. Alibaba Cloud reserves t he right t o modify t he cont ent of t his document wit hout not ice and an updat ed version of t his document will be released t hrough Alibaba Cloud-aut horized channels from t ime t o t ime. You should pay at t ent ion t o t he version changes of t his document as t hey occur and download and obt ain t he most up-t o-dat e version of t his document from Alibaba Cloud-aut horized channels.

4. This document serves only as a reference guide for your use of Alibaba Cloud product s and services. Alibaba Cloud provides t his document based on t he "st at us quo", "being defect ive", and "exist ing funct ions" of it s product s and services. Alibaba Cloud makes every effort t o provide relevant operat ional guidance based on exist ing t echnologies. However, Alibaba Cloud hereby makes a clear st at ement t hat it in no way guarant ees t he accuracy, int egrit y, applicabilit y, and reliabilit y of t he cont ent of t his document , eit her explicit ly or implicit ly. Alibaba Cloud shall not t ake legal responsibilit y for any errors or lost profit s incurred by any organizat ion, company, or individual arising from download, use, or t rust in t his document . Alibaba Cloud shall not , under any circumst ances, t ake responsibilit y for any indirect , consequent ial, punit ive, cont ingent , special, or punit ive damages, including lost profit s arising from t he use or t rust in t his document (even if Alibaba Cloud has been not ified of t he possibilit y of such a loss).

5. By law, all t he cont ent s in Alibaba Cloud document s, including but not limit ed t o pict ures, archit ect ure design, page layout , and t ext descript ion, are int ellect ual propert y of Alibaba Cloud and/or it s affiliat es. This int ellect ual propert y includes, but is not limit ed t o, t rademark right s, pat ent right s, copyright s, and t rade secret s. No part of t his document shall be used, modified, reproduced, publicly t ransmit t ed, changed, disseminat ed, dist ribut ed, or published wit hout t he prior writ t en consent of Alibaba Cloud and/or it s affiliat es. The names owned by Alibaba Cloud shall not be used, published, or reproduced for market ing, advert ising, promot ion, or ot her purposes wit hout t he prior writ t en consent of Alibaba Cloud. The names owned by Alibaba Cloud include, but are not limit ed t o, "Alibaba Cloud", "Aliyun", "HiChina", and ot her brands of Alibaba Cloud and/or it s affiliat es, which appear separat ely or in combinat ion, as well as t he auxiliary signs and pat t erns of t he preceding brands, or anyt hing similar t o t he company names, t rade names, t rademarks, product or service names, domain names, pat t erns, logos, marks, signs, or special descript ions t hat t hird part ies ident ify as Alibaba Cloud and/or it s affiliat es.

6. Please direct ly cont act Alibaba Cloud for any errors of t his document .

> Document Version: 20210922 I Server Load Balancer List eners·Document convent ions

Document conventions

St yle Descript ion Example

A danger notice indicates a situation that Danger: Danger will cause major system changes, faults, Resetting will result in the loss of user physical injuries, and other adverse configuration data. results.

Warning: A warning notice indicates a situation Warning that may cause major system changes, Restarting will cause business faults, physical injuries, and other adverse interruption. About 10 minutes are results. required to restart an instance.

A caution notice indicates warning Not ice: Not ice information, supplementary instructions, If the weight is set to 0, the server no and other content that the user must longer receives new requests. understand.

A note indicates supplemental Not e: Not e instructions, best practices, tips, and You can use Ctrl + A to select all files. other content.

Closing angle brackets are used to Click Set t ings > Net work> Set net work > indicate a multi-level menu cascade. t ype.

Bold formatting is used for buttons , Bold menus, page names, and other UI Click OK. elements.

Run the cd /d C:/window command to Courier font Courier font is used for commands enter the Windows system folder.

Italic formatting is used for parameters bae log list --instanceid Italic and variables. Instance_ID

This format is used for an optional value, [] or [a|b] ipconfig [-all|-t] where only one item can be selected.

This format is used for a required value, {} or {a|b} switch {active|stand} where only one item can be selected.

> Document Version: 20210922 I Server Load Balancer List eners·Table of Cont ent s

Table of Contents

1.Listener overview 05

2.Add a TCP listener 06

3.Add a UDP listener 12

4.Add an HTTP listener 18

5.Add an HTTPS listener 23

6.Domain name extensions 29

6.1. Manage a domain name extension 29

6.2. Add an additional certiﬁcate 32

6.3. Edit an additional certiﬁcate 34

6.4. Delete an additional certiﬁcate 34

7.Manage TLS security policies 36

8.Redirect HTTP requests to HTTPS 41

9.FAQ 42

9.1. FAQ about CLB 42

9.2. FAQ about Layer 7 listeners that use HTTPS or HTTP 45

> Document Version: 20210922 I Server Load Balancer List eners·List ener overview

1.Listener overview This topic provides an overview of listeners. After you create a Classic Load Balancer (CLB) instance, you must configure one or more listeners for it. A listener checks for connection requests and then distributes the requests to backend servers based on the forwarding rules that are defined by a specified scheduling algorithm.

CLB provides Layer 4 (TCP or UDP) and Layer 7 (HTTP or HTTPS) listeners. The following table lists the features and use cases of these listeners.

Protocol Description Scenario

A connection-oriented protocol. A Applicable to scenarios that require reliable connection must be high reliability and data accuracy but established before data can be sent can tolerate low speeds, such as file and received. transmission, sending or receiving emails, and remote logons. TCP Session persistence is based on source IP addresses. Web applications that do not have Source IP addresses are visible at the custom requirements. network layer. For more information, see Add a TCP Data is transmitted at a fast rate. listener.

A connectionless protocol. UDP transmits data packets directly Applicable to scenarios where real-time instead of making a three-way transmission is more important than handshake with the other party before reliability, such as video chats and real- UDP UDP sends data. UDP does not provide time financial market pushes. error recovery or data re-transmission. For more information, see Add a UDP Fast data transmission but relatively listener. low reliability.

An application-layer protocol that is Applicable to scenarios that require data used to package data. content identification, such as web HTTP Cookie-based session persistence. applications and small mobile games. Use the X-Forward-For header to For more information, see Add an HTTP obtain the real IP addresses of clients. listener.

Encrypted data transmission that Applicable to scenarios that require prevents unauthorized access. encrypted transmission.

HTTPS Centralized certificate management For more information, see Add an HTTPS service. You can upload certificates to listener. CLB. The decryption operations are completed directly on CLB.

> Document Version: 20210922 5 List eners·Add a TCP list ener Server Load Balancer

2.Add a TCP listener This topic describes how to add a Transmission Control Protocol (TCP) listener to a Classic Load Balancer (CLB) instance. TCP provides reliable and accurate data delivery at relatively low connection speeds. Therefore, TCP applies to file transmission, email sending or receiving, and remote logons. You can add a TCP listener to forward TCP requests.

Prerequisites

A CLB instance is created. For more information, see Create a CLB instance.

Step 1: Configure a TCP listener

To configure a TCP listener, perform the following operations: 1. Log on to the CLB console. 2. Select the region where the CLB instance is deployed. 3. Use one of the following methods to open the listener configuration wizard: On the Inst ances page, find the CLB instance that you want to manage and click Conf igure List ener in the Act ions column. On the Inst ances page, click the ID of the CLB instance. On the List eners tab, click Creat e List ener. 4. Set the following parameters and click Next .

Parameter Description

Select a protocol for the listener. Select List ener Prot ocol In this example, T CP is selected.

6 > Document Version: 20210922 Server Load Balancer List eners·Add a TCP list ener

Parameter Description

Enter the port on which the CLB instance listens. The CLB instance uses the port to receive requests and forward the requests to backend servers.

Valid values: 1 to 65535.

Not e You can apply for t he permissions t o specif y t he same port f or T CP and UDP list eners in t he same CLB inst ance on the Quota Management page. This feature is in public preview and is supported in the following regions. In other scenarios, the listening ports must be unique. UAE (Dubai) Australia (Sydney) UK (London) Germany (Frankfurt) US (Silicon Valley) US (Virginia) Indonesia (Jakarta) Japan (Tokyo) India (Mumbai) Singapore (Singapore)

List ening Port Malaysia (Kuala Lumpur) China (Hong Kong) China (Shenzhen) China (Hohhot) China (Qingdao) China (Chengdu) China (Zhangjiakou) China (Shanghai) China (Beijing) China (Hangzhou)

List ener Name Enter a name for the listener.

> Document Version: 20210922 7 List eners·Add a TCP list ener Server Load Balancer

Parameter Description

Advanced Click Modif y to configure advanced settings.

Select a scheduling algorithm. Weight ed Round-Robin (WRR): Backend servers that have a higher weight receive more requests than those that have a lower weight. Round-Robin (RR): Requests are distributed to backend servers in sequence. Consist ent Hash (CH):

Source IP: specifies consistent hashing that is based on source IP Scheduling addresses. Requests from the same source IP address are distributed to the same backend server. Algorit hm T uple: specifies consistent hashing that is based on four factors: source IP address, destination IP address, source port number, and destination port number. Requests that contain the same information based on the four factors are distributed to the same backend server.

Not e Only high-performance CLB instances support the CH algorithm.

Specify whether to enable session persistence.

After session persistence is enabled, the listener forwards all requests from Enable Session the same client to a specific backend server. Persist ence For TCP listeners, session persistence is implemented based on IP addresses. Requests from the same IP address are forwarded to the same backend server.

8 > Document Version: 20210922 Server Load Balancer List eners·Add a TCP list ener

Parameter Description

Specify whether to enable access control.

After you enable access control, select an access control method and select an access control list (ACL) that is used as the whitelist or blacklist of the listener.

Whit elist : Only request s f rom t he IP addresses or CIDR blocks in t he ACL are f orwarded. Whitelists apply to scenarios in which you are required to allow only specific IP addresses to access an application.

Your business may be adversely affected if the whitelist is not set properly. The whitelist allows only network traffic from the IP addresses in the specified ACL to access the CLB listener. If you enable a whitelist but Enable Access the whitelist does not contain an IP address, the CLB listener does not Cont rol forward requests.

Blacklist : All request s f rom t he IP addresses or CIDR blocks in t he ACL are reject ed. Blacklists apply to scenarios in which you are required to block access from specific IP addresses to an application.

If you enable a blacklist but the blacklist does not contain an IP address, the CLB listener forwards all requests.

Not e IPv6 instances can be associated with only IPv6 ACLs. IPv4 instances can be associated with only IPv4 ACLs. For more information, see Create an access control list.

Specify whether to set a bandwidth limit for the listener.

If a CLB instance is billed based on bandwidth usage, you can set different bandwidth limit values for different listeners. This limits the amount of traffic that flows through each listener. The sum of the bandwidth limit Enable Peak values of all listeners that are added to a CLB instance cannot exceed the Bandwidt h Limit bandwidth of this CLB instance. By default, this feature is disabled and all listeners share the bandwidth of the CLB instance.

Not e If a CLB instance is billed based on the amount of data transfer, the bandwidth of its listeners is not automatically limited.

Specify the timeout of idle TCP connections. Unit: seconds. Valid values: 10 Idle T imeout to 900.

Specify whether to use the proxy protocol to send client IP addresses or Proxy Prot ocol virtual private cloud (VPC) IDs to backend servers.

Obt ain Client Source Specify whether to retrieve the real IP address of the client. Only Layer 4 IP Address listeners support this feature. By default, this feature is enabled.

Aut omat ically Specify whether to immediately enable the listener after it is created. By Enable List ener default, this feature is enabled. Af t er Creat ion

> Document Version: 20210922 9 List eners·Add a TCP list ener Server Load Balancer

Step 2: Add backend servers

After you configure the listener, you must add backend servers to process client requests. You can use the default server group that is configured for the CLB instance. You can also create a vServer group or a primary/secondary server group, or enable the primary/secondary mode for the listener. For more information, see 后端服务器概述. 1. On the Backend Servers wizard page, select whether to enable the primary/secondary mode. A listener that has the primary/secondary mode enabled is associated with a primary server group and a secondary server group. Each server group contains one or more Elastic Compute Service (ECS) instances. A listener associated with a primary/secondary server group offers higher reliability than a listener associated with a primary server and a secondary server. Before you enable the primary/secondary mode for a listener, make sure the listener is associated with at least two vServer groups. For more information about how to create a vServer group, see Create a vServer group.

Parameter Description

Primary Server Select a vServer group as the primary server group. The server group is used Group to receive requests.

Select a vServer group as the secondary server group. When the number of Secondary Server unhealthy ECS instances in the primary server group reaches the failover Group threshold, user traffic is distributed to the secondary server group.

Select a primary/secondary failover policy. Primary Server Group First : The primary server group is prioritized to receive requests. When the number of unhealthy ECS instances drops below the failover threshold, the user traffic is distributed to the primary server group again.

Failover T hreshold: Set a threshold to trigger a primary/secondary failover. Failover Policy Manual Failover: If you select this policy, the primary server group and the secondary server group have the same weight. When the number of unhealthy ECS instances drops below the default threshold, the user traffic is still distributed to the secondary server group. If you want to distribute the user traffic to the primary server group, you must manually switch over the server group. The interval between two switchovers must be no less than 1 minute.

2. If the primary/secondary mode is disabled, select the type of backend server to which the listener forwards requests. In this example, Default Server Group is selected. Select Def ault Server Group and click Add More. 3. In the My Servers panel, select the ECS instances that you want to add as backend servers and click Next . 4. On the Conf igure Port s and Weight s wizard page, specify the weights of the backend servers that you want to add. A backend server that has a higher weight receives more requests than a backend server that has a lower weight.

10 > Document Version: 20210922 Server Load Balancer List eners·Add a TCP list ener

Not e If the weight of a backend server is set to 0, no request is distributed to the backend server.

5. Click Add. On the Default Server Group tab, specify the ports that you want to open on the backend servers to receive requests. The backend servers are the ECS instances that you selected. Valid values: 1 to 65535. You can specify the same port on different backend servers that are added to a CLB instance. 6. Click Next .

Step 3: Configure health checks

CLB performs health checks to check the availability of the ECS instances that serve as backend servers. The health check feature improves the overall availability of your workloads and avoids the exceptions that may occur on backend ECS instances. Click Modif y to modify the configurations of health checks. For more information, see Configure health checks.

Step 4: Submit the configurations

To submit the configurations, perform the following operations: 1. On the Conf irm wizard page, check the configurations. You can click Modif y to modify the configurations. 2. After you confirm the configurations, click Submit . 3. When Successf ul appears, click OK. After you configure the listener, you can view the listener on the Listener tab. Related information References

Add a default backend server Create a vServer group Overview CreateLoadBalancerTCPListener

> Document Version: 20210922 11 List eners·Add a UDP list ener Server Load Balancer

3.Add a UDP listener This topic describes how to add a User Datagram Protocol (UDP) listener to a Classic Load Balancer (CLB) instance. UDP applies to services that prioritize real-time content delivery over reliability, such as video conferencing and real-time quote services. You can add a UDP listener to forward UDP packets.

Prerequisites

A CLB instance is created. For more information, see Create a CLB instance.

Context

Before you configure a UDP listener, take note of the following items: You cannot specify ports 250, 4789, or 4790 for UDP listeners. They are system reserved ports. Fragmentation is not supported. You cannot view source IP addresses by using the UDP listeners of a CLB instance in the classic network. The following operations take effect 5 minutes after they are performed on a UDP listener: Remove backend servers. Set the weight of a backend server to 0 after it is detected unhealthy.

IPv6 packets have longer IP headers than IPv4 packets. When an IPv6 CLB instance uses a UDP listener, make sure that the following requirement is met: The maximum transmission unit (MTU) supported by the network interface controller (NIC) that each backend server uses to communicate with CLB does not exceed 1,200 bytes. Otherwise, oversized packets may be discarded. You must modify the MTU setting in the configuration files of some applications accordingly. TCP supports Maximum Segment Size (MSS) announcement. Therefore, when you use a TCP, HTTP, or HTTPS listener, you do not need to perform additional configurations.

Step 1: Configure a UDP listener

1. Log on to the CLB console. 2. In the top navigation bar, select the region where the CLB instance is deployed. 3. Use one of the following methods to open the listener configuration wizard: On the Inst ances page, find the CLB instance and click Conf igure List ener in the Act ions column. On the Inst ances page, find the CLB instance that you want to manage and click the ID of the instance. On the List eners tab, click Creat e List ener.

12 > Document Version: 20210922 Server Load Balancer List eners·Add a UDP list ener

4. Set the following parameters and click Next .

Parameter Description

Select the protocol of the listener. Select List ener Prot ocol In this example, UDP is selected.

Set the listening port that is used to receive requests and forward them to backend servers. Valid values: 1 to 65535. List ening Port You can set a TCP or UDP listener to listen on all ports within a specified port range.

List ener Name Enter a name for the listener.

Advanced Click Modif y to configure advanced settings.

Select a scheduling algorithm. Weight ed Round-Robin (WRR): Backend servers that have higher weights receive more requests than backend servers that have lower weights.

Round-Robin (RR): Requests are distributed to backend servers in sequence.

Consist ent Hash (CH): Source IP: specifies consistent hashing that is based on source IP addresses. Requests from the same source IP address are distributed to the same backend server.

T uple: specifies consistent hashing that is based on four factors: source IP address, destination IP address, source port, Scheduling Algorit hm and destination port. Requests that contain the same information based on the four factors are distributed to the same backend server.

QUIC ID: specifies consistent hashing that is based on Quick UDP Internet Connections (QUIC) IDs. Requests that contain the same QUIC ID are distributed to the same backend server.

Not ice QUIC is implemented based on draft-ietf- quic-transport-10 and is rapidly evolving. Therefore, compatibility is not guaranteed for all QUIC versions. We recommend that you perform tests before you apply the protocol to a production environment.

Specify whether to enable session persistence.

Enable Session Persist ence After session persistence is enabled, CLB forwards all requests from a client to the same backend server.

> Document Version: 20210922 13 List eners·Add a UDP list ener Server Load Balancer

Parameter Description

Specify whether to enable access control.

Select an access control method after you enable access control. Then, select an access control list (ACL) that is used as the whitelist or blacklist of the listener.

Whit elist : Only request s f rom t he IP addresses or CIDR blocks in t he specif ied ACL are f orwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access an application.

Your business may be adversely affected if the whitelist is not set properly. After you configure a whitelist for a listener, only requests from IP addresses that are added to the whitelist can be forwarded by the listener. If you enable a whitelist but the whitelist does not contain an IP address, the listener does not forward requests. Enable Access Cont rol Blacklist : Request s f rom t he IP addresses or CIDR blocks in t he specif ied ACL are not f orwarded. You can use the blacklist feature when you want to deny access from specified IP addresses.

After you configure a blacklist but the blacklist does not contain an IP address, the listener forwards all requests.

Not e IPv6 instances can be associated only with IPv6 ACLs, while IPv4 instances can be associated only with IPv4 ACLs. For more information, see Create an access control list.

After connection draining is enabled, connections to backend Enable Connect ion Draining servers can function as expected during the specified timeout period after the backend servers are removed or fail health checks.

Specify whether to set a bandwidth limit for the listener.

If a CLB instance is billed based on bandwidth usage, you can specify different bandwidth limit values for different listeners. This limits the amount of network traffic that flows through each listener. The sum of the bandwidth limit values of all listeners that Enable Peak Bandwidt h are added to a CLB instance cannot exceed the bandwidth limit of Limit this CLB instance. By default, this feature is disabled and all listeners share the bandwidth of the CLB instance.

Not e If a CLB instance is billed based on data transfer, the bandwidth of its listeners is not limited by default.

14 > Document Version: 20210922 Server Load Balancer List eners·Add a UDP list ener

Parameter Description

Use the proxy protocol to pass client IP addresses to backend Proxy Prot ocol servers.

Specify whether to retrieve the real IP address of the client. Only Layer 4 listeners support this feature. By default, this feature is enabled. Obt ain Client Source IP Address Not e You cannot view source IP addresses by using the UDP listeners of a CLB instance in the classic network.

Aut omat ically Enable Specify whether to immediately enable the listener after it is List ener Af t er Creat ion created. By default, this feature is enabled.

Step 2: Add backend servers

After you configure the listener, you must add backend servers to process client requests. You can use the default server group that is configured for the CLB instance. You can also configure a vServer group or a primary/secondary server group, or enable the primary/secondary mode for the listener. For more information, see 后端服务器概述. 1. On the Backend Servers wizard page, select whether to enable the primary/secondary mode. A listener that has the primary/secondary mode enabled is associated with a primary server group and a secondary server group. Each server group contains one or more Elastic Compute Service (ECS) instances. A listener associated with a primary/secondary server group offers higher reliability than a listener associated with a primary server and a secondary server. Before you enable the primary/secondary mode for a listener, make sure that two vServer groups are created. For more information about how to create a vServer group, see Create a vServer group.

Parameter Description

Primary Server Select a vServer group as the primary server group. The server group is used Group to receive requests.

> Document Version: 20210922 15 List eners·Add a UDP list ener Server Load Balancer

Parameter Description

Not e If the weight of a backend server is set to 0, no request is distributed to the backend server.

Step 3: Configure health checks

CLB performs health checks to check the availability of the ECS instances that serve as backend servers. The health check feature improves overall service availability and reduces the impact of backend server failures. On the Healt h Check wizard page, click Modif y to modify the health check configurations. For more information, see Configure health checks.

Step 4: Submit the configurations

16 > Document Version: 20210922 Server Load Balancer List eners·Add a UDP list ener

After you configure the listener, you can view the listener on the Listener tab. Related information References

Configure health checks Add a default backend server Create a vServer group Create a primary/secondary server group Overview CreateLoadBalancerUDPListener

> Document Version: 20210922 17 List eners·Add an HTTP list ener Server Load Balancer

4.Add an HTTP listener This topic describes how to add an HTTP listener to a Classic Load Balancer (CLB) instance. HTTP is applicable to applications that must identify data from different users, such as web applications and mobile games. You can add HTTP listeners to forward HTTP requests.

Prerequisites

A CLB instance is created. For more information, see Create a CLB instance.

Step 1: Configure an HTTP listener

1. Log on to the CLB console. 2. Select the region where the CLB instance is deployed. 3. Use one of the following methods to open the listener configuration wizard: On the Inst ances page, find the CLB instance that you want to manage and click Conf igure List ener in the Act ions column. On the Inst ances page, click the ID of the CLB instance that you want to manage. On the List ener tab, click Add List ener. 4. Set the following parameters to configure the listener.

Parameter Description

Select a protocol for the listener. Select List ener Prot ocol In this example, HT T P is selected.

Enter the port on which the CLB instance listens. The CLB instance List ening Port uses the port to receive requests and forward the requests to backend servers. Valid values: 1 to 65535.

List ener Name Enter a name for the listener.

Advanced Click Modif y to configure advanced settings.

Select a scheduling algorithm. Weight ed Round-Robin (WRR): Backend servers that have higher weights receive more requests than those that have lower Scheduling Algorit hm weights. Round-Robin (RR): Requests are evenly and sequentially distributed to backend servers.

Specify whether to redirect traffic from the HTTP listener to an HTTPS listener.

Redirect ion Not e Before you enable redirection, make sure that you have created an HTTPS listener.

18 > Document Version: 20210922 Server Load Balancer List eners·Add an HTTP list ener

Parameter Description

Specify whether to enable session persistence.

After session persistence is enabled, CLB forwards all requests from a client to the same backend server.

CLB maintains the persistence of HTTP sessions based on cookies. CLB allows you to use the following methods to process cookies:

Insert cookie: If you select this option, you need only to specify the timeout period of the cookie.

CLB inserts a cookie (SERVERID) into the first HTTP or HTTPS response that is sent to a client. The next request from the client Enable Session Persist ence contains the cookie. Then, the listener distributes the request to the recorded backend server.

Rewrit e cookie: If you select this option, you can specify the cookie that you want to insert into an HTTP or HTTPS response. You must specify the timeout period and lifecycle of the cookie on the backend server.

After you specify a cookie, CLB overwrites the original cookie with the specified cookie. The next time CLB receives a client request that carries the specified cookie, the listener distributes the request to the recorded backend server.

Specify whether to enable access control.

Select an access control method after you enable access control. Then, select an access control list (ACL) that is used as the whitelist or blacklist of the listener.

Whit elist : Only request s f rom t he IP addresses or CIDR blocks in t he specif ied ACL are f orwarded. Whitelists apply to scenarios that require you to allow only specific IP addresses to access an application.

Risks may arise if you specify a whitelist. After you configure a whitelist for a listener, only requests from IP addresses that are added to the whitelist can be forwarded by the listener. If you enable a whitelist but the whitelist does not contain an IP Enable Access Cont rol address, the CLB listener does not forward requests.

Blacklist : Request s f rom t he IP addresses or CIDR blocks in t he specif ied ACL are not f orwarded. You can use the blacklist feature when you want to deny access from specified IP addresses.

If you enable a blacklist but the blacklist does not contain an IP address, the CLB listener forwards all requests.

Not e IPv6 instances can be associated with only IPv6 ACLs, while IPv4 instances can be associated only with IPv4 ACLs. For more information, see Create an access control list.

> Document Version: 20210922 19 List eners·Add an HTTP list ener Server Load Balancer

Parameter Description

Specify whether to set a bandwidth limit for the listener. Unit: Mbit/s. Valid values: 0 to 5120.

If a CLB instance is billed based on bandwidth usage, you can set different bandwidth limit values for different listeners. This limits the amount of traffic that flows through each listener. The sum of the bandwidth limit values of all listeners that are added to a CLB Enable Peak Bandwidt h instance cannot exceed the bandwidth of this CLB instance. By Limit default, this feature is disabled and all listeners share the bandwidth of the CLB instance.

Not e If a CLB instance is billed based on the amount of data transfer, the bandwidth of its listeners is not automatically limited.

Specify the timeout period of idle connections. Unit: seconds. Valid values: 1 to 60.

Idle T imeout If no request is received within the specified timeout period, CLB closes the connection. CLB recreates the connection when a new connection request is received.

Specify the request timeout period. Unit: seconds. Valid values: 1 to 180. Request T imeout If no response is received from the backend server within the request timeout period, CLB returns an HTTP 504 error to the client.

Specify whether to enable Gzip compression for a specified file type.

Enable Gz ip Compression Gzip supports the following file types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.

You can add the following HTTP header fields:

Use the X-Forwarded-For header field to retrieve the real IP addresses of clients.

Use the SLB-ID header field to retrieve the ID of the CLB Add HT T P Header Fields instance. Use the SLB-IP header field to retrieve the public IP address of the CLB instance.

Use the X-Forwarded-Proto header field to retrieve the listener protocol used by the CLB instance.

Obt ain Client Source IP Specify whether to retrieve the real IP address of the client. By Address default, this feature is enabled.

20 > Document Version: 20210922 Server Load Balancer List eners·Add an HTTP list ener

Parameter Description

Aut omat ically Enable Specify whether to immediately enable the listener after it is List ener Af t er Creat ion created. By default, this feature is enabled.

5. Click Next .

Step 2: Add backend servers

After you configure the listener, you must add backend servers to process client requests. You can use the default server group that is configured for the CLB instance. You can also create a vServer group or a primary/secondary server group. For more information, see 后端服务器概述. The default server group is selected in this example. 1. On the Backend Servers wizard page, select Def ault Server Group. Then, click Add More. 2. In the My Servers panel, select the Elastic Compute Service (ECS) instances that you want to add as backend servers and click Next . 3. On the Conf igure Port s and Weight s wizard page, specify the weights of the backend servers that you want to add. A backend server with a higher weight receives more requests.

Not e If the weight of a backend server is set to 0, no request is distributed to the backend server.

4. Click Add. On the Default Server Group tab, specify the ports that you want to open on the backend servers (ECS instances) to receive requests. Valid values: 1 to 65535. You can specify the same port on different backend servers that are added to a CLB instance. 5. Click Next .

Step 3: Configure health checks

Step 4: Submit the configurations

1. On the Conf irm wizard page, check the configurations. You can click Modif y to modify the configurations. 2. After you confirm the configurations, click Submit . 3. When Successful appears, click OK. After you configure the listener, you can view the listener on the Listener tab. Related information References

Add a default backend server Configure health checks

> Document Version: 20210922 21 List eners·Add an HTTP list ener Server Load Balancer

Create a vServer group Create a primary/secondary server group Overview Forward requests based on domain names or URLs Manage a domain name extension CreateLoadBalancerHTTPListener

22 > Document Version: 20210922 Server Load Balancer List eners·Add an HTTPS list ener

5.Add an HTTPS listener This topic describes how to add an HTTPS listener to a Classic Load Balancer (CLB) instance. HTTPS is intended for applications that require encrypted data transmission. You can add an HTTPS listener to forward HTTPS requests.

Prerequisites

A CLB instance is created. For more information, see Create a CLB instance.

Step 1: Configure a UDP listener

Parameter Description

Select the protocol type of the listener. Select List ener Prot ocol In this example, HT T PS is selected.

Set the listening port that is used to receive requests and forward them to List ening Port backend servers. Valid values: 1 to 65535.

List ener Name Enter a name for the listener.

Advanced Click Modif y to configure advanced settings.

Select a scheduling algorithm. Weight ed Round-Robin (WRR): Backend servers that have higher Scheduling weights receive more requests than backend servers that have lower Algorit hm weights. Round-Robin (RR): Requests are distributed to backend servers in sequence.

> Document Version: 20210922 23 List eners·Add an HTTPS list ener Server Load Balancer

Parameter Description

Specify whether to enable session persistence.

After session persistence is enabled, CLB forwards all requests from the same client to the same backend server.

HTTP session persistence is implemented through cookies. CLB allows you to use the following methods to process cookies:

Insert cookie: If you select this option, you only need to specify the timeout period of the cookie.

Enable Session CLB inserts a cookie (SERVERID) into the first HTTP or HTTPS response that Persist ence is sent to a client. The next request from the client will contain this cookie, and the listener will forward this request to the recorded backend server.

Rewrit e cookie: If you select this option, you can specify the cookie that you want to insert into an HTTP or HTTPS response. You must specify the timeout period and the lifetime of a cookie on a backend server.

Select whether to enable HTTP/2 for the frontend protocol of the CLB Enable HT T P/2 instance.

Specify whether to enable access control.

Select an access control method after you enable access control. Then, select an access control list (ACL) that is used as the whitelist or blacklist of the listener.

Your business may be adversely affected if the whitelist is not set properly. After a whitelist is configured, only IP addresses in the whitelist Enable Access can access the CLB listener. If you enable a whitelist but the whitelist does Cont rol not contain an IP address, the listener forwards all requests.

Blacklist : Requests from the IP addresses or CIDR blocks in the specified ACL are blocked. You can choose this option if you want to block requests from specified IP addresses.

If you enable a blacklist but the blacklist does not contain an IP address, the CLB listener forwards all requests.

Not e IPv6 instances can be associated with only IPv6 ACLs, while IPv4 instances can be associated only with IPv4 ACLs. For more information, see Create an access control list.

24 > Document Version: 20210922 Server Load Balancer List eners·Add an HTTPS list ener

Parameter Description

Specify whether to set a maximum bandwidth value for the listener.

If a CLB instance is billed based on bandwidth usage, you can set different maximum bandwidth values for different listeners. This limits the amount of traffic that flows through each listener. The sum of the maximum bandwidth Enable Peak values of all listeners that are added to a CLB instance cannot exceed the Bandwidt h Limit maximum bandwidth value of the CLB instance. By default, this feature is disabled and all listeners share the bandwidth of the CLB instance.

Not e If a CLB instance is billed based on data transfer, the bandwidth of its listeners is not limited by default.

Specify the timeout period of idle connections. Unit: seconds. Valid values: 1 to 60.

Idle T imeout If no request is received within the specified timeout period, CLB closes the current connection. CLB creates a new connection when a new connection request is received.

Specify the request timeout period. Unit: seconds. Valid values: 1 to 180.

Request T imeout If no response is received from the backend server within the request timeout period, CLB returns an HTTP 504 error to the client.

Specify whether to enable Gzip compression to compress specific types of files. Enable Gz ip Gzip supports the following file types: text/xml, text/plain, text/css, Compression application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, and application/xml.

Add HT T P Header Select the custom HTTP header field that you want to add. Fields

Obt ain Client Source Specify whether to retrieve the real IP addresses of clients. By default, this IP Address feature is enabled.

Aut omat ically Specify whether to immediately enable the listener after it is created. By Enable List ener default, this feature is enabled. Af t er Creat ion

Step 2: Configure an SSL certificate

When you add an HTTPS listener, you must upload a server certificate or certification authority (CA) certificate and select a TLS security policy, as shown in the following table.

> Document Version: 20210922 25 List eners·Add an HTTPS list ener Server Load Balancer

Required for one-way Required for mutual Certificate Description authentication authentication

The certificate that is used to identify Yes Yes the server. Server You must upload the You must upload the Your browser uses the server cert if ica server certificate to the server certificate to the certificate to check whether the t e certificate management certificate management certificate sent by the server is signed system of CLB. system of CLB. and issued by a trusted CA.

The certificate that is used to identify the client. Yes Client The server identifies the client by You must install the cert if ica No checking the certificate sent by the client certificate on the t e client. You can sign a client certificate client. with a self-signed CA certificate.

Yes The server uses a CA certificate to CA You must upload the CA verify the signature on the client cert if ica No certificate to the certificate. If the signature is invalid, t e certificate management the connection request is denied. system of CLB.

TLS security policies are supported only by high-performance CLB instances. T LS A TLS security policy contains TLS securit y Yes Yes protocol versions and cipher suites policy that are available for HTTPS. For more information, see Manage TLS security policies.

Before you upload a certificate, take note of the following rules: CLB supports the following public key algorithms: RSA 1024, RSA 2048, RSA 4096, ECDSA P-256, ECDSA P-384, and ECDSA P-521. The certificate that you want to upload must be in the PEM format. After you upload a certificate to CLB, CLB can manage the certificate. You do not need to bind the certificate to backend servers. It may take a few minutes to upload, load, and verify the certificate. Therefore, an HTTPS listener is not enabled immediately after it is created. It takes about 1 to 3 minutes to enable an HTTPS listener. The ECDHE cipher suite used by HTTPS listeners supports forward secrecy. It does not support the security enhancement parameters that are required by the DHE cipher suite. Therefore, you cannot upload certificates (PEM files) that contain the BEGIN DH PARAMETERS field. For more information, see Certificate requirements. HTTPS listeners do not support Server Name Indication (SNI). You can choose TCP listeners and configure SNI on backend servers. By default, the timeout period of session tickets for HTTPS listeners is 300 seconds.

26 > Document Version: 20210922 Server Load Balancer List eners·Add an HTTPS list ener

The actual amount of data transfer on an HTTPS listener is larger than the billed amount because a portion of data is used for handshaking. If a large number of connections are established, a large amount of data is used for handshaking. 1. On the SSL Cert if icat es wizard page, select the server certificate that you uploaded. You can also click Creat e Server Cert if icat e to upload a server certificate. 2. To enable mutual authentication or configure a TLS security policy, click Modif y next to Advanced. 3. Enable mutual authentication, and select an uploaded CA certificate. You can also create a CA certificate.

4. For more information about TLS security policies, see Manage TLS security policies.

Step 3: Add backend servers

After configuring the listener, you must add backend servers to process client requests. You can use the default server group that is configured for the CLB instance. You can also create a vServer group or a primary/secondary server group. For more information, see 后端服务器概述. The default server group is selected in this example. 1. On the Backend Servers wizard page, select Def ault Server Group. Then, click Add More. 2. In the My Servers panel, select the Elastic Compute Service (ECS) instances that you want to add as backend servers and click Next . 3. On the Conf igure Port s and Weight s wizard page, specify the weights of the backend servers that you want to add. A backend server that has a higher weight receives more requests than a backend server that has a lower weight.

Not e If the weight of a backend server is set to 0, the backend server no longer accepts requests.

4. Click Add. On the Default Server Group tab, specify the ports that you want to open on the backend servers to receive requests. Valid values: 1 to 65535. Click Next . You can specify the same port on different backend servers that are added to a CLB instance.

Step 4: Configure health checks

Step 5: Submit the configurations

> Document Version: 20210922 27 List eners·Add an HTTPS list ener Server Load Balancer

Add a default backend server Create a vServer group Create a primary/secondary server group Overview Forward requests based on domain names or URLs Add an additional certificate CreateLoadBalancerHTTPSListener

28 > Document Version: 20210922 Server Load Balancer List eners·Domain name ext ensions

6.Domain name extensions 6.1. Manage a domain name extension

HTTPS listeners of guaranteed-performance Server Load Balancer (SLB) instances support configuring multiple certificates, allowing you to forward requests with different domain names to different backend servers.

Introduction to SNI

Server Name Indication (SNI) is an extension to the SSL/TLS protocol, allowing a server to install multiple SSL certificates on the same IP address. When a client accesses SLB, the certificate configured for the domain name is used by default. If no certificate is configured for the domain name, the certificate configured for the HTTPS listener is used.

Not e Only guaranteed-performance SLB instances support SNI.

If you want to resolve multiple domain names to the IP address of an SLB instance, distribute requests from different domains to different backend servers, and at the same time use HTTPS encrypted access, you can use the domain name extension function.

The domain name extension function is available in all regions.

Add a domain name extension

1. Log on to the SLB console. 2. Select the region of the target SLB instance. 3. Find the target SLB instance and click the instance ID. 4. Click the List eners tab. 5. On the List eners tab page, find the target HTTPS listener, and choose More > Addit ional Domains in the Act ions column.

6. Click Add Addit ional Domain and configure the domain name:

> Document Version: 20210922 29 List eners·Domain name ext ensions Server Load Balancer

i. Enter a domain name. The domain name can only contain letters, numbers, hyphens (-), and periods (.), and must start with a letter or a number. To check if the domain name you enter is valid, you can use the Alibaba Cloud domain name check tool.

Domain name-based forwarding rules support exact match and wildcard match. Exact domain name: www.aliyun.com Wildcard domain name (generic domain name): *.aliyun.com, *.market.aliyun.com

When a request matches multiple forwarding rules, exact match takes precedence over small-scale wildcard match and small-scale wildcard match takes precedence over large- scale wildcard match, as shown in the following table.

Request URL

Type Request URL www.aliyu *.aliyun.co *.market.a n.com m liyun.com

Exact match www.aliyun.com ✓ × ×

Wildcard match market.aliyun.com × ✓ ×

Wildcard match info.market.aliyun.com × × ✓

ii. Select the certificate associated with the domain name.

Not e The domain name in the certificate must be the same as the added domain name extension.

iii. Click OK. 7. On the List eners page, find the target HTTPS listener and click Add Forwarding Rules in the Act ions column. 8. On the Add Forwarding Rules page, configure the forwarding rule and click Add Forwarding Rules. 9. For more information, see Forward requests based on domain names or URLs.

Not e Make sure that the domain name configured in the forwarding rule is the same as the added domain name extension.

Edit a domain name extension

You can replace the certificate used by an added domain name extension. To edit a domain name extension, follow these steps:

1. Log on to the SLB console. 2. Select the region of the target SLB instance. 3. Find the target SLB instance and click the instance ID. 4. Click the List eners tab. 5. On the List eners page, find the created HTTPS listener, and then choose More > Addit ional Domains in the Act ions column.

30 > Document Version: 20210922 Server Load Balancer List eners·Domain name ext ensions

6. Find the target domain name extension and then click Edit . 7. In the Edit Addit ional Domain dialog box, select a new certificate and then click OK.

Delete a domain name extension

To delete a domain name extension, follow these steps: 1. Log on to the SLB console. 2. Select the region of the target SLB instance. 3. Find the target SLB instance and click the instance ID. 4. Click the List eners tab. 5. On the List eners page, find the created HTTPS listener, and then choose More > Addit ional Domains in the Act ions column. 6. Find the target domain name extension and click Delet e.

> Document Version: 20210922 31 List eners·Domain name ext ensions Server Load Balancer

7. In the displayed dialog box, click OK. 6.2. Add an additional certificate

This topic describes how to add an additional certificate to a listener of an SLB instance.

Procedure

1. Log on to the CLB console. 2. In the left-side navigation pane, choose Inst ances > Inst ances. 3. On the Inst ances page, find the SLB instance to which you want to add an additional certificate and click its instance ID. 4. On the page that appears, click the List ener tab. On the Listener tab, find the HTTPS listener you create, and choose > Manage Addit ional Cert if icat e in the Actions column.

5. In the Manage Addit ional Cert if icat e panel, click Add Addit ional Cert if icat e.

32 > Document Version: 20210922 Server Load Balancer List eners·Domain name ext ensions

i. Enter a domain name. A domain can contain only letters, digits, hyphens (-), and periods (.), and must start with a letter or a digit.

Domain name-based forwarding rules include exact matching and wildcard matching. Exact domain name: www.aliyun.com Wildcard domain name: *.aliyun.com and *.market.aliyun.com

When a request matches multiple forwarding rules, exact matching prevails over exact wildcard matching, and exact wildcard matching prevails over less exact wildcard matching. The following table describes the priority of domain name-based forwarding rules.

Domain name-based forwarding rule

Mode Request URL www.aliyu *.aliyun.co *.market.a n.com m liyun.com

Exact matching www.aliyun.com ✓ × ×

Exact wildcard matching market.aliyun.com × ✓ ×

Less exact wildcard info.market.aliyun.com × × ✓ matching

ii. Select the certificate associated with the domain name.

Not e The domain name in the certificate must be the same as the added additional certificate. If you configure a wildcard certificate, only the first wildcard certificate can be automatically matched.

iii. Click OK. An additional certificate takes effect only when it is configured with a forwarding rule and the domain name specified in the rule is the same as that in the additional certificate. 6. (Optional)Perform the following steps, configure forwarding rules. i. Click Conf igure Rule in the Inf ormat ion dialog box, or go to the List ener tab of the instance. ii. Find the HTTPS listener, and click Add Forwarding Rules in the corresponding Actions column. iii. In the Add Forwarding Rules panel, click Add Forwarding Rules. iv. Configure forwarding rules. For more information, see Forward requests based on domain names or URLs.

Not e Make sure that the domain name configured in the forwarding rule is the same as the added additional certificate.

Related information

> Document Version: 20210922 33 List eners·Domain name ext ensions Server Load Balancer

CreateDomainExtension 6.3. Edit an additional certificate

This topic describes how to replace an existing additional certificate.

Procedure

1. Log on to the CLB console. 2. In the left-side navigation pane, choose Inst ances > Inst ances. 3. On the Inst ances page, find an SLB instance and click its instance ID. 4. On the page that appears, click the List ener tab. Find an HTTPS listener and choose > Manage

Addit ional Cert if icat e in the Actions column. 5. Find an additional certificate, and then click Edit in the Actions column.

6. In the Modif y Addit ional Cert if icat e dialog box, select a new certificate and then click OK. 6.4. Delete an additional certificate

You can delete additional certificates that are no longer needed.

Procedure

1. Log on to the CLB console. 2. In the left-side navigation pane, choose Inst ances > Inst ances. 3. On the Inst ances page, find the SLB instance from which you want to delete an additional certificate and click its instance ID.

34 > Document Version: 20210922 Server Load Balancer List eners·Domain name ext ensions

4. On the List ener tab, find the HTTPS listener, and then choose > Manage Addit ional

Cert if icat e in the Actions column. 5. In the Manage Addit ional Cert if icat e panel, click Delet e in the Actions column corresponding to an additional certificate.

6. In the dialog box that appears, click OK.

> Document Version: 20210922 35 List eners·Manage TLS securit y polici Server Load Balancer es 7.Manage TLS security policies When you create or configure an HTTPS listener for a guaranteed-performance server load balancer (SLB) instance, you can select from a variety of TLS security policies.

When you create or configure an HTTPS listener, you can modify the advanced settings in the SSL Cert if icat es step and select a TLS security policy. For more information, see Add an HTTPS listener.

A TLS security policy contains available TLS protocols and supported cipher suites.

TLS security policies

Supported Security policy Feature Supported cipher suite TLS version

ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE- ECDSA-AES256-SHA384, ECDHE-RSA- AES128-GCM-SHA256, ECDHE-RSA- Provides AES256-GCM-SHA384, ECDHE-RSA- optimal TLSv1.0, AES128-SHA256, ECDHE-RSA-AES256- tls_cipher_policy_1_0 compatibility TLSv1.1, and SHA384, AES128-GCM-SHA256, AES256- and basic TLSv1.2 GCM-SHA384, AES128-SHA256, AES256- security SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA- AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES- CBC3-SHA

ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE- ECDSA-AES256-SHA384, ECDHE-RSA- AES128-GCM-SHA256, ECDHE-RSA- Provides high AES256-GCM-SHA384, ECDHE-RSA- compatibility TLSv1.1 and AES128-SHA256, ECDHE-RSA-AES256- tls_cipher_policy_1_1 and standard TLSv1.2 SHA384, AES128-GCM-SHA256, AES256- security GCM-SHA384, AES128-SHA256, AES256- SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA- AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES- CBC3-SHA

36 > Document Version: 20210922 List eners·Manage TLS securit y polici Server Load Balancer es

Supported Security policy Feature Supported cipher suite TLS version

ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE- ECDSA-AES256-SHA384, ECDHE-RSA- AES128-GCM-SHA256, ECDHE-RSA- Provides high AES256-GCM-SHA384, ECDHE-RSA- compatibility AES128-SHA256, ECDHE-RSA-AES256- tls_cipher_policy_1_2 and TLSv1.2 SHA384, AES128-GCM-SHA256, AES256- advanced GCM-SHA384, AES128-SHA256,AES256- security SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA- AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES- CBC3-SHA

ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, Supports ECDHE-ECDSA-AES128-SHA256, ECDHE- only perfect ECDSA-AES256-SHA384, ECDHE-RSA- forward AES128-GCM-SHA256, ECDHE-RSA- secrecy (PFS) tls_cipher_policy_1_2_strict TLSv1.2 AES256-GCM-SHA384, ECDHE-RSA- cipher suites AES128-SHA256, ECDHE-RSA-AES256- and provides SHA384, ECDHE-ECDSA-AES128-SHA, premium ECDHE-ECDSA-AES256-SHA, ECDHE-RSA- security. AES128-SHA, and ECDHE-RSA-AES256- SHA

> Document Version: 20210922 37 List eners·Manage TLS securit y polici Server Load Balancer es

Supported Security policy Feature Supported cipher suite TLS version

tls_cipher_policy_1_2_strict_wi th_1_3

Not e TLSv1.3 is supported in the following regions: UK (London)

China (Qingdao) TLS_AES_128_GCM_SHA256, China (Hohhot) TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, China (Chengdu) TLS_AES_128_CCM_SHA256, Supports Singapore TLS_AES_128_CCM_8_SHA256, ECDHE- only perfect Japan (Tokyo) ECDSA-AES128-GCM-SHA256, ECDHE- forward ECDSA-AES256-GCM-SHA384, ECDHE- India (Mumbai) secrecy (PFS) TLSv1.2 and ECDSA-AES128-SHA256, ECDHE-ECDSA- Australia (Sydney) cipher suites TLSv1.3 AES256-SHA384, ECDHE-RSA-AES128- and provides Malaysia (Kuala GCM-SHA256, ECDHE-RSA-AES256-GCM- premium Lumpur) SHA384, ECDHE-RSA-AES128-SHA256, security. US (Silicon Valley) ECDHE-RSA-AES256-SHA384, ECDHE- ECDSA-AES128-SHA, ECDHE-ECDSA- US (Virginia) AES256-SHA, ECDHE-RSA-AES128-SHA, Germany and ECDHE-RSA-AES256-SHA (Frankfurt) UAE (Dubai)

Cipher suites supported by different TLS security policies

tls_cipher_p tls_cipher_p tls_cipher_p tls_cipher_p tls_cipher_p olicy_1_2_st Security policy olicy_1_2_st olicy_1_0 olicy_1_1 olicy_1_2 rict_with_1_ rict 3

TLS - 1.2/1.1/1.0 1.2/1.1 1.2 1.2 1.2 and 1.3

ECDHE-RSA-AES128- ✔ ✔ ✔ ✔ ✔ GCM-SHA256

ECDHE-RSA-AES256- ✔ ✔ ✔ ✔ ✔ GCM-SHA384

ECDHE-RSA-AES128- ✔ ✔ ✔ ✔ ✔ SHA256

38 > Document Version: 20210922 List eners·Manage TLS securit y polici Server Load Balancer es

tls_cipher_p tls_cipher_p tls_cipher_p tls_cipher_p tls_cipher_p olicy_1_2_st Security policy olicy_1_2_st olicy_1_0 olicy_1_1 olicy_1_2 rict_with_1_ rict 3

ECDHE-RSA-AES256- ✔ ✔ ✔ ✔ ✔ SHA384

AES128-GCM- ✔ ✔ ✔ - - SHA256

AES256-GCM- ✔ ✔ ✔ - - SHA384

AES128-SHA256 ✔ ✔ ✔ - -

AES256-SHA256 ✔ ✔ ✔ - -

ECDHE-RSA-AES128- ✔ ✔ ✔ ✔ ✔ SHA

ECDHE-RSA-AES256- ✔ ✔ ✔ ✔ ✔ SHA

AES128-SHA ✔ ✔ ✔ - -

AES256-SHA ✔ ✔ ✔ - -

DES-CBC3-SHA ✔ ✔ ✔ - - CIP TLS_AES_128_GCM_ HER - - - - ✔ SHA256

TLS_AES_256_GCM_ - - - - ✔ SHA384

TLS_CHACHA20_POL - - - - ✔ Y1305_SHA256

TLS_AES_128_CCM_S - - - - ✔ HA256

TLS_AES_128_CCM_8 - - - - ✔ _SHA256

ECDHE-ECDSA- AES128-GCM- - - - - ✔ SHA256

ECDHE-ECDSA- AES256-GCM- - - - - ✔ SHA384

> Document Version: 20210922 39 List eners·Manage TLS securit y polici Server Load Balancer es

tls_cipher_p tls_cipher_p tls_cipher_p tls_cipher_p tls_cipher_p olicy_1_2_st Security policy olicy_1_2_st olicy_1_0 olicy_1_1 olicy_1_2 rict_with_1_ rict 3

ECDHE-ECDSA- - - - - ✔ AES128-SHA256

ECDHE-ECDSA- - - - - ✔ AES256-SHA384

ECDHE-ECDSA- - - - - ✔ AES128-SHA

ECDHE-ECDSA- - - - - ✔ AES256-SHA

40 > Document Version: 20210922 List eners·Redirect HTTP request s t o Server Load Balancer HTTPS 8.Redirect HTTP requests to HTTPS This topic describes how to change configurations to redirect HTTP requests to HTTPS. HTTPS is the secure version of HTTP. Server Load Balancer (SLB) allows you to redirect HTTP requests to HTTPS, which facilitates whole-site HTTPS deployment. You can redirect HTTP requests to HTTPS in all regions, and customize the status code for redirection in the UK (London) region.

Prerequisites

An HTTPS listener is created. For more information, see Add an HTTPS listener.

Context

This feature is available only when you create an HTTP listener in the new SLB console.

Procedure

1. Log on to the SLB console. 2. In the left-side navigation pane, choose Inst ances > Inst ances. 3. On the Inst ances page, click the ID of an SLB instance. 4. On the List ener tab. Click Add List ener. 5. In the Prot ocol and List ener step, set the listener protocol to HT T P and specify a listening port. 6. In the Advanced section, click Modify. Turn on Redirect ion and select a listener to which you want to redirect requests.

The listener can be an HTTPS listener with any port in the SLB instance. You can set the status code for redirection in the UK (London) region.

7. Click Next . 8. Check the configurations and click Submit . 9. Click OK. After the redirection feature is enabled, all HTTP requests are redirected to the selected HTTPS listener and distributed based on the configurations of the HTTPS listener.

> Document Version: 20210922 41 List eners·FAQ Server Load Balancer

9.FAQ 9.1. FAQ about CLB This topic provides answers to some frequently asked questions about Classic Load Balancer (CLB). Does CLB support port redirection? If I disable the public ENI, is my CLB service affected? Why do connections fail to reach the maximum bandwidth value? What is the connection timeout period of each listener? Why does my connection to a CLB instance time out? Why does session persistence sometimes fail? How do I view the session persistence string? How do I test session persistence by using the Linux curl command? If I disconnect my client from a CLB instance before I receive a response from the backend server, does the CLB instance disconnect from the backend servers? Does CLB support a client request that has the default TOA field?

Does CLB support port redirection?

Yes.

For more information, see Redirect HTTP requests to HTTPS.

If I disable the public ENI, is my CLB service affected?

If the Elastic Compute Service (ECS) instance is configured with a public IP address, the CLB service is affected if you disable the public elastic network interface (ENI).

By default, traffic goes through the public ENI if the backend ECS instance is configured with a public IP address. If the public ENI is disabled, packets cannot be returned and the CLB service is affected. We do not recommend that you disable the public ENI. If you want to disable the public ENI, you must change the default route to a private route to ensure that the CLB service is not affected. However, you must first assess whether your business relies on the Internet. For example, if your CLB instance needs to access ApsaraDB RDS over the Internet, your business will be affected if you change the default route.

Why do connections fail to reach the maximum bandwidth value?

CLB instances provide services based on CLB server clusters. All external requests are evenly distributed to CLB servers. Therefore, the specified maximum bandwidth value is also evenly distributed to these servers. The maximum inbound bandwidth per connection is calculated based on the following formula: Maximum inbound bandwidth per connection = Specified maximum bandwidth of the CLB instance/(N - 1). N indicates the number of forwarding groups. N is set to 4. For example, if you set the maximum bandwidth to 10 Mbit/s in the CLB console, the maximum inbound bandwidth value of each client is 10/(4 - 1), which equals 3.33 Mbit/s. We recommend that you set the maximum bandwidth value for a single listener based on your business requirements to avoid impacts on your service.

What is the connection timeout period of each listener?

42 > Document Version: 20210922 Server Load Balancer List eners·FAQ

TCP listener: 900 seconds UDP listener: 90 seconds HTTP listener: 60 seconds HTTPS listener: 60 seconds

Why does my connection to a CLB instance time out?

This problem may be caused by one of the following reasons:

The IP address of the CLB instance is blocked for security reasons. The IP address of the CLB instance may be blocked due to traffic blackholing and scrubbing or Web Application Firewall (WAF) protection. WAF offers protection by sending RST packets to both the client and the server after a connection is established.

The client ports are insufficient. Insufficient client ports may lead to connection failures especially in stress tests. By default, CLB erases the timestamp attribute of TCP connections. As a result, tw_reuse of the Linux protocol stack (reuse of ports in time_wait state) does not work, and connections in time_wait state accumulate, which results in a lack of client ports. Solution: We recommend that you enable persistent connections for clients and use RST packets instead of FIN packets to close connections. In this case, you can set the SO_LINGER socket option. The accept queue of a backend server is full.

If the accept queue of a backend server is full, the backend server does not respond with the syn_ack packet and the client times out.

Solution: Run the sysctl -w net.core.somaxconn=1024 command to change the value of net.core.somaxconn and restart the application on the backend server. The default value of net.core.somaxconn is 128.

The Layer 4 CLB service is accessed from backend servers. If you access the Layer 4 CLB service from a backend server, the connection fails. For example, the service is accessed from a backend server by using a concatenated URL. The RST is improperly configured.

If no data is transferred within 900 seconds after a TCP connection is established on a CLB instance, the CLB instance sends the RST packet to the client and the backend server to terminate the connection. If the RST configuration is incorrect on the backend server, the backend server may send data to the closed connection, which leads to a connection timeout.

Why does session persistence sometimes fail?

Check whether you have enabled session persistence. HTTP or HTTPS listeners cannot insert the cookies for session persistence into the HTTP 4xx status code returned by backend servers. Solution: Change HTTP or HTTPS listeners to TCP listeners. TCP listeners implement session persistence based on source client IP addresses. Cookies can be inserted into backend servers and validated to ensure session persistence.

An HTTP 302 redirection changes the SERVERID string for session persistence.

> Document Version: 20210922 43 List eners·FAQ Server Load Balancer

When CLB inserts a cookie into the response of a backend server and the HTTP status code 302 is returned by the backend server, the SERVERID string for session persistence is changed. This results in a session persistence failure.

To find the cause, check the requests and responses by using your browser or packet capture software. Then, check whether a 302 code is included in the packets and whether the SERVERID string in the cookie is changed.

Solution: Change HTTP or HTTPS listeners to TCP listeners. TCP listeners implement session persistence based on source client IP addresses. Cookies can be inserted into backend servers and validated to ensure session persistence.

If the timeout period is set to a small value, session persistence failures may occur.

How do I view the session persistence string?

You can open the browser and press F12 to check whether the SERVERID string or any keywords that you specified are included in the response message. Alternatively, you can run the curl www.example.com -c /tmp/cookie123 command to save a cookie and then run the curl www.example.com -b /tmp/cookie123 command to view the cookie.

How do I test session persistence by using the Linux curl command?

1. Create a test page. Create a test page on each of the backend servers and make sure that the private IP address of the backend server is displayed on the test page. The following figure shows an example of a test page. The private IP address is used to check the backend server to which client requests are distributed. You can check whether the private IP addresses are the same to determine whether session persistence works.

2. Perform a test by using the curl command in Linux.

Assume that the IP address of the CLB instance is 10.XX.XX.10 and the URL of the test page is http: //10.XX.XX.10/check.jsp . i. Log on to the Linux server used for the test.

44 > Document Version: 20210922 Server Load Balancer List eners·FAQ

ii. Run the following command to query the cookie of the test server:

curl -c test.cookie http://10.XX.XX.10/check.jsp

Not e By default, CLB session persistence inserts a cookie. However, a curl test does not save or send a cookie. Therefore, you must first save the cookie for cookie tests. Otherwise, the curl test result may mistakenly show that session persistence is not working.

iii. Run the following command to continue the test:

for ((a=1;a<=30;a++)); 2="" do="" curl="" -b="" 1.cookie="" check.jsp="">/dev/null | grep '10.170.*';sleep 1; done`

Not e a<=30 specifies the number of repeated tests and can be modified as needed. grep ‘10.170.*’ indicates the filtered IP address. You can modify it based on the private IP address of the ECS instance.

iv. Check the IP addresses returned in the preceding tests. If they are the same, it indicates that session persistence is working. Otherwise, session persistence is not working.

If I disconnect my client from a CLB instance before I receive a response from the backend server, does the CLB instance disconnect from the backend servers?

No, the CLB instance does not disconnect from the backend servers during read/write operations.

Does CLB support a client request that has the default TOA field?

No.

The default TCP Option Address (TOA) field of a client request conflicts with that of CLB. As a result, the real IP address of the client cannot be obtained. 9.2. FAQ about Layer 7 listeners that use HTTPS or HTTP The following questions about Layer 7 listeners that use HTTPS or HTTP are frequently asked: Why are some response header parameters deleted after requests are forwarded by Layer 7 listeners? Why is an additional header, Transfer-Encoding: chunked, added to an HTTP request? Why do the style sheets fail to load when I open a website over an HTTPS listener? Which port number do HTTPS listeners use? What types of certificates does SLB support? Does SLB support keytool-created certificates? Can I use certificates in the PKCS#12 (PFX) format? Why does a KeyEncryption error occur when I upload certificates? What SSL protocol versions are supported by the HTTPS Server Load Balancer service? What is the lifetime of an HTTPS session ticket?

> Document Version: 20210922 45 List eners·FAQ Server Load Balancer

Can I upload a certificate that contains DH PARAMETERS? Do HTTPS listeners support SNI? Which version of HTTP is used by HTTP and HTTPS listeners to access the backend servers? Can backend servers obtain the protocol version used by the client to access the HTTP or HTTPS listener? What are the timeout values specified for HTTP and HTTPS listeners?

Why are some response header parameters deleted after requests are forwarded by Layer 7 listeners?

Symptom: SLB modifies the values of the Date, Server, X-Pad, and X-Accel-Redirect parameters in the response headers to implement session persistence.

Solution: Add a prefix to the custom header, such as xl-server or xl-date. Change Layer 7 HTTP listeners to Layer 4 TCP listeners.

Why is an additional header, Transfer-Encoding: chunked, added to an HTTP request?

Symptom: After a domain name is resolved to the service address of Layer 7 SLB instance, a Transfer- Encoding: chunked field is added in the HTTP request header when you access the domain name from a local host. However, this field is not found in the request when you access backend servers directly from the local host. Cause: Layer 7 SLB is based on the Tengine reverse proxy. The Transfer-Encoding field indicates how the web server encodes the response message body. For example, Transfer-Encoding: chunked indicates that chunked transfer encoding is used.

Not e This header is not added in the requests forwarded by Layer 4 listeners, because Layer 4 listeners only distribute traffic.

Why do the style sheets fail to load when I open a website over an HTTPS listener?

Symptom:

An HTTP listener and an HTTPS listener are created, and they use the same backend servers. When you access the website over the HTTP listener with the specified port number, the website is displayed normally. However, the website layout is messy when you access the website over the HTTPS listener. Cause:

By default, SLB does not block loading and transferring of JavaScript files. This problem may be caused by the following reasons: The certificate is not compatible with the security level of the web browser. The certificate is an unqualified third-party certificate. In this case, contact the certificate issuer to check the certificate.

Solution: 1. When you open the website, load scripts as prompted by the browser.

46 > Document Version: 20210922 Server Load Balancer List eners·FAQ

2. Add the required certificate to the browser.

Which port number do HTTPS listeners use?

HTTPS listeners have no special requirements on ports. However, we recommend that you use 443 as the port number for HTTPS listeners.

What types of certificates does SLB support?

SLB supports server certificates and CA certificates in the PEM format.

For the server certificates, you must upload both the certificate content and the private key. For the CA certificates, you need to upload only the certificate content.

Does SLB support keytool-created certificates?

Yes. You must convert the certificate format to PEM before you upload the certificates to SLB. For more information, see Convert the certificate format.

Can I use certificates in the PKCS#12 (PFX) format?

Yes.

You must convert the certificate format to PEM before you upload the certificates to SLB. For more information, see Convert the certificate format.

Why does a KeyEncryption error occur when I upload certificates?

The private key contains incorrect contents. For more information about the private key format, see Certificate requirements.

What SSL protocol versions are supported by the HTTPS Server Load Balancer service?

TLSv1, TLSv1.1, and TLSv1.2.

What is the lifetime of an HTTPS session ticket?

The lifetime of an HTTPS session ticket is set to 300 seconds.

Can I upload a certificate that contains DH PARAMETERS?

The ECDHE cipher suites used by HTTPS listeners support forward secrecy but do not support the security enhancement parameters required by DHE cipher suites. As a result, strings that contain the BEGIN DH PARAMETERS field in a PEM certificate file cannot be uploaded.

Do HTTPS listeners support SNI?

Yes. Server Name Indication (SNI) is an extension to the SSL or TLS protocol so that a server can use multiple domain names and certificates. HTTPS listeners support the SNI feature. For more information, see Add an additional certificate.

Which version of HTTP is used by HTTP and HTTPS listeners to access the backend servers?

When the protocol used by client requests is HTTP 1.1 or HTTP 2.0, Layer 7 listeners use HTTP 1.1 to

> Document Version: 20210922 47 List eners·FAQ Server Load Balancer

access backend servers. When the protocol used by client requests is not HTTP 1.1 or HTTP 2.0, Layer 7 listeners use HTTP 1.0 to access backend servers.

Can backend servers obtain the protocol version used by the client to access the HTTP or HTTPS listener?

Yes, backend servers can obtain the protocol version used by the client to access the HTTP or HTTPS listener.

What are the timeout values specified for HTTP and HTTPS listeners?

A maximum of 100 requests can be sent continuously in an HTTP persistent connection. The connection is closed when the limit is reached. The timeout period between two HTTP or HTTPS requests in an HTTP persistent connection can be set to a value ranging from 1 to 60 seconds. The TCP connection is closed when the timeout period exceeds the specified value. If you want to use the HTTP persistent connection, try to send heartbeat requests within 13 seconds. The timeout period for the TCP three-way handshake between SLB and a backend ECS instance is 5 seconds. After the handshake times out, SLB selects the next ECS instance. You can find the timeout record by checking the upstream response time in the access logs. The time that SLB waits for the response from an ECS instance can be set to a value ranging from 1 to 180 seconds. If the wait time exceeds the specified timeout period, a 504 or 408 status code is sent to the client. You can find the timeout record by checking the upstream response time in the access logs. After 300 seconds, the HTTPS session reuse times out. Then, the client must perform the complete SSL handshake process again.

48 > Document Version: 20210922