- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- CLB Instance
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring UDP Listener
- Configuring TCP SSL Listener
- Configuring QUIC Listener
- Configuring HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Real Server
- Health Check
- Certificate Management
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- Classic CLB
- Best Practices
- Enabling Gzip Configuration & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Notes on SNAT and Non-SNAT Types for Private Network CLB
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Troubleshooting
- OPS Guidelines
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Real Server APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- Cloud Load Balancer APIs
- Classic CLB APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- CLB Instance
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring UDP Listener
- Configuring TCP SSL Listener
- Configuring QUIC Listener
- Configuring HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Real Server
- Health Check
- Certificate Management
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- Classic CLB
- Best Practices
- Enabling Gzip Configuration & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Notes on SNAT and Non-SNAT Types for Private Network CLB
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Troubleshooting
- OPS Guidelines
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Real Server APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- Cloud Load Balancer APIs
- Classic CLB APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
CLB supports custom configurations, allowing you to set the configuration parameters for a single CLB instance, such as client_max_body_size and ssl_protocols, so as to meet your unique needs.
Note:
- Each region can have up to 200 entries of custom configurations.
- Custom configurations are limited to 64K bytes.
- Currently, each instance can be bound to only one entry of custom configuration.
- Custom configurations are valid only for layer-7 HTTP/HTTPS CLB (former Application CLB) listeners.
CLB Custom Configuration Parameters
Currently, CLB custom configuration supports the following fields:
| Configuration Field | Default Value/Recommended Value | Parameter Range | Description |
|---|---|---|---|
| ssl_protocols | TLSv1 TLSv1.1 TLSv1.2 | TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 | Version of TLS protocol used |
| ssl_ciphers | See further below. | See further below. | Encryption suite |
| client_header_timeout | 60s | [30-120]s | Timeout period of obtaining a client request header; in case of timeout, a 408 error will be returned. |
| client_header_buffer_size | 4k | [1-256]k | Size of default buffer where a client request header is stored. |
| client_body_timeout | 60s | [30-120]s | Timeout period of obtaining a client request body, which is not the time for obtaining the entire body but refers to the idle period without data transmission; in case of timeout, a 408 error will be returned. |
| client_max_body_size | 60M | [1-10240]M |
|
| keepalive_timeout | 75s | [0-900]s | Client-server persistent connection hold time; if it is set to 0, persistent connection is prohibited. If you want to set it to over 900, please submit an application(https://console.intl.cloud.tencent.com/workorder/category?level1_id=6&level2_id=163&source=0&data_title=%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%20LB&step=1). The maximum value you can set is 3600. |
| add_header | Custom | - | Specific header field returned to the client in the format of add_header xxx yyy. |
| more_set_headers | Custom | - | Specific header field returned to the client in the format of more_set_headers "A:B". |
| proxy_connect_timeout | 4s | [4-120]s | Timeout period of upstream backend connection. |
| proxy_read_timeout | 60s | [30-3600]s | Timeout period of reading upstream backend response. |
| proxy_send_timeout | 60s | [30-3600]s | Timeout period of sending a request to the upstream backend. |
| server_tokens | on | on, off |
|
| keepalive_requests | 100 | [1-10000] | Maximum number of requests that can be sent over the client-server persistent connection. |
| proxy_buffer_size | 4k | [1-64]k | Size of server response header, which is the size of a single buffer set in proxy_buffer by default; to use proxy_buffer_size, proxy_buffers must be set at the same time. |
| proxy_buffers | 8 4k | [3-8] [4-8]k | Buffer quantity and size. |
| proxy_request_buffering | on | on, off |
|
| proxy_set_header | X-Real-Port $remote_port |
|
|
| send_timeout | 60s | [1-3600]s | Timeout period of data transfer from the server to the client, which is the time interval between two consecutive data transfer actions, not the entire request transfer period. |
| ssl_verify_depth | 1 | [1, 10] | Verification depth of the client certificate chain. |
| proxy_redirect | http:// https:// | http:// https:// | If the upstream server returns a request to redirect or refresh, for example, HTTP response code 301 or 302, proxy_redirect will reset http to https in the "Location" or "Refresh" field in the HTTP header for safe redirection. |
| ssl_early_data | off | on, off | Enables or disables TLS 1.3 0-RTT. Only when the field value of ssl_protocols contains TLSv1.3, ssl_early_data can take effect. You shall consider the risk of replay attacks before enabling ssl_early_data. |
| http2_max_field_size | 4k | [1-256]k | Restricts the maximum size of the request header compressed in HPACK. |
| error_page | - | error_page code [ = [ response]] uri | A predefined URL will be shown for the specific error code. The default response code defaults to 302. The URI must start with /. |
Note:Requirements on the value of
proxy_buffer_sizeandproxy_buffers: 2 * max (proxy_buffer_size, proxy_buffers.size) ≤ (proxy_buffers.num - 1)* proxy_buffers.size; For example, ifproxy_buffer_sizeis "24k",proxy_buffersis "8 8k"; then 2 * 24k = 48k, (8 - 1)* 8k = 56k; and 48k ≤ 56k, so there will be no configuration error.
ssl_ciphers Configuration Instructions
The ssl_ciphers encryption suite being configured must be in the same format as that used by OpenSSL. The algorithm list is one or more <cipher strings="">; multiple algorithms should be separated with ":"; ALL represents all algorithms, "!" indicates not to enable an algorithm, and "+" indicates to move an algorithm to the last place.
The encryption algorithm for default forced disabling is: !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE.
Default value:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES;
Parameter range:
ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-AES-128-CBC-SHA:ECDH-RSA-AES128-SHA256:DH-RSA-AES128-SHA256:DH-RSA-CAMELLIA128-SHA:DH-DSS-AES256-GCM-SHA384:DH-RSA-AES256-SHA256:AES256-SHA256:SEED-SHA:CAMELLIA256-SHA:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:DH-RSA-AES128-SHA:DH-RSA-AES128-GCM-SHA256:DH-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:DH-DSS-CAMELLIA256-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES128-SHA256:SRP-RSA-AES-256-CBC-SHA:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:DH-DSS-AES256-SHA256:ECDH-ECDSA-AES256-SHA384:AES128-SHA:DH-DSS-AES128-GCM-SHA256:AES128-SHA256:DH-RSA-SEED-SHA:ECDH-ECDSA-AES128-SHA:IDEA-CBC-SHA:AES128-GCM-SHA256:DH-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:DH-RSA-AES256-GCM-SHA384:SRP-RSA-AES-128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:ECDH-RSA-AES128-GCM-SHA256:DH-DSS-CAMELLIA128-SHA:DH-DSS-SEED-SHA:AES256-SHA:DH-RSA-AES256-SHA:kEDH+AESGCM:AES256-GCM-SHA384:DH-DSS-AES256-SHA:HIGH:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE
CLB Custom Configuration Examples
- Log in to the CLB Console and click Custom Configuration on the left sidebar.
- Click Create, fill in the configuration items and end them with ";".
- Click Completed.
- Click Bind to Instance.
- In the pop-up window, select a CLB instance of the same region, and click Submit.
- You can now view the corresponding custom configuration information on the instance list page.
Default configuration sample code:ssl_protocols TLSv1 TLSv1.1 TLSv1.2; client_header_timeout 60s; client_header_buffer_size 4k; client_body_timeout 60s; client_max_body_size 60M; keepalive_timeout 75s; add_header xxx yyy; more_set_headers "A:B"; proxy_connect_timeout 4s; proxy_read_timeout 60s; proxy_send_timeout 60s;
Yes
No
Was this page helpful?