Layer-7 Custom Configuration

Last updated: 2021-09-16 10:14:27

    CLB supports custom configurations, allowing you to set the configuration parameters for a single CLB instance, such as client_max_body_size and ssl_protocols, so as to meet your unique needs.

    Note:

    • Each region can have up to 200 entries of custom configurations.
    • Custom configurations are limited to 64K bytes.
    • Currently, each instance can be bound to only one entry of custom configuration.
    • Custom configurations are valid only for layer-7 HTTP/HTTPS CLB (formerly Application CLB) listeners.

    CLB Custom Configuration Parameters

    Currently, CLB custom configuration supports the following fields:

    Each field below lists its default/recommended value, its parameter range, and a description.

    ssl_protocols
        Default: TLSv1 TLSv1.1 TLSv1.2
        Range: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
        Description: Version of the TLS protocol used.

    ssl_ciphers
        Default: see "ssl_ciphers Configuration Instructions" below.
        Range: see "ssl_ciphers Configuration Instructions" below.
        Description: Encryption (cipher) suite.

    client_header_timeout
        Default: 60s
        Range: [30-120]s
        Description: Timeout period for obtaining a client request header; on timeout, a 408 error is returned.

    client_header_buffer_size
        Default: 4k
        Range: [1-256]k
        Description: Size of the default buffer in which a client request header is stored.

    client_body_timeout
        Default: 60s
        Range: [30-120]s
        Description: Timeout period for obtaining a client request body. This is not the time allowed for the entire body but the idle period without any data transmission; on timeout, a 408 error is returned.

    client_max_body_size
        Default: 60M
        Range: [1-10240]M
        Description:
        • Default configuration range: 1 MB – 256 MB; values in this range can be configured directly.
        • Maximum size: 2,048 MB; if client_max_body_size is more than 256 MB, the value of proxy_request_buffering must be "off".

    keepalive_timeout
        Default: 75s
        Range: [0-900]s
        Description: Client-server persistent connection hold time; if it is set to 0, persistent connections are prohibited. If you want to set it to over 900, please submit an application (https://console.cloud.tencent.com/workorder/category?level1_id=6&level2_id=163&source=0&data_title=%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%20LB&step=1). The maximum value you can set is 3600.

    add_header
        Default: custom
        Range: -
        Description: Specific header field returned to the client, in the format add_header xxx yyy.

    more_set_headers
        Default: custom
        Range: -
        Description: Specific header field returned to the client, in the format more_set_headers "A:B".

    proxy_connect_timeout
        Default: 4s
        Range: [4-120]s
        Description: Timeout period for connecting to the upstream backend.

    proxy_read_timeout
        Default: 60s
        Range: [30-3600]s
        Description: Timeout period for reading the upstream backend response.

    proxy_send_timeout
        Default: 60s
        Range: [30-3600]s
        Description: Timeout period for sending a request to the upstream backend.

    server_tokens
        Default: on
        Range: on, off
        Description:
        • on: displays version information;
        • off: hides version information.

    keepalive_requests
        Default: 100
        Range: [1-10000]
        Description: Maximum number of requests that can be sent over one client-server persistent connection.

    proxy_buffer_size
        Default: 4k
        Range: [1-64]k
        Description: Size of the buffer for the server response header; by default this is the size of a single buffer set in proxy_buffers. To use proxy_buffer_size, proxy_buffers must be set at the same time.

    proxy_buffers
        Default: 8 4k
        Range: [3-8] [4-8]k
        Description: Buffer quantity and size.

    proxy_request_buffering
        Default: on
        Range: on, off
        Description:
        • on: caches the client request body; the CLB instance caches the request and forwards it to the backend CVM instance in multiple parts after the request has been completely received.
        • off: does not cache the client request body; after receiving a request, the CLB instance forwards it directly to the backend CVM instance, which increases the load on the backend CVM.

    proxy_set_header
        Default: X-Real-Port $remote_port
        Range (each supported header with the variable it carries) and description:
        • X-Real-Port $remote_port: client port.
        • X-clb-stgw-vip $server_addr: CLB VIP.
        • Stgw-request-id $stgw_request_id: request ID (used in CLB only).
        • X-Forwarded-Port $vport: CLB listener port.
        • X-Method $request_method: client request method.
        • X-Uri $uri: client request URI.
        • X-Forwarded-Proto: protocol of the CLB listener port (supported by default).

    send_timeout
        Default: 60s
        Range: [1-3600]s
        Description: Timeout period for data transfer from the server to the client. This is the interval between two consecutive data transfer actions, not the entire request transfer period.

    ssl_verify_depth
        Default: 1
        Range: [1, 10]
        Description: Verification depth of the client certificate chain.

    proxy_redirect
        Default: http:// https://
        Range: http:// https://
        Description: If the upstream server returns a redirect or refresh, for example HTTP response code 301 or 302, proxy_redirect rewrites http to https in the "Location" or "Refresh" field of the HTTP header for safe redirection.

    ssl_early_data
        Default: off
        Range: on, off
        Description: Enables or disables TLS 1.3 0-RTT. ssl_early_data takes effect only when the value of ssl_protocols contains TLSv1.3. Consider the risk of replay attacks before enabling ssl_early_data.

    http2_max_field_size
        Default: 4k
        Range: [1-256]k
        Description: Limits the maximum size of an HPACK-compressed request header field.

    error_page
        Default: -
        Range: error_page code [= [response]] uri
        Description: A predefined URI is shown for the specified error code. The response code defaults to 302. The URI must start with /.
    Note:

    Requirements on the values of proxy_buffer_size and proxy_buffers: 2 * max(proxy_buffer_size, proxy_buffers.size) ≤ (proxy_buffers.num - 1) * proxy_buffers.size. For example, if proxy_buffer_size is "24k" and proxy_buffers is "8 8k", then 2 * 24k = 48k and (8 - 1) * 8k = 56k; since 48k ≤ 56k, there is no configuration error.
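    The following script is an added example and not CLB's own code: it checks a custom configuration snippet, written in the "name value;" form the console expects, against the ranges in the parameter table and the cross-field rules stated there and in the note above (the proxy buffer inequality, client_max_body_size above 256 MB needing proxy_request_buffering off, ssl_early_data needing TLSv1.3). The two snippets at the bottom are constructed for the demo; the first reuses the note's 24k / "8 8k" values and passes, the second breaks five rules.

```python
# Added example (not CLB's own code): validate a layer-7 custom configuration
# snippet against the ranges and cross-field rules documented on this page.
import re

# (min, max, unit) per numeric field, transcribed from the parameter table.
RANGES = {
    "client_header_timeout": (30, 120, "s"), "client_body_timeout": (30, 120, "s"),
    "client_header_buffer_size": (1, 256, "k"), "http2_max_field_size": (1, 256, "k"),
    "client_max_body_size": (1, 10240, "M"), "keepalive_timeout": (0, 900, "s"),
    "proxy_connect_timeout": (4, 120, "s"), "proxy_read_timeout": (30, 3600, "s"),
    "proxy_send_timeout": (30, 3600, "s"), "send_timeout": (1, 3600, "s"),
    "keepalive_requests": (1, 10000, ""), "proxy_buffer_size": (1, 64, "k"),
    "ssl_verify_depth": (1, 10, ""),
}
ON_OFF = {"server_tokens", "proxy_request_buffering", "ssl_early_data"}
TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
PROXY_BUFFERS = re.compile(r"(\d+)\s+(\d+)k")


def split_statements(text):
    """Split directives on ';' outside quotes. Returns (statements, unterminated tail)."""
    stmts, buf, quote = [], [], None
    for ch in text:
        if quote:                      # inside a quoted value: ';' does not terminate
            buf.append(ch)
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [s for s in stmts if s], "".join(buf).strip()


def _number(value, unit):
    """Integer part of e.g. '24k' when its suffix matches unit (case-insensitive), else None."""
    m = re.fullmatch(r"(\d+)([A-Za-z]*)", value)
    return int(m.group(1)) if m and m.group(2).lower() == unit.lower() else None


def validate(text):
    """Return a list of findings; an empty list means the snippet passes every rule."""
    findings, conf = [], {}
    stmts, tail = split_statements(text)
    if tail:
        findings.append(f"'{tail}' is not terminated with ';'")
    for stmt in stmts:
        parts = stmt.split(None, 1)
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        conf[name] = value
        if name in RANGES:
            lo, hi, unit = RANGES[name]
            n = _number(value, unit)
            if n is None:
                findings.append(f"{name}: expected <number>{unit}, got '{value}'")
            elif not lo <= n <= hi:
                findings.append(f"{name}: {value} is outside [{lo}-{hi}]{unit}")
        elif name in ON_OFF and value not in ("on", "off"):
            findings.append(f"{name}: must be 'on' or 'off', got '{value}'")
        elif name == "ssl_protocols" and set(value.split()) - TLS_VERSIONS:
            findings.append(f"ssl_protocols: unsupported {sorted(set(value.split()) - TLS_VERSIONS)}")
        elif name == "proxy_buffers":
            m = PROXY_BUFFERS.fullmatch(value)
            if not m or not (3 <= int(m[1]) <= 8 and 4 <= int(m[2]) <= 8):
                findings.append(f"proxy_buffers: '{value}' is outside [3-8] [4-8]k")
    # Cross-field rules from the table and the note: buffer inequality,
    # large bodies need request buffering off, 0-RTT needs TLSv1.3.
    size = _number(conf.get("proxy_buffer_size", ""), "k")
    m = PROXY_BUFFERS.fullmatch(conf.get("proxy_buffers", ""))
    if "proxy_buffer_size" in conf and "proxy_buffers" not in conf:
        findings.append("proxy_buffer_size requires proxy_buffers to be set as well")
    elif size is not None and m and 2 * max(size, int(m[2])) > (int(m[1]) - 1) * int(m[2]):
        findings.append(f"2*max({size}k, {m[2]}k) exceeds ({m[1]}-1)*{m[2]}k")
    body = _number(conf.get("client_max_body_size", "60M"), "M")
    if body is not None and body > 256 and conf.get("proxy_request_buffering", "on") != "off":
        findings.append("client_max_body_size above 256M requires proxy_request_buffering off")
    protocols = conf.get("ssl_protocols", "TLSv1 TLSv1.1 TLSv1.2").split()
    if conf.get("ssl_early_data") == "on" and "TLSv1.3" not in protocols:
        findings.append("ssl_early_data on takes effect only if ssl_protocols includes TLSv1.3")
    return findings


# Constructed snippets for the demo: the first passes, the second breaks five rules.
SAMPLE_OK = """
ssl_protocols TLSv1.2 TLSv1.3;
client_max_body_size 60M;
proxy_buffer_size 24k;
proxy_buffers 8 8k;
server_tokens off;
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'";
"""
SAMPLE_BAD = """
ssl_protocols TLSv1.2;
ssl_early_data on;
client_max_body_size 512M;
proxy_buffer_size 32k;
proxy_buffers 4 8k;
proxy_connect_timeout 2s;
server_tokens off
"""

if __name__ == "__main__":
    for label, snippet in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate(snippet) or "no findings")
```

    The statement splitter tracks quotes so that a ";" inside a quoted header value (the Content-Security-Policy line) is not mistaken for a terminator, while a directive that lacks its trailing ";" is reported rather than silently dropped.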

    ssl_ciphers Configuration Instructions

    The ssl_ciphers cipher suite list must use the same format as OpenSSL. The list consists of one or more cipher strings separated by ":"; ALL represents all algorithms, a leading "!" disables an algorithm, and a leading "+" moves an algorithm to the end of the list.
    The following algorithms are forcibly disabled by default: !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE.

    Default value:

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES;
    

    Parameter range:

    ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-AES-128-CBC-SHA:ECDH-RSA-AES128-SHA256:DH-RSA-AES128-SHA256:DH-RSA-CAMELLIA128-SHA:DH-DSS-AES256-GCM-SHA384:DH-RSA-AES256-SHA256:AES256-SHA256:SEED-SHA:CAMELLIA256-SHA:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:DH-RSA-AES128-SHA:DH-RSA-AES128-GCM-SHA256:DH-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:DH-DSS-CAMELLIA256-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES128-SHA256:SRP-RSA-AES-256-CBC-SHA:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:DH-DSS-AES256-SHA256:ECDH-ECDSA-AES256-SHA384:AES128-SHA:DH-DSS-AES128-GCM-SHA256:AES128-SHA256:DH-RSA-SEED-SHA:ECDH-ECDSA-AES128-SHA:IDEA-CBC-SHA:AES128-GCM-SHA256:DH-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:DH-RSA-AES256-GCM-SHA384:SRP-RSA-AES-128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:ECDH-RSA-AES128-GCM-SHA256:DH-DSS-CAMELLIA128-SHA:DH-DSS-SEED-SHA:AES256-SHA:DH-RSA-AES256-SHA:kEDH+AESGCM:AES256-GCM-SHA384:DH-DSS-AES256-SHA:HIGH:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE
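    Because the ":", "!" and "+" rules above are resolved by OpenSSL, the practical way to review an ssl_ciphers value is to feed it to OpenSSL and look at the list that comes out. The script below is an added example, not CLB's or OpenSSL's code: it resolves the page's documented default string and a constructed stricter alternative through Python's ssl module, then groups the enabled suites by forward secrecy, AEAD use and legacy primitives. The resolved list reflects the OpenSSL build the script runs on, not the one inside CLB.

```python
# Added example (not CLB's or OpenSSL's own code): resolve an ssl_ciphers string
# with the local OpenSSL and audit what it actually enables. CLB_DEFAULT_CIPHERS
# is the default documented on this page; STRICT_CIPHERS is a constructed
# alternative. The resolved list reflects the OpenSSL build this runs on.
import re
import ssl

CLB_DEFAULT_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES"
)
# Constructed stricter policy: ephemeral ECDH key exchange and AEAD ciphers only.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"

LEGACY = re.compile(r"RC4|MD5|NULL|EXP-|DES-CBC")   # matches single DES and 3DES (DES-CBC3)
AEAD = re.compile(r"GCM|CHACHA20|CCM")
FORWARD_SECRET = ("ECDHE-", "DHE-", "EDH-")


def resolve_cipher_string(spec):
    """TLS 1.2-and-earlier cipher names OpenSSL enables for spec, in preference order.
    TLS 1.3 suites (TLS_* names) are configured separately and are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)   # raises ssl.SSLError if no cipher can be selected
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit_ciphers(names):
    """Group the enabled ciphers by the properties a reviewer checks."""
    report = {"forward_secrecy": [], "no_forward_secrecy": [], "non_aead": [], "legacy": []}
    for name in names:
        key = "forward_secrecy" if name.startswith(FORWARD_SECRET) else "no_forward_secrecy"
        report[key].append(name)
        if not AEAD.search(name):
            report["non_aead"].append(name)
        if LEGACY.search(name):
            report["legacy"].append(name)
    return report


if __name__ == "__main__":
    for label, spec in (("CLB default", CLB_DEFAULT_CIPHERS), ("strict", STRICT_CIPHERS)):
        names = resolve_cipher_string(spec)
        print(f"{label}: {len(names)} ciphers enabled; first = {names[0]}")
        for key, members in audit_ciphers(names).items():
            print(f"  {key}: {len(members)}")
```

    Note that "+" between two names inside one token (kEDH+AESGCM in the default) is OpenSSL's intersection operator, which selects suites matching both, whereas the "+" described above is the leading form that reorders. The default string keeps static-RSA suites such as AES128-GCM-SHA256 enabled, which the audit reports under no_forward_secrecy; the constructed strict string removes them.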
    

    CLB Custom Configuration Examples

    1. Log in to the CLB Console and click Custom Configuration on the left sidebar.
    2. Click Create, fill in the configuration items, and end each item with ";".
    3. Click Completed.
    4. Click Bind to Instance.
    5. In the pop-up window, select a CLB instance of the same region, and click Submit.
    6. You can now view the corresponding custom configuration information on the instance list page.

      Default configuration sample code:
      ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
      client_header_timeout   60s;
      client_header_buffer_size   4k;
      client_body_timeout    60s;
      client_max_body_size   60M;
      keepalive_timeout    75s;
      add_header     xxx yyy;
      more_set_headers      "A:B";
      proxy_connect_timeout    4s;
      proxy_read_timeout    60s;
      proxy_send_timeout    60s;