CLB supports custom configurations, allowing you to set the configuration parameters of a single CLB instance, such as client_max_body_size and ssl_protocols, so as to meet your specific needs.
Note:
- Each region can have up to 200 custom configuration entries.
- A custom configuration is limited to 64K bytes.
- Currently, each instance can be bound to only one custom configuration entry.
- Custom configurations are valid only for layer-7 HTTP/HTTPS CLB (former Application CLB) listeners.
Currently, CLB custom configuration supports the following fields:
Configuration Field | Default Value/Recommended Value | Parameter Range | Description |
---|---|---|---|
ssl_protocols | TLSv1 TLSv1.1 TLSv1.2 | TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 | TLS protocol versions enabled. |
ssl_ciphers | See further below. | See further below. | Cipher suites. |
client_header_timeout | 60s | [30-120]s | Timeout for reading the client request header; on timeout, a 408 error is returned. |
client_header_buffer_size | 4k | [1-256]k | Size of the default buffer in which the client request header is stored. |
client_body_timeout | 60s | [30-120]s | Timeout for reading the client request body. This is not the time allowed for reading the entire body but the maximum idle period between two successive reads; on timeout, a 408 error is returned. |
client_max_body_size | 60M | [1-10240]M | |
keepalive_timeout | 75s | [0-900]s | How long a client-server persistent connection is kept open; 0 disables persistent connections. To set a value above 900, submit an application (https://console.intl.cloud.tencent.com/workorder/category?level1_id=6&level2_id=163&source=0&data_title=%E8%B4%9F%E8%BD%BD%E5%9D%87%E8%A1%A1%20LB&step=1); the maximum value you can set is 3600. |
add_header | Custom | - | Specific header field returned to the client, in the format add_header xxx yyy. |
more_set_headers | Custom | - | Specific header field returned to the client, in the format more_set_headers "A:B". |
proxy_connect_timeout | 4s | [4-120]s | Timeout for establishing a connection to the upstream backend. |
proxy_read_timeout | 60s | [30-3600]s | Timeout for reading a response from the upstream backend. |
proxy_send_timeout | 60s | [30-3600]s | Timeout for sending a request to the upstream backend. |
server_tokens | on | on, off | |
keepalive_requests | 100 | [1-10000] | Maximum number of requests that can be served over one client-server persistent connection. |
proxy_buffer_size | 4k | [1-64]k | Size of the buffer for the server response header; by default it equals the size of a single buffer set in proxy_buffers. To use proxy_buffer_size, proxy_buffers must be set at the same time. |
proxy_buffers | 8 4k | [3-8] [4-8]k | Number and size of buffers. |
proxy_request_buffering | on | on, off | |
proxy_set_header | X-Real-Port $remote_port | | |
send_timeout | 60s | [1-3600]s | Timeout for transferring data from the server to the client. This is the interval between two successive transfers, not the time allowed for transferring the entire response. |
ssl_verify_depth | 1 | [1, 10] | Verification depth of the client certificate chain. |
proxy_redirect | http:// https:// | http:// https:// | If the upstream server returns a redirect or refresh response, such as HTTP status code 301 or 302, proxy_redirect rewrites http to https in the Location or Refresh header so that the client is redirected securely. |
ssl_early_data | off | on, off | Enables or disables TLS 1.3 0-RTT. Takes effect only when the value of ssl_protocols contains TLSv1.3. Consider the risk of replay attacks before enabling ssl_early_data. |
http2_max_field_size | 4k | [1-256]k | Maximum size of an HPACK-compressed request header field. |
error_page | - | error_page code [=[response]] uri | Returns the predefined URI for the specified error code. The response code defaults to 302. The URI must start with /. |
Note: Requirements on the values of proxy_buffer_size and proxy_buffers: 2 * max(proxy_buffer_size, proxy_buffers.size) ≤ (proxy_buffers.num - 1) * proxy_buffers.size. For example, if proxy_buffer_size is "24k" and proxy_buffers is "8 8k", then 2 * 24k = 48k and (8 - 1) * 8k = 56k; since 48k ≤ 56k, there is no configuration error.
The ssl_ciphers cipher suite list must use the same format as OpenSSL. The list consists of one or more cipher strings separated by ":"; ALL stands for all algorithms, "!" means an algorithm is not enabled, and "+" moves an algorithm to the last place.
The cipher suites that are forcibly disabled by default are: !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE
Default value:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES;
Parameter range:
ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-AES-128-CBC-SHA:ECDH-RSA-AES128-SHA256:DH-RSA-AES128-SHA256:DH-RSA-CAMELLIA128-SHA:DH-DSS-AES256-GCM-SHA384:DH-RSA-AES256-SHA256:AES256-SHA256:SEED-SHA:CAMELLIA256-SHA:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:DH-RSA-AES128-SHA:DH-RSA-AES128-GCM-SHA256:DH-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:DH-DSS-CAMELLIA256-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES128-SHA256:SRP-RSA-AES-256-CBC-SHA:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:DH-DSS-AES256-SHA256:ECDH-ECDSA-AES256-SHA384:AES128-SHA:DH-DSS-AES128-GCM-SHA256:AES128-SHA256:DH-RSA-SEED-SHA:ECDH-ECDSA-AES128-SHA:IDEA-CBC-SHA:AES128-GCM-SHA256:DH-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:DH-RSA-AES256-GCM-SHA384:SRP-RSA-AES-128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:ECDH-RSA-AES128-GCM-SHA256:DH-DSS-CAMELLIA128-SHA:DH-DSS-SEED-SHA:AES256-SHA:DH-RSA-AES256-SHA:kEDH+AESGCM:AES256-GCM-SHA384:DH-DSS-AES256-SHA:HIGH:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE
Example of a custom configuration entry:
```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_header_timeout 60s;
client_header_buffer_size 4k;
client_body_timeout 60s;
client_max_body_size 60M;
keepalive_timeout 75s;
add_header xxx yyy;
more_set_headers "A:B";
proxy_connect_timeout 4s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
```
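As an added example (not part of this page or of the CLB product), the following Python validator parses a custom configuration fragment in the format shown above and checks it against the rules on this page: the parameter ranges of several fields from the table, the buffer requirement from the note (2 * max(proxy_buffer_size, proxy_buffers.size) ≤ (proxy_buffers.num - 1) * proxy_buffers.size, and that proxy_buffer_size needs proxy_buffers), and that ssl_early_data only takes effect with TLSv1.3 in ssl_protocols. The sample fragments are constructed; the parser assumes no ";" inside quoted header values.

```python
import re

RANGES = {  # (min, max, unit) taken from the field table on this page
    "client_header_timeout": (30, 120, "s"),
    "client_max_body_size": (1, 10240, "M"),
    "keepalive_timeout": (0, 900, "s"),
    "proxy_connect_timeout": (4, 120, "s"),
    "proxy_buffer_size": (1, 64, "k"),
    "keepalive_requests": (1, 10000, ""),
}

def parse(text):
    # Split "name value ...;" directives into {name: [args]}; assumes no ';' inside quotes.
    conf = {}
    for stmt in text.split(";"):
        parts = stmt.split()
        if parts:
            conf[parts[0]] = parts[1:]
    return conf

def _num(value, unit):
    # Integer part of e.g. "24k" for unit "k"; None if the value is malformed.
    m = re.fullmatch(r"(\d+)" + re.escape(unit), value)
    return int(m.group(1)) if m else None

def validate(text):
    # Return a list of problems; an empty list means the fragment passes these checks.
    conf, problems = parse(text), []
    for name, (lo, hi, unit) in RANGES.items():
        if name in conf:
            v = _num(conf[name][0], unit) if conf[name] else None
            if v is None or not lo <= v <= hi:
                problems.append(f"{name}: value must be within [{lo}-{hi}]{unit}")
    if "proxy_buffer_size" in conf:
        pb = conf.get("proxy_buffers", [])
        pbs = _num(conf["proxy_buffer_size"][0], "k") if conf["proxy_buffer_size"] else None
        num = int(pb[0]) if len(pb) == 2 and pb[0].isdigit() else None
        size = _num(pb[1], "k") if len(pb) == 2 else None
        if None in (pbs, num, size):
            problems.append("proxy_buffer_size needs proxy_buffers set as '<num> <size>k'")
        elif 2 * max(pbs, size) > (num - 1) * size:  # requirement stated in the note
            problems.append("2*max(proxy_buffer_size, size) exceeds (num-1)*size")
    if conf.get("ssl_early_data") == ["on"] and "TLSv1.3" not in conf.get("ssl_protocols", []):
        problems.append("ssl_early_data only takes effect when ssl_protocols contains TLSv1.3")
    return problems

# Constructed samples: the first passes (24k / "8 8k" gives 48k <= 56k); the second breaks three rules.
SAMPLE_OK = "ssl_protocols TLSv1.2 TLSv1.3; ssl_early_data on; client_max_body_size 60M; keepalive_timeout 75s; proxy_buffer_size 24k; proxy_buffers 8 8k;"
SAMPLE_BAD = "keepalive_timeout 1200s; proxy_buffer_size 32k; proxy_buffers 8 4k; ssl_early_data on;"
```

Calling validate(SAMPLE_OK) returns an empty list, while validate(SAMPLE_BAD) reports the out-of-range keepalive_timeout, the buffer inequality violation (64k > 28k) and the missing TLSv1.3.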