Configuring a TCP SSL Listener

Last updated: 2021-03-12 14:31:26

    TCP SSL Listener Overview

    You can add a TCP SSL listener to a CLB instance to forward encrypted TCP requests from the client. The TCP SSL protocol is suitable for scenarios that require ultra-high performance and large-scale TLS offloading. With a TCP SSL listener, the backend server can directly obtain the real IP of the client.


    TCP SSL listeners are currently supported only for CLB instances, not classic CLB instances.


    You need to create a CLB instance first.

    Configuring a TCP SSL Listener

    Step 1. Open the "Listener Management" page

    1. Log in to the CLB Console.
    2. Select Instance Management on the left sidebar.
    3. In the instance list, click the ID of the instance to be configured to enter the instance details page.
    4. Click the Listener Management tab or click Configure Listener in the "Operation" column.
    5. The "Listener Management" page is as shown below:

    Step 2. Configure a listener

    Click Create in TCP/UDP/TCP SSL Listener and configure a TCP SSL listener in the pop-up window.

    1. Basic configuration

    Configuration Item: Name
    Description: Listener name
    Example: test-tcpssl-9000

    Configuration Item: Listener protocol and listening port
    Description: Listener protocol and listening port.
      • Listener protocol: CLB supports various protocols, including TCP, UDP, TCP SSL, HTTP, and HTTPS. TCP SSL is used in this example.
      • Listening port: A port used to receive requests and forward them to the real server. Port range: 1-65535.
      • The listener port must be unique in the same CLB instance.
    Example: TCP SSL:9000

    Configuration Item: SSL parsing method
    Description: One-way authentication and mutual authentication are supported
    Example: One-way authentication

    Configuration Item: Server certificate
    Description: You can select an existing certificate in the SSL certificate service or upload a certificate
    Example: Select the existing certificate cc/UzxFoXsE

    Configuration Item: Balancing method
    Description: For TCP SSL listeners, CLB supports two scheduling algorithms: weighted round robin (WRR) and weighted least connections (WLC).
      • WRR: Requests are sequentially delivered to different real servers according to their weights. Scheduling is done based on the number of new connections, where servers with higher weights will undergo more polls (i.e., a higher probability), while servers with the same weight process the same number of connections.
      • WLC: Loads of servers are estimated according to the number of active connections to the servers. Scheduling is done based on server loads and weights. If their weights are the same, servers with fewer active connections will undergo more polls (i.e., a higher probability).
    Example: WRR
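
The two balancing methods described above, compared on the same traffic. This is an added example, not Tencent Cloud code: smooth weighted round robin and the lowest active/weight ratio are assumed stand-ins for CLB's actual implementation, which this page does not describe, and the server names rs-a and rs-b and the connection durations are constructed.

```python
def wrr_pick(weights, state):
    """Smooth weighted round robin, one common WRR variant (assumed, not CLB's code)."""
    for name, weight in weights.items():
        state[name] = state.get(name, 0) + weight
    chosen = max(weights, key=lambda name: state[name])
    state[chosen] -= sum(weights.values())
    return chosen

def wlc_pick(weights, active):
    """Weighted least connections: lowest active/weight ratio wins (assumed rule)."""
    return min(weights, key=lambda name: active[name] / weights[name])

def simulate(algorithm, weights, durations):
    """One new connection per tick; durations[i] is how many ticks connection i stays open.
    Returns (new connections per server, peak active connections per server)."""
    state, open_conns = {}, []        # open_conns holds (server, tick at which it closes)
    new = {name: 0 for name in weights}
    peak = {name: 0 for name in weights}
    for tick, duration in enumerate(durations):
        open_conns = [(s, end) for s, end in open_conns if end > tick]
        active = {n: sum(1 for s, _ in open_conns if s == n) for n in weights}
        if algorithm == "WRR":
            server = wrr_pick(weights, state)     # looks only at weights
        else:
            server = wlc_pick(weights, active)    # looks at current load too
        open_conns.append((server, tick + duration))
        new[server] += 1
        peak[server] = max(peak[server], active[server] + 1)
    return new, peak

# Constructed input: equal weights, every other connection is long-lived.
EQUAL = {"rs-a": 1, "rs-b": 1}
DURATIONS = [10, 1] * 5

if __name__ == "__main__":
    for algo in ("WRR", "WLC"):
        print(algo, simulate(algo, EQUAL, DURATIONS))
```

Both methods hand each server five new connections, but under WRR all long-lived connections pile up on one server, while WLC keeps the peak active count even.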

    The specific configuration of the created TCP SSL listener is as shown below:

    2. Health check

    Configuration Item: Health check status
    Description: Health check can be enabled or disabled. In TCP SSL listeners, CLB instances send SYN packets to the specified server port to perform health checks.
    Example: Enabled

    Configuration Item: Response timeout period
    Description:
      • Maximum response timeout period for health checks.
      • If a real server fails to respond correctly within the timeout period, it is considered abnormal.
      • Value range: 2-60s. Default value: 2s.
    Example: 2s

    Configuration Item: Check interval
    Description:
      • Interval between two health checks.
      • Value range: 5-300s. Default value: 5s.
    Example: 5s

    Configuration Item: Unhealthy threshold
    Description:
      • If the health check results received n times (n is the entered number) in a row are failures, the instance will be considered unhealthy, and the status displayed in the console will be Abnormal.
      • Value range: 2-10. Default value: 3.
    Example: 3 times

    Configuration Item: Healthy threshold
    Description:
      • If the health check results received n times (n is the entered number) in a row are successes, the instance will be considered healthy, and the status displayed in the console will be Healthy.
      • Value range: 2-10. Default value: 3.
    Example: 3 times
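
How the four health check settings above interact, as an added example that is not part of the original page or of CLB itself. The probe uses a full TCP connect in place of a bare SYN, the detection-time formula is a simplified assumption, and the probe history is constructed.

```python
import socket
from dataclasses import dataclass

# Ranges from the health check table on this page: (min, max).
LIMITS = {"timeout_s": (2, 60), "interval_s": (5, 300),
          "unhealthy_threshold": (2, 10), "healthy_threshold": (2, 10)}

@dataclass
class HealthCheck:
    timeout_s: int = 2            # defaults are the page's default values
    interval_s: int = 5
    unhealthy_threshold: int = 3
    healthy_threshold: int = 3

    def __post_init__(self):
        for name, (lo, hi) in LIMITS.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be within {lo}-{hi}")

def tcp_probe(host, port, timeout_s):
    """Full TCP connect standing in for the SYN check: True if the port accepts in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False

def track(results, cfg, healthy=True):
    """Replay probe results; the status flips only after n consecutive opposite results."""
    statuses, streak = [], 0
    for ok in results:
        if ok == healthy:
            streak = 0            # result agrees with the current status
        else:
            streak += 1
            need = cfg.healthy_threshold if ok else cfg.unhealthy_threshold
            if streak >= need:
                healthy, streak = ok, 0
        statuses.append("Healthy" if healthy else "Abnormal")
    return statuses

def approx_detection_s(cfg):
    """Simplified model (an assumption, not documented CLB behaviour): the server fails
    right after a successful probe and every later probe runs into the timeout."""
    return cfg.unhealthy_threshold * cfg.interval_s + cfg.timeout_s

# Constructed probe history: one blip, a real outage, then recovery.
SAMPLE = [True, False, True, False, False, False, True, True, True]
```

A check at this level only shows that the real server's port accepts TCP connections; it says nothing about whether the service behind it answers correctly.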

    The specific configuration of health check is as shown below:

    3. Session persistence (not supported currently)

    Step 3. Bind a real server

    1. On the "Listener Management" page, click the created listener TCP SSL:9000 to view the bound real servers on the right of the listener.
    2. Click Bind, select the real server to be bound, and configure the server port and weight in the pop-up window.
      1. Add Port: In the "Selected" box on the right, click Add Port to add multiple ports for the same CVM instance, such as ports 80, 81, and 82.
      2. Default Port: Enter the "Default Port" first and then select the CVM instance. The port of every CVM instance is the default port.

    After these three steps are completed, the TCP SSL listener rule has been configured as shown below:

    Step 4. Security group (optional)

    You can configure a CLB security group to isolate public network traffic. For more information, see Configuring a CLB Security Group.

    Step 5. Modify/delete a listener (optional)

    If you need to modify or delete a created listener, click the listener on the "Listener Management" page and select Modify or Delete.