Configuring a TCP SSL Listener
Last updated: 2019-11-05 15:25:05
TCP SSL Listener Overview
You can create a TCP SSL listener on a CLB instance to forward encrypted TCP requests from clients. TCP SSL suits scenarios that require ultra-high performance and large-scale TLS offloading. With a TCP SSL listener, the real server can obtain the real client IP directly.
The TCP SSL listener feature is currently in beta and is available only for public network CLB, not private network CLB or classic CLB. To use it, submit a ticket to apply.
You need to create a CLB instance first.
Configuring a TCP SSL Listener
Step 1. Open the "Listener Management" page
- Log in to the CLB Console.
- Select Instance Management on the left sidebar.
- In the instance list, click the ID of the instance to be configured to enter the instance details page.
- Click the Listener Management tab or click Configure Listener in the "Operation" column.
- The "Listener Management" page is as shown below:
Step 2. Configure a listener
Click Create in TCP/UDP/TCP SSL Listener and configure a TCP SSL listener in the pop-up window.
1. Basic configuration
| Configuration Item | Description | Example |
|---|---|---|
| Listener protocol and listening port | Listener protocol and listening port. | |
| SSL parsing method | One-way authentication and mutual authentication are supported | One-way authentication |
| Server certificate | You can select an existing certificate in the SSL certificate service or upload a certificate | Select the existing certificate cc/UzxFoXsE |
| Balancing method | For TCP SSL listeners, CLB supports two scheduling algorithms: weighted round robin (WRR) and weighted least connections (WLC). | |
The specific configuration of the created TCP SSL listener is as shown below:
2. Health check
| Configuration Item | Description | Example |
|---|---|---|
| Health check status | Health check can be enabled or disabled. In TCP SSL listeners, CLB instances send SYN packets to the specified server port to perform health checks. | Enabled |
| Response timeout period | | 2s |
| Unhealthy threshold | | 3 times |
| Healthy threshold | | 3 times |
The specific configuration of health check is as shown below:
3. Session persistence (not supported currently)
Step 3. Bind a real server
- On the "Listener Management" page, click the created listener TCP SSL:9000 to view the bound real servers on the right of the listener.
- Click Bind, then select the real server to be bound and configure the server port and weight in the pop-up window.
- Add Port: In the "Selected" box on the right, click Add Port to add multiple ports for the same CVM instance, such as ports 80, 81, and 82.
- Default Port: Enter the "Default Port" first and then select the CVM instance. The port of every CVM instance is the default port.
After these three steps are completed, the TCP SSL listener rule has been configured as shown below:
Step 4. Security group (optional)
You can configure a CLB security group to isolate public network traffic. For more information, see Configuring a CLB Security Group.
Step 5. Modify/delete a listener (optional)
If you need to modify or delete a created listener, click the listener on the "Listener Management" page and select Modify or Delete.
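Once the listener is created and a real server is bound, a client-side handshake can confirm what the listener presents under one-way authentication. The following is an added example, not part of the original documentation: it verifies the certificate chain and hostname, then reports the negotiated TLS version and the days left on the server certificate. Port 9000 is taken from the listener shown above; the hostname, the 30-day expiry threshold and the TLS 1.2 minimum are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to subject CN, SAN DNS names and days until expiry."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"common_name": subject.get("commonName"), "dns_names": sans,
            "days_left": (expires - now).days}

def findings(report, min_days=30):
    """Return problems worth fixing before the listener takes production traffic."""
    problems = []
    # Assumed policy: anything older than TLS 1.2 is treated as legacy.
    if report["tls_version"] not in ("TLSv1.2", "TLSv1.3"):
        problems.append("legacy protocol negotiated: " + report["tls_version"])
    # Assumed policy: warn when fewer than min_days remain on the certificate.
    if report["days_left"] < min_days:
        problems.append("certificate expires in %d days" % report["days_left"])
    return problems

def probe(host, port=9000, timeout=5.0):
    """Handshake with the listener, verifying chain and hostname as a client would."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            report = summarize_cert(tls.getpeercert())
            report["tls_version"] = tls.version()
            return report

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "clb.example.com"),),),
    "subjectAltName": (("DNS", "clb.example.com"),),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

if __name__ == "__main__":
    import sys
    r = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 9000)
    print(r, findings(r) or "no findings")
```

Run it with the domain name that resolves to the CLB instance as the first argument; a handshake failure raised by `probe` means the certificate did not validate for that name.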