You can create a TCP SSL listener on a CLB instance to forward encrypted TCP requests from clients. TCP SSL is suited to scenarios that require ultra-high performance and large-scale TLS offloading. With a TCP SSL listener, the real server can directly obtain the real client IP.
TCP SSL listeners are currently supported only on CLB instances, not on classic CLB instances.
You need to create a CLB instance first.
Step 1. Configure a listener
- Log in to the CLB console and click Instance Management on the left sidebar.
- Select a region in the top-left corner of the CLB instance list page and click Configure Listener in the Operation column on the right.
- Under TCP/UDP/TCP SSL/QUIC Listener, click Create and configure the TCP SSL listener in the Create Listener pop-up window.
a. Basic configuration
- Listener Protocol and Ports
  - Listener protocol: TCP SSL is used in this example.
  - Listener port: the port used to receive requests and forward them to the real server. Port range: 1-65535.
  - The listener port must be unique within the same CLB instance.
- SSL parsing method
  - One-way authentication and mutual authentication are supported.
  - You can select an existing certificate from the SSL Certificates Service or upload a certificate.
- Scheduling algorithm: for TCP SSL listeners, CLB supports weighted round robin (WRR) and weighted least connections (WLC).
  - WRR: requests are delivered in turn to the real servers according to their weights. Scheduling is based on the number of new connections: servers with a higher weight are selected more often (i.e., with a higher probability), and servers with the same weight handle the same number of connections.
  - WLC: the load of each server is estimated from its number of active connections, and scheduling is based on that load together with the weights. Among servers with the same weight, the one with fewer active connections is selected more often (i.e., with a higher probability).
b. Health check
For more information, see Health Check Configuration.
c. Session persistence (not supported currently)
TCP SSL listeners don't support session persistence currently.
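The following is an added reference model of the two scheduling algorithms described under Basic configuration (WRR and WLC), written for this page and not taken from CLB's own implementation; the backend pool and weights are constructed sample values.

```python
from typing import Dict

# Constructed sample backend pool (not from the page): real server name -> weight.
POOL: Dict[str, int] = {"rs-a": 3, "rs-b": 2, "rs-c": 1}


class WeightedRoundRobin:
    """WRR as described above: new connections are handed out in turn, each
    server getting a share proportional to its weight. This uses the "smooth"
    WRR variant, which spreads a heavy server's turns instead of bunching them."""

    def __init__(self, weights: Dict[str, int]) -> None:
        self.weights = dict(weights)
        self.current = {name: 0 for name in weights}

    def pick(self) -> str:
        total = sum(self.weights.values())
        for name, weight in self.weights.items():
            self.current[name] += weight
        chosen = max(self.current, key=self.current.get)  # ties: first listed
        self.current[chosen] -= total
        return chosen


class WeightedLeastConnections:
    """WLC as described above: load is estimated from active connections,
    normalised by weight; with equal weights the server with fewer active
    connections is preferred."""

    def __init__(self, weights: Dict[str, int]) -> None:
        self.weights = dict(weights)
        self.active = {name: 0 for name in weights}

    def pick(self) -> str:
        # Lowest active/weight ratio wins; ties go to the first server listed.
        chosen = min(self.weights, key=lambda n: self.active[n] / self.weights[n])
        self.active[chosen] += 1
        return chosen

    def release(self, name: str) -> None:
        """Call when a connection to `name` closes."""
        self.active[name] -= 1


def distribute(balancer, n: int) -> Dict[str, int]:
    """Count how n new connections are spread by the given balancer."""
    counts = {name: 0 for name in balancer.weights}
    for _ in range(n):
        counts[balancer.pick()] += 1
    return counts
```

With the sample pool, six new connections under WRR land 3/2/1 on rs-a/rs-b/rs-c; under WLC the split is the same while no connection is released, and a server whose connections close is chosen again first.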
Step 2. Bind a real server
- On the Listener Management page, click the created listener TCP SSL:9000 to view the real servers bound to it on the right.
- Click Bind, select the target real servers, and configure the server port and weight in the pop-up window.
Default port: enter the default port first and then select the CVM instances; each selected CVM instance uses this default port.
Step 3. Configure a security group (optional)
You can configure a CLB security group to isolate public network traffic. For more information, see CLB Security Group Configuration.
Step 4. Modify and delete a listener (optional)
If you need to modify or delete a created listener, click the listener on the Listener Management page and then click the corresponding icon to modify or delete it.