Layer-7 Custom Configuration

Last updated: 2026-01-12 18:49:49
CLB supports custom configurations, allowing you to set the configuration parameters for a single CLB instance, such as client_max_body_size and ssl_protocols, so as to meet your unique needs.
Note:
Each region can have up to 200 entries of custom configurations.
Each instance can be bound to only one entry of custom configuration.
Custom configurations are valid only for layer-7 HTTP/HTTPS CLB (former Application CLB) listeners.

CLB Custom Configuration Parameters

CLB custom configuration supports the following configurations:
| Configuration Field | Default Value/Recommended Value | Value Range | Description |
| --- | --- | --- | --- |
| ssl_protocols | Default value: TLSv1, TLSv1.1, TLSv1.2. Recommended value: TLSv1.2, TLSv1.3 | TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 | Version of the TLS protocol used. |
| ssl_ciphers | | | Cipher suite. |
| client_header_timeout | 60 seconds | 30-120 seconds | Timeout period for obtaining client request headers. Status code 408 is returned on timeout. |
| client_header_buffer_size | 4k | 1-256k | Size of the default buffer where client request headers are stored. |
| client_body_timeout | 60 seconds | 30-120 seconds | Timeout period for obtaining a client request body. This is not the time for obtaining the entire body but the idle period without data transmission. Status code 408 is returned on timeout. |
| client_max_body_size | 60M | 1-10240M | If you set this field to a value in the range of 1-256 MB, there are no other requirements. The maximum value of this field is 10240 MB (or 10 GB). If you set this field to a value greater than 256 MB, you must set proxy_request_buffering to off. |
| keepalive_timeout | 75 seconds | 0-900 seconds | Hold time of the client-server persistent connection. If this field is set to 0, persistent connections are prohibited. If you want to set this parameter to over 900, submit a ticket. The maximum value allowed is 3600. |
| add_header | Custom | - | Headers returned to the client. Set this field in the format of add_header xxx yyy. For example, you can set it to add_header Access-Control-Allow-Methods 'POST, OPTIONS'; add_header Access-Control-Allow-Origin *; for cross-origin scenarios. |
| more_set_headers | Custom | - | Headers returned to the client. Set this field in the format of more_set_headers "A:B". |
| proxy_connect_timeout | 4 seconds | 4-120 seconds | Timeout period for connecting to a real server. |
| proxy_read_timeout | 60 seconds | 30-3600 seconds | Timeout period for reading a real server response. |
| proxy_send_timeout | 60 seconds | 30-3600 seconds | Timeout period for sending a request to a real server. |
| server_tokens | off | on, off | on: displays version information. off: hides version information. |
| keepalive_requests | 100 | [1-10000] | Maximum number of requests that can be sent over the client-server persistent connection. |
| proxy_buffer_size | 16k | [1-32]k | Size of server response headers, which is the size of a single buffer set in proxy_buffer by default. To use proxy_buffer_size, proxy_buffers must be set at the same time. |
| proxy_buffers | 4 16k | Quantity: 3-8; size: 4-16k | Buffer quantity and size. |
| proxy_request_buffering | off | on, off | on: caches the client request body. The CLB instance caches the request and forwards it to the backend CVM instance in multiple parts after the request is completely received. off: does not cache the client request body. After receiving a request, the CLB instance directly forwards it to the backend CVM instance, which increases pressure on the performance of the backend CVM instance. |
| proxy_set_header | X-Real-Port $remote_port | X-Real-Port $remote_port, X-clb-lbid $lbid, Stgw-request-id $stgw_request_id, X-Forwarded-Port $vport, X-Method $request_method, X-Uri $uri | X-Real-Port $remote_port: client port. X-clb-lbid $lbid: CLB LBID, which is the identifier of a CLB instance. Stgw-request-id $stgw_request_id: request ID (used in CLB only). X-Forwarded-Port: CLB listener port. X-Method: client request method. X-Uri: client request URI. |
| send_timeout | 60 seconds | 1-3600 seconds | Timeout period of data transfer from the server to the client, which is the time interval between two consecutive data transfer actions, not the entire request transfer period. |
| ssl_verify_depth | 5 | [1,10] | Verification depth of the client certificate chain. |
| proxy_redirect | http:// https:// | http:// https:// | If the real server returns a redirect or refresh request (status code 301 or 302), proxy_redirect will reset http to https in the HTTP header Location or Refresh for safe redirection. |
| ssl_early_data | off | on, off | Enables or disables TLS 1.3 0-RTT. ssl_early_data takes effect only when the value of ssl_protocols contains TLSv1.3. Consider the risk of replay attacks before enabling ssl_early_data. |
| http2_max_field_size | 4k | [1-256]k | Maximum size of request headers after HPACK compression. |
| proxy_intercept_errors | off | on, off | When configuring error_page, proxy_intercept_errors must be set to on in advance. |
| error_page | - | error_page code [ = [response]] uri | A predefined URI is shown for the specific error code. The default response code is 302. The URI must start with /. |
| proxy_ignore_client_abort | off | on, off | Whether to disconnect the CLB instance from the real server when the client terminates its connection with the CLB instance without waiting for a response. |
| l7_toa | off | on, off | TOA switch. After TOA is enabled, the client source IP and port in the TOA are added to $remote_addr and $remote_port respectively. In this case, the IP information of TOA is passed through to X-Forwarded-For and X-Real-IP. Note: This parameter is only available for IPv4 CLB instances. |
| l7_toa_proxy_transparent | off | on, off | off: when a new connection is set up between a CLB instance and a real server, the 4-tuple source IP address received is encapsulated as the client source IP and sent to the real server. on: the client source IP in TOA is encapsulated as the client source IP and sent to the real server. If long connection is enabled, IPs within the 100.127.0.0/16 range are used. Note: This parameter is only available for IPv4 CLB instances. |
Note:
Requirement on the values of proxy_buffer_size and proxy_buffers: 2 * max(proxy_buffer_size, proxy_buffers.size) ≤ (proxy_buffers.num - 1) * proxy_buffers.size. For example, if proxy_buffer_size is 24 KB and proxy_buffers is 8 8 KB, then 2 * 24 KB = 48 KB ≤ (8 - 1) * 8 KB = 56 KB, which meets the requirement, so there is no configuration error.
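The cross-field rules in the table and note above can be checked before a configuration is pasted into the console. The following Python sketch is an added example, not Tencent Cloud tooling; the function names (parse, num, lint) are hypothetical, it covers only a subset of the table, and it assumes sizes are written in the units the table uses (k for buffers, M for client_max_body_size).

```python
import re

# Timeout ranges in seconds, copied from the parameter table above.
RANGES = {"client_header_timeout": (30, 120), "client_body_timeout": (30, 120),
          "keepalive_timeout": (0, 900), "proxy_connect_timeout": (4, 120),
          "proxy_read_timeout": (30, 3600), "proxy_send_timeout": (30, 3600),
          "send_timeout": (1, 3600)}
# Table defaults that the cross-field rules fall back on when an item is unset.
DEFAULTS = {"ssl_protocols": "TLSv1 TLSv1.1 TLSv1.2", "ssl_early_data": "off",
            "proxy_request_buffering": "off", "proxy_intercept_errors": "off",
            "proxy_buffer_size": "16k", "proxy_buffers": "4 16k",
            "client_max_body_size": "60M"}

def parse(text):
    """Split 'name args;' items into {name: args}; the last occurrence wins."""
    pairs = (item.split(None, 1) for item in text.split(";"))
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def num(value):
    """Leading integer of values such as '60s', '16k' or '512M'."""
    match = re.match(r"\d+", value)
    if not match:
        raise ValueError(f"no numeric value in {value!r}")
    return int(match.group())

def lint(text):
    """Return a list of findings for one custom configuration."""
    given = parse(text)
    cfg = {**DEFAULTS, **given}
    out = []
    for name, (lo, hi) in RANGES.items():
        if name in given and not lo <= num(given[name]) <= hi:
            out.append(f"{name} outside {lo}-{hi} seconds")
    protos = cfg["ssl_protocols"].split()
    if {"TLSv1", "TLSv1.1"} & set(protos):
        out.append("ssl_protocols enables TLSv1/TLSv1.1; recommended: TLSv1.2 TLSv1.3")
    if cfg["ssl_early_data"] == "on":
        out.append("ssl_early_data: 0-RTT data can be replayed" if "TLSv1.3" in protos
                   else "ssl_early_data has no effect without TLSv1.3")
    if num(cfg["client_max_body_size"]) > 256 and cfg["proxy_request_buffering"] != "off":
        out.append("client_max_body_size > 256M requires proxy_request_buffering off")
    if "error_page" in given and cfg["proxy_intercept_errors"] != "on":
        out.append("error_page requires proxy_intercept_errors on")
    if "proxy_buffer_size" in given and "proxy_buffers" not in given:
        out.append("proxy_buffer_size requires proxy_buffers to be set too")
    count, size = (num(v) for v in cfg["proxy_buffers"].split())
    if 2 * max(num(cfg["proxy_buffer_size"]), size) > (count - 1) * size:
        out.append("proxy_buffer_size/proxy_buffers violate the buffer requirement")
    return out
```

Run against the default sample configuration shown later on this page, lint reports only the ssl_protocols finding.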

ssl_ciphers Configuration Instructions

The ssl_ciphers cipher suite string must use the same format as OpenSSL. The algorithm list is one or more <cipher strings> separated with ":"; "!" disables an algorithm, and "+" moves an algorithm to the end of the list.
The following algorithms are forcibly disabled by default: !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE.
Default value:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES;
Value range:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-AES-128-CBC-SHA:ECDH-RSA-AES128-SHA256:DH-RSA-AES128-SHA256:DH-RSA-CAMELLIA128-SHA:DH-DSS-AES256-GCM-SHA384:DH-RSA-AES256-SHA256:AES256-SHA256:SEED-SHA:CAMELLIA256-SHA:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:DH-RSA-AES128-SHA:DH-RSA-AES128-GCM-SHA256:DH-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:DH-DSS-CAMELLIA256-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES128-SHA256:SRP-RSA-AES-256-CBC-SHA:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:DH-DSS-AES256-SHA256:ECDH-ECDSA-AES256-SHA384:AES128-SHA:DH-DSS-AES128-GCM-SHA256:AES128-SHA256:DH-RSA-SEED-SHA:ECDH-ECDSA-AES128-SHA:IDEA-CBC-SHA:AES128-GCM-SHA256:DH-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:DH-RSA-AES256-GCM-SHA384:SRP-RSA-AES-128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:ECDH-RSA-AES128-GCM-SHA256:DH-DSS-CAMELLIA128-SHA:DH-DSS-SEED-SHA:AES256-SHA:DH-RSA-AES256-SHA:kEDH+AESGCM:AES256-GCM-SHA384:DH-DSS-AES256-SHA:HIGH:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE
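Because the string follows OpenSSL syntax, it can be expanded locally to see which concrete suites it selects and which of them lack forward secrecy or AEAD. The following Python sketch is an added example, not part of the CLB documentation; the helper names are hypothetical, and the result reflects the OpenSSL build linked into your Python, which may differ from the build CLB runs.

```python
import ssl

# Default ssl_ciphers value from this page, without the trailing ';' of the config item.
CLB_DEFAULT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!DHE:3DES"
)

def _suites(cipher_string):
    """Suites (as dicts) that the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not controlled by this string and are always listed; skip them.
    return [c for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

def expand(cipher_string):
    """Names of the TLS 1.2-and-below suites, in preference order."""
    return [c["name"] for c in _suites(cipher_string)]

def audit(cipher_string):
    """Flag suites with static RSA key exchange (no forward secrecy) and non-AEAD suites."""
    suites = _suites(cipher_string)
    return {
        "static_rsa": [c["name"] for c in suites if c.get("kea") == "kx-rsa"],
        "non_aead": [c["name"] for c in suites if not c.get("aead")],
    }

if __name__ == "__main__":
    report = audit(CLB_DEFAULT)
    print(len(expand(CLB_DEFAULT)), "suites selected")
    print("static RSA key exchange:", ", ".join(report["static_rsa"]))
    print("non-AEAD (CBC or legacy):", ", ".join(report["non_aead"]))
```

Suites listed under static_rsa are the ones to drop from a custom ssl_ciphers value if every connection should have forward secrecy.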

CLB Custom Configuration Examples

1. Log in to the CLB console and click Custom Configuration in the left sidebar.
2. Select a region at the top of the Custom Configuration page, and click Create.
3. On the Create custom configuration page, enter the configuration name and code configuration items, each item ending with a semicolon (;). After filling in all the information, click Completed.



4. Return to the Custom Configuration page. Click Bind to Instance on the right.
5. In the pop-up window, select a CLB instance to bind, and click Submit.

6. On the Custom Configuration page, click the configured ID to go to its details page. You can check the bound instance on the Bind Instance tab.
7. (Optional) You can now view the corresponding custom configuration information on the instance list page.
Note:
If Bind Custom Configurations is not displayed on the instance list, click the icon in the top-right corner. In the pop-up Customize List Field dialog box, select Bind Custom Configurations, and click OK. The column is then displayed.

The following is sample code for the default configuration. When copying it, make sure there is no blank line at the end.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_header_timeout 60s;
client_header_buffer_size 4k;
client_body_timeout 60s;
client_max_body_size 60M;
keepalive_timeout 75s;
add_header xxx yyy;
more_set_headers "A:B";
proxy_connect_timeout 4s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;

