Configuring HTTP and HTTPS Listeners

Last updated: 2025-06-30 16:50:21

Listener Overview

After creating a Global Accelerator instance, you need to configure a listener for the instance. The listener is responsible for listening to client requests and distributing traffic to backend endpoints.
The following needs to be configured for a Global Accelerator listener:
1. The listening protocol and listening port. The listening port of the listener, also known as the frontend port, is used to receive requests and forward them to the backend server.
2. The listening policies, such as the load balancing policy and session persistence.
3. An added endpoint group. You need to create an endpoint group and add endpoints to it.

Supported Protocol Types

Global Accelerator supports listening to layer-4 and layer-7 requests from clients and distributes these requests to backend endpoints, which then handle the requests. The difference between a layer-4 and a layer-7 listener primarily lies in whether a layer-4 protocol or a layer-7 protocol is used to forward traffic when a user request arrives. For example, layer-4 forwarding is performed on requests with layer-4 protocols such as TCP and UDP, and layer-7 forwarding is performed on requests with layer-7 protocols such as HTTP and HTTPS.
Layer-4 Protocol: Transport layer protocol, which mainly accepts requests through VIP + Port and distributes traffic to the backend server.
Layer-7 Protocol: Application layer protocol, which distributes traffic based on application layer information such as URL and HTTP header.
Tencent Cloud Global Accelerator supports forwarding requests with the following protocols:
TCP (transport layer)
UDP (transport layer)
HTTP (application layer)
HTTPS (application layer)
| Protocol Category | Protocol | Description | Use Cases |
| --- | --- | --- | --- |
| Layer-4 protocol | TCP | A connection-oriented and reliable transport layer protocol. The sender and receiver must complete a three-way handshake to establish a connection before transmitting data. Supports session persistence based on the client IP address (the source IP address). Supports obtaining the client source IP address. | Suitable for scenarios with high requirements on reliability and data accuracy but low requirements on transmission speed, such as file transfer, email sending and receiving, and remote login. For more information, see Configuring TCP and UDP Listeners. |
| Layer-4 protocol | UDP | A connectionless transport layer protocol. The sender and receiver do not establish a connection and do not need to maintain connection status. Each UDP connection can only be point-to-point. Supports one-to-one, one-to-many, many-to-one and many-to-many interactive communications. Supports session persistence based on the client IP address (the source IP address). | Suitable for scenarios with high requirements on transmission efficiency but relatively low requirements on accuracy, such as instant messaging and online video. For more information, see Configuring TCP and UDP Listeners. |
| Layer-7 protocol | HTTP | An application layer protocol. Supports forwarding based on the domain name and URL of a request. | Applications that need to identify the content of requests, such as web applications and app services. |
| Layer-7 protocol | HTTPS | An encrypted application layer protocol. Supports forwarding based on the domain name and URL of a request. With the unified certificate management service, you can upload and replace a certificate in the Global Accelerator console. Supports one-way authentication and two-way authentication. | HTTP applications that require encrypted transmission. |

Supported Port Range

| Port Type | Description | Limit |
| --- | --- | --- |
| Listening port (frontend port) | The listening port is the port used for Global Accelerator to receive requests and forward them to endpoints. The range of ports you can configure is from 1 to 64999. | For one Global Accelerator instance: A listening port of the UDP protocol category can be duplicated with a listening port of the TCP protocol category. For example, you can create the listener TCP: 80 and the listener UDP: 80 at the same time. Listening ports of the same protocol category cannot be duplicated. TCP, TCP SSL, HTTP, and HTTPS are all in the TCP category. For example, you cannot create the listener TCP: 80 and the listener HTTP: 80 at the same time. |
| Endpoint port (backend port) | The endpoint port can be configured for a layer-7 listener. It is the port through which the backend server provides services, and it receives and handles traffic from Global Accelerator. The range of endpoint ports you can configure is from 1 to 64999. | For one Global Accelerator instance: Service ports of different listening protocols can be duplicated. For example, the listener HTTP: 80 and the listener HTTPS: 443 can be bound to the same port of a backend server at the same time. |
| Health check port | The health check port is used for Global Accelerator to send probe requests to the backend server to confirm whether the server is running normally. If the port responds normally, the server is considered healthy. The range of health check ports you can configure is from 1 to 64999. | - |
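
The listening-port limits above can be checked against a planned set of listeners before anything is created in the console. This is an added example, not Tencent Cloud code; the function name `check_listener_ports` and the sample plan are constructed for illustration.

```python
from collections import defaultdict

PORT_MIN, PORT_MAX = 1, 64999
# Conflict category of each listening protocol, as stated in the port table.
CATEGORY = {"TCP": "TCP", "TCP SSL": "TCP", "HTTP": "TCP", "HTTPS": "TCP",
            "UDP": "UDP"}


def check_listener_ports(listeners):
    """Return a list of problems for the (protocol, port) listeners planned
    on one Global Accelerator instance. An empty list means no conflict."""
    problems = []
    seen = defaultdict(list)  # (category, port) -> protocols already on it
    for protocol, port in listeners:
        proto = protocol.upper()
        if proto not in CATEGORY:
            problems.append(f"{protocol}:{port}: unsupported protocol")
            continue
        if (isinstance(port, bool) or not isinstance(port, int)
                or not PORT_MIN <= port <= PORT_MAX):
            problems.append(f"{proto}:{port}: port outside {PORT_MIN}-{PORT_MAX}")
            continue
        key = (CATEGORY[proto], port)
        if seen[key]:
            # Same category and same port: the second listener is rejected.
            problems.append(f"{proto}:{port}: conflicts with "
                            f"{seen[key][0]}:{port} (same {key[0]} category)")
        seen[key].append(proto)
    return problems


# Constructed plan: TCP:80 and UDP:80 may coexist, HTTP:80 may not join them,
# and 65000 is one past the upper port limit.
PLAN = [("TCP", 80), ("UDP", 80), ("HTTP", 80), ("HTTPS", 443), ("HTTPS", 65000)]

if __name__ == "__main__":
    for line in check_listener_ports(PLAN):
        print(line)
```
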
You need to create a listener for a Global Accelerator instance to listen to user requests and forward traffic to backend endpoints. Global Accelerator (GA) supports the TCP, UDP, HTTP, and HTTPS protocols. This section describes how to configure and operate HTTP and HTTPS listeners.

Operation Guide

Prerequisites

You have completed the creation of a Global Accelerator instance.

Creating Listeners

1. Log in to the Global Acceleration Console.
2. On the instance list page, click the target Instance ID and go to the instance details page.
3. Click Add Listener on the listener tab.
4. Configure a listener.
| Configuration Type | Configuration Item | Description |
| --- | --- | --- |
| Basic Configuration | Listener name | Must start with an uppercase or lowercase letter or a Chinese character. Must be 2 to 128 characters in length. May contain digits, periods (.), hyphens (-), and underscores (_). |
| Basic Configuration | Protocol | Supports selecting TCP, UDP, HTTP, and HTTPS. Hypertext Transfer Protocol (HTTP): An application layer protocol, with plaintext transmission and no encryption. It is suitable for non-sensitive information transmission scenarios, such as ordinary web page browsing and data scraping. Hypertext Transfer Protocol Secure (HTTPS): With HTTP and SSL/TLS encryption, it provides data encryption and identity authentication. It is suitable for scenarios that require secure transmission, such as online payment and login authentication. |
| Basic Configuration | Port | The supported port range is from 1 to 64999. |
| Basic Configuration | SSL parsing method | Authentication methods for HTTPS listeners and clients. One-way authentication: The client verifies the server side's identity, but the server side does not verify the client's. If you select this authentication method, you only need to upload the server certificate to Global Accelerator. Mutual authentication: The client and server side verify each other's identities, and the client needs to provide a certificate for the server side to verify. If you select this authentication method, you need to upload both the server certificate and the CA certificate to Global Accelerator. |
| Basic Configuration | Server certificate | A digital certificate issued by a certificate authority (CA) to a website. It is used to verify the server's identity and establish an encrypted connection. After you select one-way authentication and complete the upload, Global Accelerator will return this certificate to the client for establishing an encrypted connection. |
| Basic Configuration | Client CA certificate | A certificate held by a root CA or an intermediate CA. It is used to issue and verify the legitimacy of the server certificate. After you upload it, Global Accelerator will use this certificate to verify the legitimacy of the client. Note: You only need to upload the client CA certificate when you select mutual authentication as the authentication mode. |
| Basic Configuration | TLS security policy group | When creating an HTTPS listener, you can select different TLS security policy groups (tls_policy_1.0-2, tls_policy_1.1-2, tls_policy_1.2, and tls_policy_1.2_strict) as needed. Different policy groups contain different TLS versions and cipher suites. For more information, see TLS Security Policy Group. |
| Advanced Configuration | Obtaining client source IP address | After it is enabled, the X-Forwarded-For, X-Forwarded-IP, X-Forwarded-Proto, and X-Real-IP fields will be carried by default. |
| Advanced Configuration | Idle connection timeout | Specify the idle connection timeout. If there is no data interaction during the timeout period, Global Accelerator will interrupt the current connection and establish a new connection when the next request arrives. Default value: 10s. Configuration range: from 10s to 900s. |
| Advanced Configuration | Connection request timeout | Specify the connection request timeout. It is the maximum waiting time required for a client to establish a connection with a server. If no connection is established after this time period, the connection request is considered timed out. Default value: 60s. Configuration range: from 1s to 180s. |
5. Configure an endpoint group.
When creating a listener, you can create the default endpoint group for it to receive the traffic forwarded by the listener to the backend. When configuring the endpoint group, you need to add endpoints to it and enable health check as needed.
Note:
The node group configured when a listener is first created is the default endpoint group. For a UDP listener, you can only create one default endpoint group, and cannot create any custom endpoint group.
| Configuration Type | Configuration Item | Description |
| --- | --- | --- |
| Endpoint Group | Node group name | Must start with an uppercase or lowercase letter or a Chinese character. Must be 2 to 128 characters in length. May contain digits, periods (.), hyphens (-), and underscores (_). |
| Endpoint Group | Region | The region of the endpoint group. Global Accelerator will forward traffic from the acceleration region to the region of the endpoint group. Note: If the acceleration region and the region of the endpoint group are the same, it might cause poor acceleration. |
| Endpoint Group | Backend service type | An endpoint is the backend origin server that eventually provides services. The endpoint type can be a custom domain name or a custom IP address. |
| Endpoint Group | Backend service | The backend origin server that eventually provides services. You can add up to 4 endpoints to an endpoint group. You can enter custom IP addresses or custom domain names. For example: 10.1.1.1, 192.168.0.0, 1.1.1.1, example.com |
| Endpoint Group | Weight | Endpoint node weight. The value range of the weight is from 1 to 100. Global Accelerator will distribute business traffic to backend servers according to the endpoint weight you configure. |
| Endpoint Group | Origin-pull protocol | The protocol used when Global Accelerator performs origin-pull to an endpoint. HTTP as the listening protocol: Only HTTP can be selected as the origin-pull protocol. HTTPS as the listening protocol: HTTP or HTTPS can be selected as the origin-pull protocol. |
| Endpoint Group | Port mapping | You can configure the mapping relationship between the listening port and the backend service port. Based on the configuration, Global Accelerator will forward data packets to the port corresponding to the endpoint. Listening port: Cannot be modified. It is consistent with the listener port. Endpoint port: Can be modified. The configuration range is from 1 to 64999. |
| Endpoint Group | Health check | Enabled: Global Accelerator will check the availability of the backend origin server according to the configured health check parameters. Disabled: Global Accelerator will not perform health checks or detection on the origin server. |
| Endpoint Group | Protocol check | The network protocol used for Global Accelerator to check whether the backend server is available. For HTTP and HTTPS listeners, only the HTTP protocol can be used for health checks. |
| Endpoint Group | Response timeout | The maximum time that Global Accelerator waits for the server to respond after sending a health check request to the backend server. If no response is received after the timeout, this check is determined as failed. Default value: 2s. Configuration range: from 2s to 60s. |
| Endpoint Group | Health check interval | The time interval between two health checks. Default value: 30s. Configuration range: from 5s to 300s. |
| Endpoint Group | Unhealthy threshold | After the number of consecutive health check failures reaches this threshold, the backend server will be marked as unhealthy and removed from the traffic distribution pool. Default value: 3 times. Configuration range: from 1 to 10 times. |
| Endpoint Group | Health threshold | After the number of consecutive health check successes reaches this threshold, an unhealthy server will be re-marked as healthy and its traffic distribution will be recovered. Default value: 3 times. Configuration range: from 1 to 10 times. |
| Endpoint Group | Domain name check | The domain name used in the request during a health check. |
| Endpoint Group | Path check | Specify the URL path (such as /checkHealth) of the health check. Global Accelerator will send an HTTP request to this path and determine whether the service is healthy based on the returned status code. |
| Endpoint Group | Request method | It can be the HEAD method or the GET method. HEAD: Only request the response header. It is lightweight and efficient. GET: Obtain the full response. It is suitable for scenarios where content integrity needs to be checked. |
| Endpoint Group | Status code for monitoring | The health check accesses the specified path (such as /health) through a HEAD or GET request. If the returned status code is within the preset range and has not timed out, the service will be marked as healthy. Otherwise, the isolation mechanism will be triggered. You can configure the following status codes for monitoring: http_2xx, http_3xx, http_4xx, and http_5xx. |
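
How the response timeout, interval, thresholds and monitored status codes combine into a healthy or unhealthy verdict, as an added example that is not Tencent Cloud code. It assumes the endpoint starts healthy and that probes fire exactly one interval apart; the class name and the probe sequence are constructed.

```python
from dataclasses import dataclass


@dataclass
class HealthCheck:
    timeout_s: float = 2               # response timeout, 2-60 s
    interval_s: int = 30               # health check interval, 5-300 s
    unhealthy_threshold: int = 3       # consecutive failures, 1-10
    healthy_threshold: int = 3         # consecutive successes, 1-10
    ok_classes: tuple = ("http_2xx",)  # status codes for monitoring

    def probe_ok(self, status, latency_s):
        """A probe passes only if a response arrived within the timeout
        and its status class is one of the monitored classes."""
        if status is None or latency_s > self.timeout_s:
            return False
        return f"http_{status // 100}xx" in self.ok_classes

    def timeline(self, probes, healthy=True):
        """Replay (status, latency_s) probes and return [(t_seconds, healthy)].
        Assumptions of this sketch: the endpoint starts healthy and probes
        fire exactly one interval apart."""
        run, out = 0, []
        for i, (status, latency_s) in enumerate(probes):
            ok = self.probe_ok(status, latency_s)
            # Count only consecutive results that contradict the current state.
            run = run + 1 if ok != healthy else 0
            limit = self.unhealthy_threshold if healthy else self.healthy_threshold
            if run >= limit:
                healthy, run = not healthy, 0
            out.append((i * self.interval_s, healthy))
        return out


# Constructed probe results: (HTTP status or None for no response, latency in s).
PROBES = [(200, 0.1), (500, 0.1), (500, 0.1), (200, 0.1), (500, 0.2),
          (None, None), (200, 3.0), (200, 0.1), (200, 0.1), (200, 0.1)]

STRICT = HealthCheck()
LENIENT = HealthCheck(ok_classes=("http_2xx", "http_4xx", "http_5xx"))

if __name__ == "__main__":
    for name, hc in (("2xx only", STRICT), ("2xx/4xx/5xx", LENIENT)):
        print(name, hc.timeline(PROBES))
```

With the same probes, monitoring only http_2xx isolates the endpoint at t=180s and restores it at t=270s, while also accepting http_4xx and http_5xx keeps an endpoint that is returning errors in rotation throughout.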
