HTTP/HTTPS Listener FAQ

Source: Internet
Author: User
Tags response code ticket url forwarding

Nobody gets to live life backwards. Look ahead, that's where your future lies.

Location: Newport, NJ, U.S.

While learning IntelliJ IDEA for the first time, I was not very familiar with HTTP listeners when configuring the web.xml file, so I consulted the documentation to understand the principles and keep them for future review.

1. Why are some parameters in the backend server's response header removed after the request has been forwarded through a Layer 7 load balancer?

To implement session persistence, load balancing modifies the values of parameters such as Date, Server, X-Pad and X-Accel-Redirect in the backend server's response header.

Solution:

    • Add a prefix to the custom header name, such as xl-server or xl-date, so that load balancing does not process it.

    • Change the Layer 7 HTTP listener to a Layer 4 TCP listener.

2. Why has the Transfer-Encoding: chunked field been added to the header of the HTTP request?

After the domain name is resolved to the service address of a Layer 7 load balancer, a Transfer-Encoding: chunked field is added to the header of the HTTP request when the domain name is accessed from the local host, but the field is absent when the backend server is accessed directly from the local host.

This is because the Layer 7 load balancer is implemented on top of the Tengine reverse proxy. The Transfer-Encoding field indicates how the web server encodes the response message body; for example, Transfer-Encoding: chunked indicates that the web server sends the response message body in chunks.

Note: With a Layer 4 load balancing service, load balancing only forwards traffic, so this field is not added.

3. Why does the site load normally through the HTTP listener, but without its styles through the HTTPS listener?

Symptom:

Create an HTTP listener and an HTTPS listener that use the same backend servers. When the site is accessed through the HTTP listener's port, it displays normally, but when it is accessed through the HTTPS listener, the page layout is garbled.

Cause:

By default, load balancing does not block the loading or transmission of JS files. Possible causes:

    • The certificate is incompatible with the browser's security level.

    • The certificate is an unofficial third-party certificate; contact the certificate issuer to check for certificate problems.

Solution:

    1. When you open the web site, follow the browser prompts to load the script.

    2. Add the corresponding certificate to the client.

4. Which port does an HTTPS listener use?

HTTPS listeners have no special port requirements; we recommend that you use port 443.

5. Which types of certificates does load balancing support?

Server certificates and CA certificates in PEM format can be uploaded.

For a server certificate, upload both the certificate content and the private key; for a CA certificate, upload only the certificate content.

6. Does load balancing support certificates created by Keytool?

Yes.

However, before uploading the certificate, you need to convert it to PEM format; see "conversion certificate format" for details. (To be noted later.)

7. Can I use a certificate in the PKCS#12 (PFX) format?

Yes.

However, before uploading the certificate, you need to convert it to PEM format; see "conversion certificate format" for details. (To be noted later.)

8. How many certificates can I upload for an account?

You can upload up to 100 certificates per account, including CA certificates and server certificates.

9. Why does a keyencryption error occur when you add a certificate?

This error is caused by incorrect private key content. For a description of the private key format, see "certificate requirements". (To be noted later.)

10. How many certificates can be bound to an HTTPS listener?

With HTTPS one-way authentication, a listener can bind only one server certificate. With HTTPS two-way authentication, a listener needs to bind one server certificate and one CA certificate.

11. Which SSL protocol versions do load balancing HTTPS listeners support?

TLSv1, TLSv1.1 and TLSv1.2.

12. Why does the HTTPS protocol actually generate more traffic than the billed traffic?

The HTTPS protocol uses some traffic for the protocol handshake, so it actually generates more traffic than the billed traffic.

13. What is the retention time of an HTTPS session ticket?

The HTTPS session ticket retention time is 300 seconds.

14. Can I upload a certificate containing the DH parameters field?

The ECDHE cipher suites used by HTTPS listeners support forward secrecy. Uploading the security-enhancement parameter files required by the DHE cipher suites is not supported; that is, a PEM certificate file that contains a BEGIN DH PARAMETERS field cannot be uploaded.
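The upload rules in questions 5 and 14 can be checked locally before a certificate is submitted. The following is an added example, not code from the original page or from the load balancing service: the function names and the sample PEM blocks are constructed for illustration, and the base64 check is only a structural assumption about what "wrong private key content" can look like, not the service's own validation.

```python
import base64
import re

# One PEM block: -----BEGIN LABEL----- <body> -----END LABEL-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, body_is_valid_base64)] for each PEM block in text."""
    out = []
    for label, body in PEM_BLOCK.findall(text):
        # Drop blank lines and legacy "Name: value" header lines.
        lines = [l.strip() for l in body.splitlines() if l.strip() and ":" not in l]
        try:
            base64.b64decode("".join(lines), validate=True)
            out.append((label, True))
        except ValueError:  # binascii.Error is a ValueError subclass
            out.append((label, False))
    return out

def check_upload(kind, cert_pem, key_pem=""):
    """kind is 'server' or 'ca'. Returns a list of problems; [] means pass."""
    certs, keys = pem_blocks(cert_pem), pem_blocks(key_pem)
    problems = []
    if any(label == "DH PARAMETERS" for label, _ in certs + keys):
        problems.append("contains BEGIN DH PARAMETERS (not supported)")
    if not any(label == "CERTIFICATE" for label, _ in certs):
        problems.append("no CERTIFICATE block in certificate content")
    has_key = any(label.endswith("PRIVATE KEY") for label, _ in keys)
    if kind == "server" and not has_key:
        problems.append("server certificate needs a private key")
    if kind == "ca" and key_pem.strip():
        problems.append("CA certificate upload takes certificate content only")
    problems += [f"{label} body is not valid base64"
                 for label, ok in certs + keys if not ok]
    return problems

def sample_block(label, payload=b"constructed sample bytes, not real key material"):
    """Build a constructed PEM block for the demo (not a real certificate)."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

CERT = sample_block("CERTIFICATE")
KEY = sample_block("RSA PRIVATE KEY")
BAD_KEY = "-----BEGIN RSA PRIVATE KEY-----\nnot*base64\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_upload("server", CERT, KEY))
    print(check_upload("server", CERT + sample_block("DH PARAMETERS"), KEY))
    print(check_upload("server", CERT, BAD_KEY))
```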

15. Do HTTPS listeners support SNI?

SNI (Server Name Indication) is an SSL/TLS extension that addresses the case of one server using multiple domain names and certificates. Load balancing HTTPS listeners currently do not support SNI.

If you need this, you can use a TCP listener instead and implement SNI on the backend server.

16. Which HTTP protocol version do HTTP/HTTPS listeners use to access the backend server?

HTTP/1.0.

17. Can the backend server obtain the protocol version that the client used to access the HTTP/HTTPS listener?

Yes.

18. When a request reaches the backend server through the load balancer, and the client actively disconnects from the load balancer before the load balancer has received the backend server's reply, does load balancing disconnect from the backend server at the same time?

Load balancing does not disconnect from the backend server during the read and write process.

19. Do HTTP/HTTPS listeners support WebSocket and WebSocket over SSL?

All regions now support the WS/WSS protocols; see the WS/WSS protocol Support FAQ for details.

20. What are the timeout periods for HTTP/HTTPS connections?

    • An HTTP keep-alive connection is limited to a maximum of 100 consecutive requests; the connection is closed when the limit is exceeded.

    • The timeout between two HTTP/HTTPS requests on an HTTP keep-alive connection is 15 seconds (with an error of 1-2 seconds), after which the TCP connection is closed. If you need long-lived connections, try to send a heartbeat request within 13 seconds.

    • The timeout for completing the TCP three-way handshake between the load balancer and a backend ECS instance is 5 seconds. After the timeout, the next ECS instance is selected. The problem can be located by querying the upstream response time in the access log.

    • The load balancer waits up to 60 seconds for an ECS instance to reply to a request. After the timeout, it typically returns a 504 or 408 response code to the client. The problem can be located by querying the upstream response time in the access log.

    • An HTTPS session can be reused for 300 seconds, after which the same client needs to complete the SSL handshake again.
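The first two limits interact: a client that keeps a connection alive with heartbeats still uses up the 100-request allowance. The following added example, which is not from the original page, plans connects and heartbeats for one client under those two limits. The function names are hypothetical, and it assumes that every heartbeat is an ordinary request that counts toward the 100-request cap and that any gap longer than 13 seconds may already have closed the connection.

```python
SAFE_GAP = 13        # seconds; 15 s idle timeout minus up to 2 s of error
MAX_REQUESTS = 100   # consecutive requests allowed on one connection

def plan(request_times, heartbeat=True):
    """Return [(time, event)] for one client, event being 'connect',
    'request' or 'heartbeat'. Times are seconds."""
    events = []
    last = None   # time of the last request on the current connection
    used = 0      # requests already sent on the current connection

    def send(t, kind):
        nonlocal last, used
        # A new connection is needed at the start, after the request cap,
        # or when the idle gap may have exceeded the listener's timeout.
        if last is None or used >= MAX_REQUESTS or t - last > SAFE_GAP:
            events.append((t, "connect"))
            used = 0
        events.append((t, kind))
        last, used = t, used + 1

    for t in sorted(request_times):
        # Fill long idle gaps with heartbeats (assumption: each heartbeat
        # is an ordinary request and counts toward MAX_REQUESTS).
        while heartbeat and last is not None and t - last > SAFE_GAP:
            send(last + SAFE_GAP, "heartbeat")
        send(t, "request")
    return events

def times(events, kind):
    """Timestamps of all events of one kind."""
    return [t for t, k in events if k == kind]

if __name__ == "__main__":
    demo = plan([0, 5, 40])
    print(times(demo, "connect"), times(demo, "heartbeat"))
    idle = plan([0, 2000])
    print(times(idle, "connect"), len(times(idle, "heartbeat")))
```

With heartbeats every 13 seconds, an otherwise idle connection is replaced after 1300 seconds, when the hundredth request on it has been sent.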

21. Does load balancing support configuring domain name and URL forwarding policies?

Yes. See Configuring the Domain name URL forwarding policy for details.

22. How many domain names and URL forwarding rules can be added per listener?

You can add up to 20 forwarding rules per listener.
