Menu
We've been using nginx compiled with the spdy module for some time now and despite only being draft 2 of the specs are quite pleased with its performance.
However we now have the need to horizontally scale and have put our EC2 instances behind an Elastic Load Balancer.
Since ELB doesn't support the NPN protocol we have set the listeners to the following:
SSL 443 -> SSL 443
We have also enabled the new proxy-protocol as described here:
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html
Everything works completely fine with this configuration. Our app is successfuly loadbalanced across our instances.
However when running http://spdycheck.org/ it reports that SPDY is not enabled. Yet if I point spdycheck to the elastic IP of a single instance, it correctly reports SPDY as being enabled.
Any help would be greatly appreciated.
400
You can use Amazon Elastic Compute Cloud (Amazon EC2) instances or IP addresses (for example with AWS Fargate) as gRPC targets, with support for gRPC health checks for the target groups.
Within a target group, ALB will use gRPC specific health checks to determine availability of targets and provide gRPC specific access logs to monitor your traffic. This release also provides customers the ability to configure HTTP/2 as the protocol for your target groups.
In AWS, it is recommended to design the applications for multiple availability zones for HA to make sure the application works even after a AZ failure. ELB is having redundancy within the AZ, so it won't fail but risk is high if you don't go with multiple AZ setup.
Unlike a Classic Load Balancer or an Application Load Balancer, a Network Load Balancer can't have application layer (layer 7) HTTP or HTTPS listeners. It only supports transport layer (layer 4) TCP listeners. HTTP and HTTPS traffic can be routed to your environment over TCP.
Doing SSL -> SSL doesnt send the whole TCP packets to your webserver. AWS decypts the packets using the certificate and re-encrypt it. Your backend only receives the modified packets. The viable option is to change the protocols to TCP but you will need nginx proxy patch for http headers or to work better.
I'm having same problem as well and waiting for either AWS to enable NPN negotiaition on ELBs or nginx add the accept-proxy patch to its module.
67
We just released it last night at https://www.ritani.com. You'll need a version of nginx that supports spdy and proxy_protocol. We are on 1.6.2.
Through the AWS CLI add and attach the proxy_protocol to your ELB. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html#enable-proxy-protocol-cli
Through the AWS Web UI for that ELB, remove any 443 listeners. Add a new listener as TCP 443 -> TCP 443.
In your nginx config server block:
listen 443 ssl spdy proxy_protocol;
add_header Alternate-Protocol 443:npn-spdy/3;
all the standard ssl directives...
To get ocsp stapling to work I had to use three certs. The standard way of concatenating my.crt and my.intermediate.crt didn't work. I had to break them out as follows.
ssl_certificate /etc/nginx/ssl/my.crt;
ssl_certificate_key /etc/nginx/ssl/my.private.key;
ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;
Lastly, swap any instances of $remote_addr with $proxy_protocol_addr. $remote_addr is now the elb and $proxy_protocol_addr is the remote client's ip.
42
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
