 

Has anyone managed to get SPDY to work behind an Amazon ELB?

We've been using nginx compiled with the SPDY module for some time now and, despite it only being draft 2 of the spec, are quite pleased with its performance.

However we now have the need to horizontally scale and have put our EC2 instances behind an Elastic Load Balancer.

Since ELB doesn't support the NPN protocol we have set the listeners to the following:

SSL 443 -> SSL 443

We have also enabled the new proxy-protocol as described here:

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

Everything works completely fine with this configuration. Our app is successfully load-balanced across our instances.

However when running http://spdycheck.org/ it reports that SPDY is not enabled. Yet if I point spdycheck to the elastic IP of a single instance, it correctly reports SPDY as being enabled.

Any help would be greatly appreciated.

Gordo asked Nov 14 '13 16:11



2 Answers

Doing SSL -> SSL doesn't send the whole TCP packets to your webserver. AWS decrypts the packets using the certificate and re-encrypts them. Your backend only receives the modified packets. The viable option is to change the protocols to TCP, but you will need the nginx proxy patch for HTTP headers for it to work better.

I'm having the same problem as well and am waiting for either AWS to enable NPN negotiation on ELBs or nginx to add the accept-proxy patch to its module.

oBa answered Oct 08 '22 18:10
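What a TCP 443 -> TCP 443 listener with proxy protocol actually hands the backend, as an added example (not code from the page, from AWS or from nginx): the ELB prepends a cleartext "PROXY TCP4 src dst sport dport\r\n" line and then passes the client's TLS bytes through untouched, which is why the TLS handshake (and NPN) still happens on the instance. The parser below handles the v1 line, and client_address() models how nginx's realip module decides whether to believe it. The trusted range 10.0.0.0/16, the sample connection bytes and the addresses in it are constructed for this example. The security caveat it encodes: a PROXY header is unauthenticated, so it must only be honoured from peers that really are the load balancer; anyone who can reach the instance directly could otherwise pick the client IP that ends up in your logs and rate limits.

```python
"""PROXY protocol v1 handling, as an added example (not code from the page or from nginx)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: the ELB's nodes live in this VPC range. Only peers from here may
# assert a client address via the PROXY header; anyone else could spoof one.
TRUSTED_PROXY_SOURCES = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed sample of what the ELB sends in TCP mode with proxy protocol on:
# a cleartext PROXY line, then the client's own bytes untouched (here the first
# three bytes of a TLS record header, 0x16 0x03 0x01, the start of a ClientHello).
SAMPLE_CONNECTION = b"PROXY TCP4 203.0.113.7 10.0.1.5 51234 443\r\n\x16\x03\x01"

MAX_V1_LINE = 107  # bytes including the trailing CRLF, per the PROXY protocol spec


@dataclass(frozen=True)
class ProxyHeader:
    family: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyHeader], bytes]:
    """Split a v1 PROXY line off the front of a connection's first bytes.

    Returns (header, remaining_bytes); header is None for 'PROXY UNKNOWN'.
    Raises ValueError on anything malformed, which a server should treat as
    a reason to close the connection rather than fall back to plain TLS.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)  # CRLF must end within 107 bytes
    if end < 0:
        raise ValueError("no PROXY line terminator within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if len(parts) > 1 and parts[1] == "UNKNOWN":
        return None, rest  # sender has no address info; rest of line is ignored
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line: %r" % data[:end])
    family = parts[1]
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match %s" % family)
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ValueError("ports must be unsigned decimal")
    sport, dport = int(parts[4]), int(parts[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return ProxyHeader(family, str(src), str(dst), sport, dport), rest


def client_address(peer_ip: str, data: bytes) -> Tuple[str, bytes]:
    """Choose the address to log / rate-limit on, the way nginx's realip module
    does with 'real_ip_header proxy_protocol' plus 'set_real_ip_from'.

    The listener always consumes the PROXY line (a connection without one is
    rejected), but the address inside it is honoured only when the TCP peer is
    a trusted load balancer; otherwise the peer's own address is reported.
    """
    header, rest = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PROXY_SOURCES)
    if header is None or not trusted:
        return peer_ip, rest
    return header.src_addr, rest
```

Pair the trusted-range check with a security group that only admits port 443 from the ELB's security group; the header check alone does not stop someone from connecting to the instance's own IP, it only stops them from choosing what address you record.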


We just released it last night at https://www.ritani.com. You'll need a version of nginx that supports spdy and proxy_protocol. We are on 1.6.2.

Through the AWS CLI, add and attach the proxy_protocol policy to your ELB: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html#enable-proxy-protocol-cli

Through the AWS Web UI for that ELB, remove any 443 listeners. Add a new listener as TCP 443 -> TCP 443.

In your nginx config server block:

    listen 443 ssl spdy proxy_protocol;
    add_header Alternate-Protocol 443:npn-spdy/3;
    # ...all the standard ssl directives...

To get OCSP stapling to work I had to use three certs. The standard way of concatenating my.crt and my.intermediate.crt didn't work. I had to break them out as follows:

    ssl_certificate         /etc/nginx/ssl/my.crt;
    ssl_certificate_key     /etc/nginx/ssl/my.private.key;
    ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;

Lastly, swap any instances of $remote_addr with $proxy_protocol_addr. $remote_addr is now the ELB and $proxy_protocol_addr is the remote client's IP.

sapel answered Oct 08 '22 18:10
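The procedure in the answer above, assembled into one complete nginx configuration as an added example (not the answer's or ritani.com's actual config): TCP passthrough on the ELB, proxy_protocol on the listener, OCSP stapling with the intermediate split out, and the real client address recovered for logging and for the upstream. The server name, certificate paths, backend address, the 10.0.0.0/16 ELB range and the resolver address are assumptions. It goes one step further than the answer by using the realip module (set_real_ip_from + real_ip_header proxy_protocol), which rewrites $remote_addr itself, but only for connections whose TCP peer is in the listed range; that is the check that stops a direct connection from spoofing a client IP via a forged PROXY line.

```nginx
# Added example config, not from the original page. nginx 1.6.x (spdy + proxy_protocol),
# sitting behind a Classic ELB with a TCP 443 -> TCP 443 listener and ProxyProtocol enabled.
http {
    # Believe the PROXY header only when the TCP peer is the load balancer.
    # 10.0.0.0/16 is an assumed VPC range; list the subnets the ELB's nodes live in.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   proxy_protocol;

    # With the realip module, $remote_addr is already the client for trusted
    # peers; $proxy_protocol_addr is kept here as well so the two can be compared.
    log_format proxied '$remote_addr via $proxy_protocol_addr - [$time_local] '
                       '"$request" $status $body_bytes_sent "$http_user_agent"';
    access_log /var/log/nginx/access.log proxied;

    server {
        # The ELB passes TLS through untouched, so TLS (and NPN for SPDY)
        # terminates here; the PROXY line precedes the ClientHello.
        listen 443 ssl spdy proxy_protocol;
        server_name example.com;            # assumed

        ssl_certificate         /etc/nginx/ssl/my.crt;
        ssl_certificate_key     /etc/nginx/ssl/my.private.key;

        # OCSP stapling: the intermediate is given separately, as the answer found
        # necessary, and a resolver is required so nginx can fetch OCSP responses.
        ssl_stapling            on;
        ssl_stapling_verify     on;
        ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;
        resolver                169.254.169.253 valid=300s;   # assumed: VPC DNS resolver

        # Advertise SPDY to clients that arrive over plain HTTP/1.1 first.
        add_header Alternate-Protocol 443:npn-spdy/3;

        location / {
            # Forward the real client address, not the ELB's, to the application.
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            proxy_set_header X-Real-IP       $proxy_protocol_addr;
            proxy_set_header Host            $host;
            proxy_pass http://127.0.0.1:8080;   # assumed application backend
        }
    }
}
```

Two checks worth running after deploying this: connect to an instance's own IP on 443 with openssl s_client and confirm the handshake fails (the listener expects a PROXY line first, so direct connections that bypass the ELB are rejected), and confirm the instance security group admits 443 only from the ELB's security group, since the set_real_ip_from line protects the logged address but not the port itself. Note that if $remote_addr is rewritten by the realip module as above, the global swap to $proxy_protocol_addr the answer describes is no longer needed, but it remains correct either way.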