Has anyone managed to get SPDY to work behind an Amazon ELB?
We've been using nginx compiled with the spdy module for some time now and, despite it only being draft 2 of the spec, are quite pleased with its performance.

However we now have the need to horizontally scale and have put our EC2 instances behind an Elastic Load Balancer.

Since ELB doesn't support the NPN protocol we have set the listeners to the following:

SSL 443 -> SSL 443

We have also enabled the new proxy-protocol as described here:

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

Everything works completely fine with this configuration. Our app is successfully load-balanced across our instances.

However when running http://spdycheck.org/ it reports that SPDY is not enabled. Yet if I point spdycheck to the elastic IP of a single instance, it correctly reports SPDY as being enabled.

Any help would be greatly appreciated.

Rang answered 14/11, 2013 at 16:57
Doing SSL -> SSL doesn't send the whole TCP packets to your webserver. AWS decrypts the packets using the certificate and re-encrypts them. Your backend only receives the modified packets. The viable option is to change the protocols to TCP, but you will need the nginx proxy patch for http headers or to work better.

I'm having the same problem as well and waiting for either AWS to enable NPN negotiation on ELBs or nginx to add the accept-proxy patch to its module.

Louie answered 11/12, 2013 at 13:27
I have the same problem, has there been any update on either of these? - Piccadilly
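To make concrete what "the nginx proxy patch" has to do once the ELB listener is switched to TCP passthrough with proxy protocol: the ELB prepends one PROXY protocol v1 line to every connection, and the backend must strip and validate it before handing the rest of the stream (the untouched TLS ClientHello, NPN extension included) to the TLS layer. The parser below is an added example written for this page, not code from the answer, from nginx or from AWS; the sample stream and the client address 203.0.113.7 are constructed.

```python
"""PROXY protocol v1 parser, illustrating what an nginx build with
proxy_protocol support must do on every connection that arrives via an
ELB TCP listener. Added example; not code from the page. The sample
stream below is constructed: a v1 header followed by the first bytes of a
TLS record, which is what the backend sees when the ELB passes TLS through."""
import ipaddress

MAX_V1_HEADER = 107  # spec maximum for a v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """Raised for anything that is not a well-formed v1 header."""


def parse_proxy_v1(data: bytes):
    """Split a TCP stream into (client_tuple, payload).

    client_tuple is (src_ip, src_port, dst_ip, dst_port), or None for the
    "PROXY UNKNOWN" form, which carries no address information.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("no PROXY v1 signature")
    # CRLF must appear within the first 107 bytes; never scan further.
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("header not terminated within %d bytes" % MAX_V1_HEADER)
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII bytes in header") from None
    fields = line.split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6:
        raise ProxyHeaderError("expected 6 fields, got %d" % len(fields))
    _, family, src, dst, sport, dport = fields
    if family not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported family %r" % family)
    version = 4 if family == "TCP4" else 6
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        raise ProxyHeaderError("malformed address") from None
    if src_ip.version != version or dst_ip.version != version:
        raise ProxyHeaderError("address family does not match %s" % family)
    ports = []
    for p in (sport, dport):
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ProxyHeaderError("bad port %r" % p)
        ports.append(int(p))
    return (str(src_ip), ports[0], str(dst_ip), ports[1]), payload


def rejects(data: bytes) -> bool:
    """True if the parser refuses data; exercises the validation paths."""
    try:
        parse_proxy_v1(data)
    except ProxyHeaderError:
        return True
    return False


def is_tls_handshake(payload: bytes) -> bool:
    """True if the bytes after the PROXY header start a TLS handshake record
    (0x16 = handshake, 0x03 = major record version), i.e. the ClientHello
    reached the backend unmodified."""
    return len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03


# Constructed sample: ELB header for a client at 203.0.113.7, then a TLS
# handshake record header followed by the start of a ClientHello.
SAMPLE_STREAM = (b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 443\r\n"
                 b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")

if __name__ == "__main__":
    client, rest = parse_proxy_v1(SAMPLE_STREAM)
    print("client:", client, "TLS handshake follows:", is_tls_handshake(rest))
```

The security-relevant part is the strict validation: because a listener that expects proxy protocol will believe whatever address the header carries, a backend must only accept these connections from the load balancer (security group rules restricting port 443 to the ELB), and must reject anything malformed rather than fall back to trusting the peer address.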
We just released it last night at https://www.ritani.com. You'll need a version of nginx that supports spdy and proxy_protocol. We are on 1.6.2.

Through the AWS CLI add and attach the proxy_protocol to your ELB. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html#enable-proxy-protocol-cli

Through the AWS Web UI for that ELB, remove any 443 listeners. Add a new listener as TCP 443 -> TCP 443.

In your nginx config server block:

listen 443 ssl spdy proxy_protocol;

add_header Alternate-Protocol 443:npn-spdy/3;

all the standard ssl directives...

To get OCSP stapling to work I had to use three certs. The standard way of concatenating my.crt and my.intermediate.crt didn't work. I had to break them out as follows.

ssl_certificate /etc/nginx/ssl/my.crt;

ssl_certificate_key /etc/nginx/ssl/my.private.key;

ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;

Lastly, swap any instances of $remote_addr with $proxy_protocol_addr. $remote_addr is now the ELB and $proxy_protocol_addr is the remote client's IP.

Mulley answered 29/1, 2015 at 20:46
Sapel, you now have ELB -> NGINX -> App supporting SSL and SPDY? If so, can you specify where the SSL is terminated? - Gatto
SSL is terminated in NGINX. No longer in the load balancer. - Mulley
Couldn't we just terminate on the app servers? Then it would be ELB -> App1 or ELB -> App2. Do you run nginx on the app servers? - Halleyhalli
I guess you could if your app server supports spdy and proxy_protocol. We run nginx in front of them and proxy_pass specific paths to the app server. - Mulley
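The steps in the answer above, assembled into one complete server block as an added example (this is not the answer's own configuration and not from the ritani.com deployment). The certificate paths follow the answer; the server name, upstream address, resolver, log path and the ELB address range 10.0.0.0/8 are assumptions. It also shows an alternative to editing every $remote_addr by hand: nginx's realip module can take the client address from the PROXY header (real_ip_header proxy_protocol, available since nginx 1.5.12), as long as it is restricted to the load balancer's range.

```nginx
# Added example: nginx in TCP-passthrough mode behind an ELB whose
# 443 listener is TCP 443 -> TCP 443 with proxy protocol enabled.
# TLS (and the NPN negotiation that SPDY needs) terminates here, not at the ELB.
http {
    # Only believe PROXY headers from the ELB's range (assumed 10.0.0.0/8).
    # Never use 0.0.0.0/0 here: anyone who can reach the instance directly
    # could then spoof the client address in the log and in the app.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   proxy_protocol;   # $remote_addr becomes the real client

    # $proxy_protocol_addr is always the PROXY-header address; logging both
    # makes a mismatch (a spoofed or missing header) visible.
    log_format proxied '$remote_addr pp=$proxy_protocol_addr - $remote_user '
                       '[$time_local] "$request" $status $body_bytes_sent '
                       '"$http_referer" "$http_user_agent"';

    upstream app {
        server 127.0.0.1:8080;   # assumed application backend
    }

    server {
        # proxy_protocol: every connection on this socket MUST start with a
        # PROXY line, so firewall port 443 to the ELB only.
        listen 443 ssl spdy proxy_protocol;
        server_name example.com;             # assumed

        ssl_certificate         /etc/nginx/ssl/my.crt;
        ssl_certificate_key     /etc/nginx/ssl/my.private.key;
        # Chain used to verify the stapled OCSP response (issuer chain).
        ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;
        ssl_stapling        on;
        ssl_stapling_verify on;
        resolver 10.0.0.2 valid=300s;        # assumed VPC DNS, for the OCSP responder

        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        add_header Alternate-Protocol 443:npn-spdy/3;

        access_log /var/log/nginx/access.log proxied;   # assumed path

        location / {
            proxy_pass http://app;
            # The ELB cannot add X-Forwarded-For in TCP mode, so set it here
            # from the PROXY header rather than trusting whatever arrived.
            proxy_set_header X-Real-IP       $proxy_protocol_addr;
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
        }
    }
}
```

Two checks worth doing after deploying this: confirm with the spdycheck tool that the ELB's hostname now negotiates SPDY (the handshake reaches nginx unchanged), and connect to an instance's address directly from outside the ELB range to confirm the connection is refused or fails, which proves the PROXY header cannot be forged from the internet.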

© 2022 - 2024 — McMap. All rights reserved.