We just released it last night at https://www.ritani.com.
You'll need a version of nginx that supports spdy and proxy_protocol. We are on 1.6.2.
Through the AWS CLI add and attach the proxy_protocol to your ELB.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html#enable-proxy-protocol-cli
Through the AWS Web UI for that ELB, remove any 443 listeners. Add a new listener as TCP 443 -> TCP 443.
In your nginx config server block:
listen 443 ssl spdy proxy_protocol;
add_header Alternate-Protocol 443:npn-spdy/3;
all the standard ssl directives...
To get ocsp stapling to work I had to use three certs. The standard way of concatenating my.crt and my.intermediate.crt didn't work. I had to break them out as follows.
ssl_certificate /etc/nginx/ssl/my.crt;
ssl_certificate_key /etc/nginx/ssl/my.private.key;
ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;
Lastly, swap any instances of $remote_addr
with $proxy_protocol_addr
. $remote_addr is now the elb and $proxy_protocol_addr is the remote client's ip.