Question

We've been using nginx compiled with the spdy module for some time now and despite only being draft 2 of the specs are quite pleased with its performance.

However we now have the need to horizontally scale and have put our EC2 instances behind an Elastic Load Balancer.

Since ELB doesn't support the NPN protocol we have set the listeners to the following:

SSL 443 -> SSL 443

We have also enabled the new proxy-protocol as described here:

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

Everything works completely fine with this configuration. Our app is successfully load balanced across our instances.

However when running http://spdycheck.org/ it reports that SPDY is not enabled. Yet if I point spdycheck to the elastic IP of a single instance, it correctly reports SPDY as being enabled.

Any help would be greatly appreciated.


Solution

Doing SSL -> SSL doesn't send the whole TCP packets to your webserver. AWS decrypts the packets using the certificate and re-encrypts them. Your backend only receives the modified packets. The viable option is to change the protocols to TCP but you will need nginx proxy patch for http headers or to work better.

I'm having the same problem as well and waiting for either AWS to enable NPN negotiation on ELBs or nginx to add the accept-proxy patch to its module.

OTHER TIPS

We just released it last night at https://www.ritani.com. You'll need a version of nginx that supports spdy and proxy_protocol. We are on 1.6.2.

Through the AWS CLI add and attach the proxy_protocol to your ELB. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html#enable-proxy-protocol-cli

Through the AWS Web UI for that ELB, remove any 443 listeners. Add a new listener as TCP 443 -> TCP 443.

In your nginx config server block:

listen 443 ssl spdy proxy_protocol;

add_header Alternate-Protocol 443:npn-spdy/3;

all the standard ssl directives...

To get ocsp stapling to work I had to use three certs. The standard way of concatenating my.crt and my.intermediate.crt didn't work. I had to break them out as follows.

ssl_certificate /etc/nginx/ssl/my.crt;

ssl_certificate_key /etc/nginx/ssl/my.private.key;

ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;

Lastly, swap any instances of $remote_addr with $proxy_protocol_addr. $remote_addr is now the elb and $proxy_protocol_addr is the remote client's ip.
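As an added example that is not from either answer: a Python parser for the PROXY protocol v1 line the ELB prepends to each TCP connection once the listener is TCP 443 -> TCP 443 with proxy_protocol enabled, together with the trust check nginx applies (set_real_ip_from with real_ip_header proxy_protocol) before the header's address is used in place of the TCP peer. The sample header bytes and the 10.0.0.0/16 load-balancer range are constructed placeholders, not values from the page.

```python
import ipaddress
from typing import NamedTuple

PROXY_V1_MAX = 107  # PROXY v1 header, CRLF included, never exceeds 107 bytes
# Constructed sample: what nginx sees on the wire once the ELB listener is TCP 443 -> TCP 443
# with proxy_protocol on; the bytes after CRLF are the start of the client's TLS handshake.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.1.5 51234 443\r\n\x16\x03\x01\x00\x05"
TRUSTED_ELB_RANGES = ["10.0.0.0/16"]  # placeholder: the subnet your ELB nodes live in

class ProxyHeader(NamedTuple):
    client_ip: str   # nginx exposes this as $proxy_protocol_addr
    client_port: int
    elb_ip: str      # proxy-side address of the original connection
    elb_port: int
    payload: bytes   # everything after the header line

def parse_proxy_v1(data: bytes) -> ProxyHeader:
    """Parse one PROXY v1 line; raise ValueError on anything not well-formed."""
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")  # UnicodeDecodeError is a ValueError
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {data[:end]!r}")
    _, proto, src, dst, sport, dport = fields
    want = 4 if proto == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match the protocol field")
    sport_i, dport_i = int(sport), int(dport)
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        raise ValueError("port out of range")
    return ProxyHeader(str(src_ip), sport_i, str(dst_ip), dport_i, data[end + 2:])

def is_valid_proxy_v1(data: bytes) -> bool:
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False

def effective_client_ip(tcp_peer: str, data: bytes, trusted=TRUSTED_ELB_RANGES) -> str:
    """Model of nginx's set_real_ip_from + real_ip_header proxy_protocol: the address
    in the header replaces the TCP peer only when the peer is a trusted ELB node."""
    peer = ipaddress.ip_address(tcp_peer)
    if not any(peer in ipaddress.ip_network(net) for net in trusted):
        return tcp_peer  # connection did not come through the ELB: keep the TCP peer
    return parse_proxy_v1(data).client_ip
```

Logging or rate limiting on effective_client_ip() rather than on the raw TCP peer is the equivalent of the $remote_addr to $proxy_protocol_addr swap above, restricted to connections that actually arrived via the ELB.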

Licensed under: CC-BY-SA with attribution