
I have a node.js websocket server running on an EC2 instance on port 8080. Normal websocket connections (ws://) work fine but when I'm trying to make a secure connection (wss://), the websocket connection fails.

I realise that wss requests are sent to port 443, so I'm using ALB to forward requests on port 443 to port 8080. Since I'm very new to AWS I don't know if I'm doing this properly. Here's what I have done.

  1. Node.js server listening on port 8080 in an EC2 instance.
  2. These are the inbound security rules to that EC2 instance:

Inbound security rules

  3. An application load balancer with listener HTTPS: 443. It forwards to my EC2 instance on port 8080 using the HTTPS protocol. I have also attached an SSL certificate to the ALB.

I just cannot figure out what I'm doing wrong. Any help is appreciated.

UPDATE:

  1. I have created two security groups (ec2-sg and alb-sg) and configured them such that ec2-sg receives traffic from alb-sg.

Inbound security rules (alb-sg)

Outbound security rule (alb-sg)

Inbound security rules (ec2-sg)

However, I cannot get it to work. The target group passes the health check and I have enabled sticky sessions, but the websocket connection keeps failing. The normal ws connection which used to work has also stopped working. This leads me to believe that I'm messing something up with the ALB (since it is working without the load balancer).

Update 2:

I enabled access logs for my load balancer. Here's the log:

https 2021-10-08T08:55:39.157549Z app/alb-latest/3e73469ba9514449 167.94.138.60:32854 172.31.93.226:8080 -1 -1 -1 502 - 41 1215 
"GET https://3.208.76.74:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:144045735746:targetgroup/ec2-8080-server/2cbf4f7eb51c201e 
"Root=1-6160078b-606aed86364c5e3f7db627f1" "-" "arn:aws:acm:us-east-1:144045735746:certificate/53a04011-1ea7-4689-b6c6-a7372e42191d" 0 2021-10-08T08:55:39.156000Z 
"forward" "-" "-" "172.31.93.226:8080" "-" "-" "-"

ALB Basic configuration 1

ALB Basic configuration 2

ALB Listeners

I have also enabled group-level stickiness on the target group for 1 day.

Target group details
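As an added example (not from the question or the answer), here is a Python parser for the ALB access-log entry quoted above, using the field order AWS documents for application load balancer logs; it flags the pattern in that entry (502 reported by the ALB itself, no target status code, processing times of -1), which the log format documents as the request never getting a usable response from the target, so the ALB-to-target leg (target security-group ingress, target protocol and port) is where to look rather than the client's TLS session with the ALB, which completed. The sample line is the page's own entry re-joined onto one line; the field names and the diagnosis labels are this example's, not AWS identifiers.

```python
import shlex

# Field order of an ALB access-log entry as documented by AWS for
# application load balancers (29 space-separated fields, quoted where needed).
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason", "target_port_list",
    "target_status_code_list", "classification", "classification_reason",
]

# The entry quoted in the question, re-joined onto a single line.
SAMPLE_LINE = (
    'https 2021-10-08T08:55:39.157549Z app/alb-latest/3e73469ba9514449 '
    '167.94.138.60:32854 172.31.93.226:8080 -1 -1 -1 502 - 41 1215 '
    '"GET https://3.208.76.74:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
    'arn:aws:elasticloadbalancing:us-east-1:144045735746:targetgroup/ec2-8080-server/2cbf4f7eb51c201e '
    '"Root=1-6160078b-606aed86364c5e3f7db627f1" "-" '
    '"arn:aws:acm:us-east-1:144045735746:certificate/53a04011-1ea7-4689-b6c6-a7372e42191d" '
    '0 2021-10-08T08:55:39.156000Z "forward" "-" "-" "172.31.93.226:8080" "-" "-" "-"'
)

def parse_alb_log(line):
    """Split one access-log entry into a dict keyed by the documented field names."""
    tokens = shlex.split(line)  # keeps each double-quoted field as one token
    if len(tokens) < len(ALB_FIELDS):
        raise ValueError(f"expected {len(ALB_FIELDS)} fields, got {len(tokens)}")
    return dict(zip(ALB_FIELDS, tokens[:len(ALB_FIELDS)]))

def diagnose(entry):
    """Say which leg of the request failed, from the status and timing fields."""
    elb = entry["elb_status_code"]
    target = entry["target_status_code"]
    not_dispatched = entry["target_processing_time"] == "-1"
    if elb.startswith("5") and target == "-" and not_dispatched:
        # AWS writes -1 for the processing times when the request could not be
        # dispatched to a target and leaves target_status_code as "-": the ALB
        # generated the 5xx itself. ssl_protocol being populated shows the
        # client-to-ALB TLS handshake completed, so check the ALB-to-target leg.
        return "target-unreachable"
    if target.startswith("5"):
        return "target-error"  # the target answered, with its own 5xx
    if elb == "101" or elb.startswith(("2", "3")):
        return "ok"            # 101 is a successful WebSocket upgrade
    return "other"
```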

  • Are the ALB and the EC2 instance both in the same security group? Generally you should have one SG for each, and the EC2 SG should allow ingress from the ALB SG. – Tim Oct 07 '21 at 08:48
  • @Tim They were in the same security group, yes. I have changed that now but it still does not work. Could you take a look at the updates I posted? – Debabrata Mondal Oct 08 '21 at 06:43
  • Your security groups look ok to me, though I can't check things like IDs. Two things to do 1) Enable access logs on ALB and target and check that requests hit the ALB and the server - if it's easier you can install a standard web server on port 80 for testing. Then once that's done 2) Edit your post to show the important parts of the ALB configuration. – Tim Oct 08 '21 at 07:04
  • @Tim I have edited the post. Do you need any other info? – Debabrata Mondal Oct 08 '21 at 09:18
  • Read my last comment again. Don't just give us the logs, you need to understand them, check the logs on the web server, and make sure the request is getting through. If it's not you could set up Nginx / Apache and try it with a more widely understood protocol to check things are generally working. I think you might be best off getting a professional in, we can provide help but I think you need more help than we can give. – Tim Oct 08 '21 at 20:38
  • Your ALB SG is only allowing port 8080 outbound to another SG - it won't be able to send the response to your client. Remove the outbound rule and focus on inbound rules for now - security groups are stateful so the outbound is not required and adds complication. – shearn89 Jan 12 '22 at 10:15
  • Thank you @shearn89, that makes a lot of sense! – Debabrata Mondal Jan 14 '22 at 06:46

1 Answer

Just copying and pasting my comment into an answer in case it solves the issue.

The ALB SG is only allowing port 8080 outbound to another SG. This means it won't be able to send the response to the client, which will be listening on some random port that is not 8080. Best approach is to remove the outbound rules and focus on inbound rules - security groups are stateful so outbound rules are not necessarily required and add complication!

shearn89