
I want to deploy SPDY, but I'm using Amazon's ELB TCP routing. The ELB also handles the secure connections for us. How can this be configured on the jetty side?

arturnt

2 Answers


Unfortunately, the answer is: you can't. Today, in order to deploy SPDY, your TLS termination server (which in this case is the ELB) needs to be able to negotiate SPDY over TLS "Next Protocol Negotiation" (NPN). NPN is an extension to TLS and requires a recent version of OpenSSL or other libraries. ELB does not support NPN negotiation.

The solution is to proxy the entire TCP stream through ELB down to your application server, which could then handle the NPN and TLS handshake. Jetty can do that, or you can use a tool like HAProxy, which is now NPN capable: http://www.igvita.com/2012/10/31/simple-spdy-and-npn-negotiation-with-haproxy/

igrigorik
  • Actually, the NPN support in Jetty is done via a custom SSL provider on the java bootclasspath. If you can terminate the connection directly to Jetty/Java then you should be able to do this. – joakime Jan 24 '13 at 15:52
  • One potential issue with the suggestion to tunnel everything to the server is that you will no longer get the X-Forwarded-For header to identify the IP of the client. If that is important to your application then this solution doesn't work. – greggles Jul 22 '13 at 22:37
  • You can still get that information through ELB's support for PROXY protocol. It's just no longer in a header. – Christopher Smith Aug 09 '14 at 07:16

SPDY is supported now on ELB with use of proxy_protocol.

It's a bit fiddly to set up, however: you need to add the ProxyProtocol policy to your ELB and set the listeners to TCP 443 -> TCP 443.

This will pass the connection (along with the proxy-protocol header) through the ELB untouched to your servers.

Nginx has just added proxy-protocol support in version 1.5.12, so I simply listen as follows:

listen 443 ssl proxy_protocol spdy;

Then set the real_ip to the passed-through proxy_protocol IP and voila, SPDY behind ELB.

I should mention that this means you decode the SSL certificates on your webserver rather than using ELB as you would with HTTPS listeners. But for me this is fine.

It would be great if Amazon could add better controls for adding policies using the web GUI, as doing it via the command line is a pain.

https://forums.aws.amazon.com/thread.jspa?threadID=90109&start=25&tstart=0

Mike Averto
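The setup Mike describes, written out as a complete nginx server block (this is an added example, not configuration from the answer above or from the AWS forum thread it links). It assumes nginx 1.5.12 or later (the version the answer names, which introduced `proxy_protocol` on `listen`, `real_ip_header proxy_protocol` and the `$proxy_protocol_addr` variable), an ELB with the ProxyProtocol policy attached and a TCP 443 -> TCP 443 listener, and it uses placeholders for the certificate paths, host name and ELB address range. The security-relevant detail the answer only hints at ("set the real_ip") is `set_real_ip_from`: the PROXY header is plain text at the start of the TCP stream, so nginx should only trust it from the ELB's own addresses; otherwise anything that can reach port 443 directly could present a forged header and show up in logs and access rules as an arbitrary client IP.

```nginx
# Added example: nginx behind an ELB TCP listener with the ProxyProtocol
# policy enabled. TLS and SPDY are terminated here, on the web server.
# Paths, server_name and the 10.0.0.0/16 range are placeholders (assumed).

events { }

http {
    # Log the client address recovered from the PROXY header rather than
    # the ELB's address that the TCP connection actually arrives from.
    log_format elb_proxy '$proxy_protocol_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';

    server {
        # proxy_protocol: expect the "PROXY TCP4 <client> <elb> <sport> <dport>"
        # line before the TLS ClientHello; ssl + spdy: nginx does the TLS
        # handshake and NPN itself, which is why ELB must not terminate TLS.
        listen 443 ssl spdy proxy_protocol;
        server_name example.com;                              # placeholder

        ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        # Replace $remote_addr with the address from the PROXY header, but
        # only when the TCP peer is one of the ELB's addresses. Without
        # set_real_ip_from, a host that can reach port 443 directly (for
        # example through a permissive security group) could send its own
        # PROXY line and spoof its source IP in logs and allow/deny rules.
        set_real_ip_from 10.0.0.0/16;        # placeholder: your ELB subnet(s)
        real_ip_header   proxy_protocol;

        access_log /var/log/nginx/elb_proxy.log elb_proxy;

        location / {
            root  /var/www/html;
            index index.html;
        }
    }
}
```

Check the file with `nginx -t -c /path/to/this.conf` before reloading. On the ELB side, the policy the answer refers to is created with the AWS CLI's `aws elb create-load-balancer-policy` (policy type `ProxyProtocolPolicyType`, attribute `ProxyProtocol=true`) and attached to the backend port with `aws elb set-load-balancer-policies-for-backend-server --instance-port 443`; the security group on the instances should then admit port 443 only from the ELB, so the trust granted by `set_real_ip_from` matches what can actually reach the server.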