Difference between revisions of "AWS/ELB"
< AWS
Jump to navigation
Jump to search
(Created page with "= Use Nginx to preserve headers/client IP when working with ELB = If you configure ELB for Http/s then headers forwardes but if you decide to use TCP load balancing <source...") |
|||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= Use Nginx to preserve headers/client IP when working with ELB = | = Use Nginx to preserve headers/client IP when working with ELB = | ||
If you configure ELB for Http/s then | If you configure ELB for [https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html#x-forwarded-for Http/s then ELB injects] <code>X-Forwarded-For: client-ip-address</code> header that has orginal client IP address this is an application layer mode. But if you decide to use TCP load balancing ELB is not not aware of any headers. For this we going to use Nginx to proxy_websocket connections L4 TCP. | ||
HAproxy developed Proxy Protocol to solve this problem, so we are going to configure the Proxy_Protocol on our load balancer, then configure nginx for the proxy protocol. Proxy protoclol allows to confiure additional header including a client IP. | |||
<source> | |||
R53 -> ELB -> Nginx | |||
/ \ | |||
app1 app2 | |||
</source> | |||
<source lang=bash> | <source lang=bash> | ||
| Line 9: | Line 18: | ||
aws configure | aws configure | ||
aws elb describe-load-balancer-policy-types | aws elb describe-load-balancer-policy-types | ||
aws elb create-load-balancer-policy --load-balancer-name | # <serach for policy ProxyProtocol> | ||
aws elb describe-load-balancer-policies --load-balancer-name | # "AttributeName": "ProxyProtocol" | ||
aws elb set-load-balancer-policies-for-backend-server --load-balancer-name "<LOAD BALANCER NAME>" --instance-port 80 --policy-names linuxacademy-protocol-policy | # "Policy that controls whether to include the IP address and port of the orginiating request for TCP messages. | ||
# This policy operates on TCP listeners only." | |||
aws elb create-load-balancer-policy --load-balancer-name "<LOAD BALANCER NAME>" \ | |||
--policy-name "<free_form_POLICY_NAME>" --policy-type-name ProxyProtocolPolicyType \ | |||
--policy-attributes AttributeName=Proxy Protocol, AttributeValue-true | |||
# check the policy got attached | |||
aws elb describe-load-balancer-policies --load-balancer-name "<LOAD BALANCER NAME>" | |||
# attach policy to a port/listener | |||
aws elb set-load-balancer-policies-for-backend-server --load-balancer-name "<LOAD BALANCER NAME>" \ | |||
--instance-port 80 --policy-names linuxacademy-protocol-policy | |||
# Configure Nginx to grab extra headers and put in access.log file | |||
sudo vi /etc/nginx/nginx.conf | |||
# change | |||
server { | |||
listen 80; -> 80 proxy_protocol; | |||
# add | |||
set_real_ip_from <vpc_cidr>; #allow header modifications if request comes from this range | |||
real_ip_header proxy_protocol; | |||
# update access logs | |||
http { | |||
logh_format main '$remote_address -> '$proxy_protocol_addr | |||
systemctl restart nginx | systemctl restart nginx | ||
</source> | </source> | ||
Latest revision as of 00:29, 20 November 2019
Use Nginx to preserve headers/client IP when working with ELB
If you configure ELB for Http/s then ELB injects X-Forwarded-For: client-ip-address header that has orginal client IP address this is an application layer mode. But if you decide to use TCP load balancing ELB is not not aware of any headers. For this we going to use Nginx to proxy_websocket connections L4 TCP.
HAproxy developed Proxy Protocol to solve this problem, so we are going to configure the Proxy_Protocol on our load balancer, then configure nginx for the proxy protocol. Proxy protoclol allows to confiure additional header including a client IP.
R53 -> ELB -> Nginx
/ \
app1 app2
sudo apt-get install nginx
systemctl status nginx
tail -f /var/log/nginx/access.log
pip install awscli==1.6.6
aws configure
aws elb describe-load-balancer-policy-types
# <serach for policy ProxyProtocol>
# "AttributeName": "ProxyProtocol"
# "Policy that controls whether to include the IP address and port of the orginiating request for TCP messages.
# This policy operates on TCP listeners only."
aws elb create-load-balancer-policy --load-balancer-name "<LOAD BALANCER NAME>" \
--policy-name "<free_form_POLICY_NAME>" --policy-type-name ProxyProtocolPolicyType \
--policy-attributes AttributeName=Proxy Protocol, AttributeValue-true
# check the policy got attached
aws elb describe-load-balancer-policies --load-balancer-name "<LOAD BALANCER NAME>"
# attach policy to a port/listener
aws elb set-load-balancer-policies-for-backend-server --load-balancer-name "<LOAD BALANCER NAME>" \
--instance-port 80 --policy-names linuxacademy-protocol-policy
# Configure Nginx to grab extra headers and put in access.log file
sudo vi /etc/nginx/nginx.conf
# change
server {
listen 80; -> 80 proxy_protocol;
# add
set_real_ip_from <vpc_cidr>; #allow header modifications if request comes from this range
real_ip_header proxy_protocol;
# update access logs
http {
logh_format main '$remote_address -> '$proxy_protocol_addr
systemctl restart nginx