AWS/ELB

From Ever changing code
< AWS
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Use Nginx to preserve headers/client IP when working with ELB

If you configure ELB for Http/s then ELB injects X-Forwarded-For: client-ip-address header that has orginal client IP address this is an application layer mode. But if you decide to use TCP load balancing ELB is not not aware of any headers. For this we going to use Nginx to proxy_websocket connections L4 TCP.

HAproxy developed Proxy Protocol to solve this problem, so we are going to configure the Proxy_Protocol on our load balancer, then configure nginx for the proxy protocol. Proxy protoclol allows to confiure additional header including a client IP.

R53 -> ELB -> Nginx
              / \
           app1 app2


sudo apt-get install nginx
systemctl status nginx
tail -f /var/log/nginx/access.log
pip install awscli==1.6.6
aws configure
aws elb describe-load-balancer-policy-types
#  <serach for policy ProxyProtocol>
#  "AttributeName": "ProxyProtocol"
#  "Policy that controls whether to include the IP address and port of the orginiating request for TCP messages. 
#  This policy operates on TCP listeners only."

aws elb create-load-balancer-policy                   --load-balancer-name "<LOAD BALANCER NAME>" \
        --policy-name "<free_form_POLICY_NAME>" --policy-type-name ProxyProtocolPolicyType \
        --policy-attributes AttributeName=Proxy Protocol, AttributeValue-true

# check the policy got attached
aws elb describe-load-balancer-policies               --load-balancer-name "<LOAD BALANCER NAME>"

# attach policy to a port/listener
aws elb set-load-balancer-policies-for-backend-server --load-balancer-name "<LOAD BALANCER NAME>" \
        --instance-port 80 --policy-names linuxacademy-protocol-policy 

# Configure Nginx to grab extra headers and put in access.log file
sudo vi /etc/nginx/nginx.conf
# change
server {
  listen   80; -> 80 proxy_protocol;
# add
  set_real_ip_from <vpc_cidr>;   #allow header modifications if request comes from this range
  real_ip_header proxy_protocol;
# update access logs
http {
  logh_format main '$remote_address -> '$proxy_protocol_addr

systemctl restart nginx