Proxy Protocol on Elastic Load Balancing non-terminated SSL connection

The proxy protocol (version 1) injects a single line into the data stream at the beginning of the connection, before SSL is negotiated by your server. You don't get this information "over" an SSL connection; you get the information prior to SSL handshaking. Your server has to implement this capability and specifically be configured so that it can accept and understand it. For an IPv4 connection, it looks like this:

PROXY TCP4 source-ip dest-ip source-port dest-port

The standard for the protocol is here:

http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

Additional info in the ELB docs here:

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#proxy-protocol


Regarding Apache support, at least at the time AWS announced support for the proxy protocol...

neither Apache nor Nginx currently support the Proxy Protocol header inserted by the ELB

http://aws.typepad.com/aws/2013/07/elastic-load-balancing-adds-support-for-proxy-protocol.html?ref_=9

That is subject to change, of course, but I didn't successfully google for any Apache support of the proxy protocol. Of course, since Apache is open source, you could presumably hack it in there, though I am unfamiliar with the Apache source code.

Realizing that you don't want to change what you're doing now, I would still suggest that, depending on your motivation for not wanting to change, there may be a relatively simple solution. It's a change, but not one involving SSL on ELB. What about running HAProxy behind ELB to terminate the SSL in front of Apache? HAProxy 1.5 can terminate SSL and appears to be able to translate the proxy protocol string from ELB into an X-Forwarded-For header, as well as generate X-SSL headers to give your application information about the client's SSL cert (perhaps that's your motivation for terminating SSL at the app server instead of on the ELB?), so this might be an alternative.

Otherwise, I don't have suggestions unless Apache implements support in the future, or we can find some documentation to indicate that they already have.
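To make the header format above concrete, here is a parser for the PROXY protocol v1 line that a server would run on the raw socket before handing the connection to its TLS layer. This is an added example written for this page, not code from the answer, from AWS, or from HAProxy; it follows the v1 rules in the linked spec (single spaces, CRLF terminator, 107-byte limit, TCP4/TCP6/UNKNOWN families, ports without leading zeros) and goes a little beyond the answer's IPv4 line by also handling TCP6 and UNKNOWN. The sample stream, including the TLS-looking bytes after the header, is constructed for the demo and is not captured traffic; `x_forwarded_for` is a hypothetical helper showing where the value for an X-Forwarded-For header would come from.

```python
import ipaddress
from typing import Optional, Tuple

# Spec limit: a v1 header line is at most 107 bytes including the trailing CRLF.
MAX_V1_LINE = 107


class ProxyProtocolError(ValueError):
    """Raised when the bytes at the start of the stream are not a valid v1 header."""


class NeedMoreData(ProxyProtocolError):
    """Raised when the header is not yet complete; read more bytes and retry."""


def parse_proxy_v1(data: bytes) -> Tuple[dict, bytes]:
    """Parse a PROXY protocol v1 line from the beginning of `data`.

    Returns (header, remaining): `header` is a dict with keys family,
    src_addr, dst_addr, src_port, dst_port (only `family` for UNKNOWN) and
    `remaining` is everything after the CRLF, i.e. the bytes the application
    protocol (here, the TLS handshake) actually starts with.
    """
    if not data.startswith(b"PROXY "):
        if b"PROXY ".startswith(data):
            raise NeedMoreData("header prefix incomplete")
        raise ProxyProtocolError("stream does not begin with a PROXY v1 header")
    # The CRLF must fall within the first 107 bytes; otherwise this is not v1.
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        if len(data) >= MAX_V1_LINE:
            raise ProxyProtocolError("no CRLF within 107 bytes")
        raise NeedMoreData("header line incomplete")
    line, remaining = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII byte in header") from exc
    # fields[0] is "PROXY". A doubled space yields an empty field, which fails
    # the field-count or value checks below, as the spec requires.
    family = fields[1] if len(fields) > 1 else ""
    if family == "UNKNOWN":
        # Sender could not determine the original connection; the rest of the
        # line (if any) is ignored and the receiver uses its own socket view.
        return {"family": "UNKNOWN"}, remaining
    if family not in ("TCP4", "TCP6"):
        raise ProxyProtocolError(f"unsupported protocol family {family!r}")
    if len(fields) != 6:
        raise ProxyProtocolError("expected exactly 6 space-separated fields")
    src_addr, dst_addr, src_port, dst_port = fields[2:]
    version = 4 if family == "TCP4" else 6
    return {
        "family": family,
        "src_addr": _parse_addr(src_addr, version),
        "dst_addr": _parse_addr(dst_addr, version),
        "src_port": _parse_port(src_port),
        "dst_port": _parse_port(dst_port),
    }, remaining


def _parse_addr(text: str, version: int) -> str:
    """Validate a textual address and check it matches the declared family."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError as exc:
        raise ProxyProtocolError(f"bad address {text!r}") from exc
    if addr.version != version:
        raise ProxyProtocolError(f"address {text!r} does not match family")
    return str(addr)


def _parse_port(text: str) -> int:
    """Decimal digits only, no sign, no leading zeros, range 0..65535."""
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ProxyProtocolError(f"bad port {text!r}")
    port = int(text)
    if port > 65535:
        raise ProxyProtocolError(f"port {port} out of range")
    return port


def is_valid_v1(data: bytes) -> bool:
    """True only if a complete buffer parses cleanly as a v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyProtocolError:
        return False


def x_forwarded_for(header: dict) -> Optional[str]:
    """Hypothetical helper: the client address a TLS-terminating tier would
    carry into X-Forwarded-For (None when the family is UNKNOWN)."""
    return header.get("src_addr")


# Constructed sample: the v1 line the load balancer would prepend, followed by
# the first bytes of a TLS record (0x16 = handshake). Not captured traffic.
SAMPLE_STREAM = (
    b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n"
    + b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"
)

if __name__ == "__main__":
    header, tls_bytes = parse_proxy_v1(SAMPLE_STREAM)
    print(header)
    print("application data begins with a TLS handshake:", tls_bytes[:1] == b"\x16")
```

The point of returning `remaining` is that the header is consumed by plain TCP code on the listening socket; only the bytes after the CRLF are passed to the TLS library, which is why the server itself, not the TLS layer, must be configured to expect the line. A listener that accepts this header should do so only from the load balancer's addresses, since any peer that can reach the port directly could otherwise assert an arbitrary source address.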