
I have ELB balancing TCP traffic to my Node.js processes. When ELB is balancing TCP connections it does not send the X-Forwarded-Proto header like it does with http connections. But I still need to know if the connection is using SSL/TLS so I can respond with a redirect from my Node process if it is not a secure connection.

Is there a way to make ELB send this header when balancing TCP connections?

Thanks

boom
  • For anyone else who lands here with this problem: I found a very simple solution to this problem here: http://stackoverflow.com/a/33530080/949845 – boom Jul 27 '16 at 05:40

1 Answer


You can configure proxy protocol for your ELB to get connection related information. In the case of HTTP the ELB adds headers telling about the client information; in the case of TCP, however, AWS ELB simply passes through the headers from the client without any modifications. This causes the back end server to lose client connection information, as is happening in your case.

To enable proxy control for your ELB, you will have to do it via the API; there is currently no way to do it via the UI.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

The above doc is a step-by-step guide on how to do this; I don't want to paste the same here as that information might change over time.

EDIT:

As it turns out, Amazon implements Version 1 of the proxy protocol only, which does not give away SSL information. It does, however, give the port number which was requested by the client, and a process can be developed stating something like: if the request was over port 443 then it was SSL. I don't like it as it is indirect, requires hardcoding and coordination between devops and developers... seems to be the only way for now... let's hope AWS ELB starts supporting Version 2 of the proxy protocol, which does have SSL info, soon.

Sumit Maingi
  • From what I've been reading, proxy protocol forwards ip/port of the client connection. You're saying it would send more than that, allowing me to see if the connection is using SSL/TLS? What exactly is sent with proxy protocol? Thanks very much for the help. – boom Jul 27 '16 at 04:57
  • The "protocol" part should tell you; to be honest I have not tried this myself. – Sumit Maingi Jul 27 '16 at 05:00
  • As I understand it, a proxy protocol header looks something like `PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n`. Would that say something like `SSL4` instead of `TCP4` for a secure TCP connection over IPv4? – boom Jul 27 '16 at 05:07
  • My experience with the proxy protocol was limited to HAProxy, but as I just read through their documentation, they implement a slightly different version of the same... so you might not get SSL related information from enabling proxy as stated above; however, you will get the requested port number of the load balancer. Not the best solution, but you can develop a process where you know that if the client requested port number 443 it was using SSL. If you try this, please do update with the header you get with SSL and without, for future knowledge. – Sumit Maingi Jul 27 '16 at 05:50
  • Hey, what did you end up doing? Can you update your findings here? – Sumit Maingi Jul 29 '16 at 04:45
  • Found a better solution; posted it as a comment on my question but will post again so people don't miss it: http://stackoverflow.com/a/33530080/949845 – boom Aug 01 '16 at 17:00
  • Cool, I thought though you wanted TCP incoming specifically... good that it's solved though. – Sumit Maingi Aug 02 '16 at 04:43
  • It does become TCP only because the insecure http connection gets redirected to https which is TCP. – boom Aug 02 '16 at 04:47