
Environment Setup:

I have a Spring Boot application behind an AWS ALB (Application Load Balancer). The ALB is configured to front HTTPS to the world, with a Spring Boot application as a target running on HTTP.

Connection Diagram:

HTTPS 443 -> ALB -> HTTP 8080 -> Spring Boot

The Problem:

As the application is running on HTTP internally (8080) but is served on HTTPS via the load balancer, I'm unable to use the ws://example.com protocol due to mixed content restrictions in the browser. I also cannot use 'wss://example.com', as the end server (Spring Boot) is running over HTTP and does not accept the connection.

The Question:

The only solution I have found is to move the end application to use HTTPS with a self-signed certificate. Is there an alternative solution that keeps the application running on HTTP but accepts the WSS connection?

Johnny.Minty

2 Answers

Configuring the load balancer to forward HTTPS traffic to HTTP will not work for WebSockets. Instead, you have to configure it to forward SSL (Secure TCP) to TCP. This will work for HTTP/HTTPS traffic because HTTP is a protocol over TCP and HTTPS is HTTP with TLS, and it will allow the WebSocket traffic to pass.

Configure the ELB to use the proxy protocol using the AWS CLI.

First, create the new policy:

    aws elb create-load-balancer-policy \
      --load-balancer-name $ALB_NAME \
      --policy-name $ALB_NAME-proxy-protocol \
      --policy-type-name ProxyProtocolPolicyType \
      --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

Second, attach it to the load balancer. Run this once for each port that the instance is listening on:

    aws elb set-load-balancer-policies-for-backend-server \
      --load-balancer-name $ALB_NAME \
      --instance-port 8080 \
      --policy-names $ALB_NAME-proxy-protocol

Asri Badlah
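One consequence of the proxy protocol policy above that the answer does not spell out: once it is enabled, every TCP connection the ELB opens to port 8080 begins with a PROXY protocol v1 text line before the client's HTTP request, so the backend (or something in front of it) has to consume that line, otherwise the HTTP parser sees an unexpected first line. The following is an added example, not code from the answer or from AWS, showing what a backend has to do with that line; the sample stream is constructed and uses documentation and private address ranges. It rejects anything malformed rather than guessing, which is the behaviour you want on a socket that is reachable from inside the VPC.

```python
import ipaddress

# Added example (not from the answer above): parse the PROXY protocol v1 line that a
# classic ELB prepends to each backend connection once ProxyProtocolPolicyType is enabled.
# Format: "PROXY TCP4|TCP6|UNKNOWN <src-ip> <dst-ip> <src-port> <dst-port>\r\n"
# A v1 line is at most 107 bytes including the CRLF.
MAX_V1_HEADER = 107

# Constructed sample of what the backend socket would deliver: the proxy line, then the
# client's WebSocket upgrade request.
SAMPLE_STREAM = (
    b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 8080\r\n"
    b"GET /ws HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n\r\n"
)


def _port(text: str) -> int:
    """Strict decimal port: digits only, no sign or leading zeros, 0..65535."""
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad port {text!r}")
    value = int(text)
    if value > 65535:
        raise ValueError(f"port out of range {value}")
    return value


def parse_proxy_v1(data: bytes):
    """Split `data` into (connection info, remaining application bytes).

    Raises ValueError on any malformed header so the server can close the connection
    rather than fall through to the HTTP parser with an unexpected first line.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF-terminated PROXY line within 107 bytes")
    line = data[:end]
    if not line.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    fields = line.decode("ascii").split(" ")  # non-ASCII raises ValueError too
    proto = fields[1]
    rest = data[end + 2:]
    if proto == "UNKNOWN":
        # Spec: ignore the rest of the line and treat the origin as unknown.
        return {"proto": "UNKNOWN"}, rest
    if proto not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError(f"bad PROXY line: {line!r}")
    _, _, src_ip, dst_ip, src_port, dst_port = fields
    family = 4 if proto == "TCP4" else 6
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match protocol field")
    info = {
        "proto": proto,
        "src_ip": str(src), "src_port": _port(src_port),
        "dst_ip": str(dst), "dst_port": _port(dst_port),
    }
    return info, rest


if __name__ == "__main__":
    info, app_data = parse_proxy_v1(SAMPLE_STREAM)
    print(info)
    print(app_data.split(b"\r\n")[0])
```

The `src_ip` recovered here is the real client address, which is the only reason to enable the policy at all when the load balancer runs in TCP mode: the `X-Forwarded-For` header the ELB would add in HTTP mode is not present on a raw TCP listener.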

Please be aware that HTTPS + wss / ws work well simultaneously in Apache and in AWS ALB too.

  1. user's browser -> Apache web server (HTTPS/wss) -> app_instance (HTTP)
  2. user's browser -> ALB (HTTPS/wss) -> app_instance (HTTP)

Regarding the mixed content issue, it depends on the application code. Some apps support (ALB as HTTPS -> app as HTTP), some apps do not; that's a question for the developer of the specific app code. About WebSocket, I give you an example for Apache; you just need to add an additional RewriteRule to enable WebSocket use only if needed. https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html

    # Plain HTTP requests are reverse-proxied to the backend as-is.
    ProxyPass / "http://example.com:8080/"

    # Requests carrying a WebSocket handshake (Upgrade: websocket plus
    # Connection: upgrade) are proxied to the backend over ws:// instead.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/(.*) "ws://example.com:8080/$1" [P,L]

AWS ALB supports a target as HTTP; add an additional rule like: if the WebSocket protocol is needed (HTTP 101 code), use ws://example.com:8080/. So do similar in AWS ALB (sorry, I cannot give screenshots from AWS).

trix0gen
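To make the two RewriteCond checks and the "depends on application code" remark above concrete, here is an added example that is not part of the answer or of the Apache project: it implements the handshake detection as RFC 6455 token matching (stricter than the substring match Apache's regex performs) and shows the one piece of application code that decides the mixed content question, namely deriving the client-facing scheme from `X-Forwarded-Proto` only when the request really came from the load balancer. The `trusted_net` value and the sample headers are constructed assumptions.

```python
import ipaddress

# Added example (not from the answer above): the header checks behind the Apache
# RewriteCond lines, and the scheme an app behind a TLS-terminating ALB should emit.

# Constructed sample handshake as the backend would see it after the ALB.
SAMPLE_HEADERS = {
    "Host": "example.com",
    "Upgrade": "websocket",
    "Connection": "keep-alive, Upgrade",
    "X-Forwarded-Proto": "https",
}


def _tokens(value: str) -> set:
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def is_websocket_upgrade(headers: dict) -> bool:
    """True when the request is a WebSocket handshake (RFC 6455 section 4.1):
    Upgrade contains the token 'websocket' and Connection contains the token
    'upgrade', both case-insensitively. This is what the two RewriteCond lines test."""
    h = _lower_headers(headers)
    return ("websocket" in _tokens(h.get("upgrade", ""))
            and "upgrade" in _tokens(h.get("connection", "")))


def backend_target(headers: dict, path: str, backend: str = "example.com:8080") -> str:
    """Mirror of the RewriteRule: handshakes go to ws://backend, everything else to http://."""
    scheme = "ws" if is_websocket_upgrade(headers) else "http"
    return f"{scheme}://{backend}{path}"


def client_facing_scheme(headers: dict, peer_ip: str, trusted_net: str = "10.0.0.0/8") -> str:
    """Scheme a page served over HTTPS must use for its WebSocket URL (wss:// or ws://).

    The ALB sets X-Forwarded-Proto to the listener's scheme. It is only honoured when the
    TCP peer is inside the assumed load balancer network (trusted_net), because any
    client that can reach port 8080 directly could forge the header.
    """
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(trusted_net):
        return "ws"
    h = _lower_headers(headers)
    proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return "wss" if proto == "https" else "ws"


if __name__ == "__main__":
    print(is_websocket_upgrade(SAMPLE_HEADERS))
    print(backend_target(SAMPLE_HEADERS, "/ws/chat"))
    print(client_facing_scheme(SAMPLE_HEADERS, "10.0.1.5"))
```

The trusted-peer check is the part most apps skip: Spring Boot can do the equivalent with its forwarded-header support, but only if the instance's security group restricts port 8080 to the load balancer, otherwise the header is attacker-controlled input.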