Steps to enable the proxy protocol for Nginx when using AWS's ELB service

  • 2020-05-15 02:33:34
  • OfStack

When using aws cloud services, 90% will use ELB services as a load balancing solution. Using ELB is much more convenient than setting up load balancing yourself.
The main benefits are:
1. The health status of the instance can be monitored at any time;
2. When the server is not working properly, the alarm policy of ELB will automatically send an email to inform the operation and maintenance personnel
3. When the server load reaches the threshold value, auto scaling will automatically add new servers to the cluster, and it will automatically terminate the redundant instances after the load drops
4. The monitoring indicators of ELB can help judge the performance of the server

AWS ELB nginx enables the proxy protocol
When using AWS ELB to load-balance WebSocket traffic, you can only use TCP mode.
The proxy protocol is an Internet protocol used to transfer connection information from the source of a connection to the target of that connection. Elastic Load Balancing uses proxy protocol version 1, which uses a human-readable header format.
By default, when using the transmission control protocol (TCP) or secure sockets layer (SSL) for the front-end and back-end connections, your load balancer forwards the request to the back-end instance without modifying the request header. If you enable the proxy protocol, a human-readable header containing the connection information (such as the source IP address, the destination IP address, and the port numbers) is added in front of the request. This header is then sent to the back-end instance as part of the request.
You can enable the proxy protocol on ports that use the SSL and TCP protocols. You can use the proxy protocol to capture the client's source IP when using a non-HTTP protocol, or when HTTPS is used and the SSL connection is not terminated on the load balancer.
Proxy protocol header
When you use a load balancer configured for TCP/SSL connections, the proxy protocol header helps identify the IP address of the client. Because the load balancer intercepts traffic between the client and your back-end instance, your back-end instance access log will contain the IP address of the load balancer instead of the IP address of the original client. You can parse the first line of the request to retrieve the client's IP address and port number.
The proxy address in the IPv6 header is the public IPv6 address of the load balancer. This IPv6 address matches the IP address resolved from the DNS name starting with ipv6 or dualstack of the load balancer. If the client connects using IPv4, the address in the proxy header is the private IPv4 address of the load balancer and cannot be resolved by DNS lookup outside the EC2-Classic network.
The proxy line ends with a carriage return and a newline ("\r\n") and has the following form:


PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"

Example:


PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n
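As an added example that is not part of the original post, the following Python parses the version 1 proxy line described above and applies the check a back-end should make before trusting it: the header is only believed when the TCP peer is one of the load balancer's networks, because any other host that can reach the port directly could write its own "PROXY" line and spoof an arbitrary client address. The sample bytes, the peer addresses and the trusted network list are constructed for the example.

```python
# Added example (not from the original post): parser for the PROXY protocol
# version 1 line that a classic ELB TCP/SSL listener prepends to each back-end
# connection, plus the trust check a back-end should apply before believing it.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAX_V1_LINE = 107  # longest valid v1 line including the trailing CRLF


@dataclass
class ProxyInfo:
    protocol: str                 # "TCP4", "TCP6" or "UNKNOWN"
    client_ip: Optional[str] = None
    proxy_ip: Optional[str] = None
    client_port: Optional[int] = None
    proxy_port: Optional[int] = None


def _port(field: bytes) -> int:
    # Ports are plain decimal digits, at most five of them, and <= 65535.
    if not field.isdigit() or len(field) > 5:
        raise ValueError("bad port %r" % field)
    port = int(field)
    if port > 65535:
        raise ValueError("port out of range")
    return port


def _addr(field: bytes, version: int) -> str:
    # The address family must match the INET_PROTOCOL field (TCP4 vs TCP6).
    try:
        ip = ipaddress.ip_address(field.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("bad address %r" % field)
    if ip.version != version:
        raise ValueError("address family does not match protocol")
    return str(ip)


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split the PROXY line off the front of a byte stream.

    Returns (info, remainder): remainder is the start of the real request.
    Malformed input raises ValueError; a server should close the connection
    rather than fall back to guessing.
    """
    # The CRLF must lie within the first 107 bytes, otherwise the line is invalid.
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ValueError("no CRLF-terminated PROXY line within %d bytes" % MAX_V1_LINE)
    line, rest = data[:end], data[end + 2:]
    fields = line.split(b" ")          # fields are separated by exactly one space
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    proto = fields[1]
    if proto == b"UNKNOWN":
        # Anything after UNKNOWN is ignored; the peer is simply unknown.
        return ProxyInfo("UNKNOWN"), rest
    if proto not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY line %r" % line)
    version = 4 if proto == b"TCP4" else 6
    info = ProxyInfo(
        proto.decode("ascii"),
        _addr(fields[2], version),     # CLIENT_IP
        _addr(fields[3], version),     # PROXY_IP
        _port(fields[4]),              # CLIENT_PORT
        _port(fields[5]),              # PROXY_PORT
    )
    return info, rest


def client_address(data: bytes, peer_ip: str,
                   trusted: Iterable[str]) -> Tuple[str, bytes]:
    """Decide which address to log as the client for a new connection.

    Only a peer inside one of the trusted networks (the load balancer's
    private address range) may supply a PROXY line. For any other peer the
    peer address itself is returned and the bytes are passed through unchanged,
    so a forged header from a direct connection cannot spoof the client IP.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted):
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    if info.protocol == "UNKNOWN" or info.client_ip is None:
        return peer_ip, rest
    return info.client_ip, rest


# Constructed sample: the header from the post followed by the first request line.
SAMPLE = b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\nGET / HTTP/1.1\r\n"

if __name__ == "__main__":
    parsed, remainder = parse_proxy_v1(SAMPLE)
    print(parsed)
    print(remainder.split(b"\r\n")[0])
```

In the trusted case `client_address` hands back the request bytes with the proxy line stripped; in the untrusted case it returns the data untouched, so the caller sees the forged line as ordinary (and invalid) request data rather than as connection metadata.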

Install the AWS CLI tool
Enabling the proxy protocol is not supported in the AWS management console, so it has to be enabled from the command line.


# sudo apt-get install python-pip
# sudo pip install awscli

Configure the authorization connection parameters file.


# sudo vi ~/.aws/config

[default]
aws_access_key_id = YOU_ACCESS_ID
aws_secret_access_key = YOU_SECRET_ID
output = json
region = PREFERRED_AWS_REGION

Set aws_access_key_id, aws_secret_access_key and region to match your AWS account and the region of your instances; output can be json, text or table.
AWS ELB enables the proxy protocol
View the policies supported by ELB. The response contains the name and description of the supported policy type.


# aws elb describe-load-balancer-policy-types
{
  "PolicyTypeDescriptions": [
    ...
    {
      "PolicyAttributeTypeDescriptions": [
        {
          "Cardinality": "ONE",
          "AttributeName": "ProxyProtocol",
          "AttributeType": "Boolean"
        }
      ],
      "PolicyTypeName": "ProxyProtocolPolicyType",
      "Description": "Policy that controls whether to include the IP address and port of the originating request for TCP messages. This policy operates on TCP/SSL listeners only"
    },
    ...
  ]
}

Create policies that enable the proxy protocol


# aws elb create-load-balancer-policy --load-balancer-name YOU_ELB_NAME --policy-name EnableProxyProtocol --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

This command creates a policy named EnableProxyProtocol and sets its ELB policy attribute to "AttributeName=ProxyProtocol, AttributeValue=True".
Enable the above policy on the specified port


# aws elb set-load-balancer-policies-for-backend-server --load-balancer-name YOU_ELB_NAME --instance-port 80 --policy-names EnableProxyProtocol
# aws elb set-load-balancer-policies-for-backend-server --load-balancer-name YOU_ELB_NAME --instance-port 81 --policy-names EnableProxyProtocol
# aws elb set-load-balancer-policies-for-backend-server --load-balancer-name YOU_ELB_NAME --instance-port 443 --policy-names EnableProxyProtocol

This command replaces the currently enabled set of policies for that instance port. Therefore, the --policy-names option must specify both the policy you are adding and any policies that are currently enabled, or the existing ones will be dropped.
See if it is enabled


# aws elb describe-load-balancers --load-balancer-name YOU_ELB_NAME | jq '.LoadBalancerDescriptions[].BackendServerDescriptions'
[
 {
  "PolicyNames": [
   "EnableProxyProtocol"
  ],
  "InstancePort": 80
 },
 {
  "PolicyNames": [
   "EnableProxyProtocol"
  ],
  "InstancePort": 81
 },
 {
  "PolicyNames": [
   "EnableProxyProtocol"
  ],
  "InstancePort": 443
 }
]

If you want to disable the proxy protocol on a port, run the following; you can confirm that it is disabled with the describe-load-balancers command from "See if it is enabled" above.


# aws elb set-load-balancer-policies-for-backend-server --load-balancer-name YOU_ELB_NAME --instance-port 80 --policy-names "[]"

Configure nginx to accept proxy headers
The main purpose of enabling the proxy protocol in nginx is to obtain the actual client IP address. Otherwise, every request is logged with the private IP address of the ELB.

When the proxy protocol is enabled in nginx, the $proxy_protocol_addr variable holds the real client IP.
If there is no reverse proxy, nginx can be configured like this:
