WebSockets: wss from client to Amazon AWS EC2 instance through ELB

XDR · Sep 8, 2014 · Viewed 15.2k times

How can I connect over ssl to a websocket served by GlassFish on an Amazon AWS EC2 instance through an ELB?

I am using Tyrus 1.8.1 in GlassFish 4.1 b13 pre-release as my websocket implementation.

Port 8080 is unsecured, and port 8181 is secured with ssl.

  • ELB dns name: elb.xyz.com
  • EC2 dns name: ec2.xyz.com
  • websocket path: /web/socket

I have successfully used both ws & wss to connect directly to my EC2 instance (bypassing my ELB). i.e. both of the following urls work:

  • ws://ec2.xyz.com:8080/web/socket
  • wss://ec2.xyz.com:8181/web/socket

I have successfully used ws (non-ssl) over my ELB by using a tcp 80 > tcp 8080 listener. i.e. the following url works:

  • ws://elb.xyz.com:80/web/socket

I have not, however, been able to find a way to use wss through my ELB.

I have tried many things.

I assume that the most likely way of getting wss to work through my ELB would be to create a tcp 8181 > tcp 8181 listener on my ELB with proxy protocol enabled and use the following url:

  • wss://elb.xyz.com:8181/web/socket

Unfortunately, that does not work. I guess that I might have to enable the proxy protocol on glassfish, but I haven't been able to find out how to do that (or if it's possible, or if it's necessary for wss to work over my ELB).

Another option might be to somehow have ws or wss run over an ssl connection that's terminated on the ELB, and have it continue unsecured to glassfish, by using an ssl > tcp 8080 listener. That didn't work for me, either, but maybe some setting was incorrect.

Does anyone have any modifications to my two aforementioned trials? Or does anyone have some other suggestions?

Thanks.

Answer

guillaumepiot · May 5, 2016

I had a similar setup and originally configured my ELB listeners as follows:

  • HTTP 80 > HTTP 80
  • HTTPS 443 > HTTPS 443

Although this worked fine for the website itself, the websocket connection failed. In the listener, you need to allow all secure TCP connections as opposed to SSL only to allow wss to pass through as well:

  • HTTP 80 > HTTP 80
  • SSL (Secure TCP) 443 > SSL (Secure TCP) 443

I would also recommend raising the Idle timeout of the ELB.
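Added diagnostic (not part of the question or the answer above): a small Python probe that performs the wss handshake against the load balancer over TLS and reports whether a genuine 101 upgrade with a valid Sec-WebSocket-Accept came back, which is the quickest way to tell a listener that passes the Upgrade through from one that terminates it as plain HTTPS. The host `elb.xyz.com`, port 443 and path `/web/socket` are the question's example values, assumed here.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a real WebSocket server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host: str, path: str, key: str) -> bytes:
    """Client upgrade request; the Upgrade/Connection headers are what must
    survive the load balancer for wss to work."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")


def check_response(raw: bytes, key: str) -> dict:
    """Classify the reply: status 101 plus an accept header matching the client
    key means the upgrade passed through; anything else means it did not."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    accept_ok = headers.get("sec-websocket-accept") == expected_accept(key)
    return {"status": status, "upgraded": status == 101 and accept_ok}


def probe(host: str, port: int = 443, path: str = "/web/socket") -> dict:
    """Open a TLS connection to the ELB and run the handshake (network call)."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, path, key))
            return check_response(tls.recv(4096), key)


if __name__ == "__main__":
    print(probe("elb.xyz.com"))  # assumed ELB name taken from the question
```

Run it against the ELB after changing the listener; `upgraded: True` confirms the Secure TCP listener forwards the WebSocket upgrade to GlassFish.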