13

We've been using nginx compiled with the spdy module for some time now and despite only being draft 2 of the specs are quite pleased with its performance.

However we now have the need to horizontally scale and have put our EC2 instances behind an Elastic Load Balancer.

Since ELB doesn't support the NPN protocol we have set the listeners to the following:

SSL 443 -> SSL 443

We have also enabled the new proxy-protocol as described here:

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

Everything works completely fine with this configuration. Our app is successfuly loadbalanced across our instances.

However when running http://spdycheck.org/ it reports that SPDY is not enabled. Yet if I point spdycheck to the elastic IP of a single instance, it correctly reports SPDY as being enabled.

Any help would be greatly appreciated.

4

2 Answers

8

Doing SSL -> SSL does not pass the whole TCP packet through to your web server. AWS decrypts the packet using the certificate and re-encrypts it; your backend only receives the modified packet. The viable option is to change the protocol to TCP, but then you will need the nginx proxy patch to get the HTTP headers or to make it work better.

I am having the same problem and am waiting for either AWS to enable NPN negotiation on the ELB or nginx to add the accept-proxy patch to its module.

answered 2013-12-11T13:27:37.887
6

We just launched this last night on https://www.ritani.com. You need a version of nginx that supports spdy and proxy_protocol; we are on 1.6.2.

Add proxy_protocol via the AWS CLI and attach it to your ELB: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html#enable-proxy-protocol-cli

In the AWS web UI for that ELB, delete any 443 listeners and add a new listener as TCP 443 -> TCP 443.

In the server block of your nginx config:

    listen 443 ssl spdy proxy_protocol;
    add_header Alternate-Protocol 443:npn-spdy/3;
    all the standard ssl directives...

To get OCSP stapling working I had to use three certificates. The standard approach of concatenating my.crt and my.intermediate.crt did not work; I had to split them up as follows.

    ssl_certificate /etc/nginx/ssl/my.crt;
    ssl_certificate_key /etc/nginx/ssl/my.private.key;
    ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;

Finally, replace every use of $remote_addr with $proxy_protocol_addr. $remote_addr is now the ELB, and $proxy_protocol_addr is the remote client's IP.

answered 2015-01-29T20:46:59.790
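The answer above lists the directives one at a time; the following is an added example, not the answer's own configuration, that assembles them into a complete nginx 1.6.x server block for an instance sitting behind an ELB TCP 443 -> TCP 443 listener with ProxyProtocol enabled. It goes one step beyond the answer by adding the real_ip module (set_real_ip_from and real_ip_header proxy_protocol) so that $remote_addr itself becomes the client address and modules that only consult $remote_addr (allow/deny, limit_req) see the real client. The file paths, the server name example.com, the 10.0.0.0/16 subnet, the document root and the resolver address are assumptions to be adjusted for your own VPC.

```nginx
# Added example; not taken from the answer above. Paths, server name,
# subnet and resolver address are placeholders for your own environment.

http {
    # log_format is only valid in the http context. Logging the PROXY-protocol
    # address next to $remote_addr makes it easy to verify, while rolling this
    # out, that the real_ip module below is rewriting $remote_addr as intended.
    log_format proxied '$remote_addr (proxy_protocol: $proxy_protocol_addr) '
                       '"$request" $status $body_bytes_sent "$http_user_agent"';

    server {
        # The ELB forwards raw TCP and prefixes every connection with a
        # PROXY protocol v1 line; nginx terminates TLS itself, so NPN and
        # therefore SPDY are negotiated between the client and nginx.
        listen 443 ssl spdy proxy_protocol;
        server_name example.com;            # placeholder

        # Tell clients that arrive over plain HTTPS that SPDY is available.
        add_header Alternate-Protocol 443:npn-spdy/3;

        ssl_certificate         /etc/nginx/ssl/my.crt;
        ssl_certificate_key     /etc/nginx/ssl/my.private.key;
        # Kept separate from my.crt, as the answer found necessary: with
        # ssl_stapling_verify on, nginx validates the OCSP response against
        # this chain rather than against the served certificate bundle.
        ssl_trusted_certificate /etc/nginx/ssl/my.intermediate.crt;

        ssl_stapling        on;
        ssl_stapling_verify on;
        # nginx needs a resolver to look up the OCSP responder host named in
        # the certificate. 169.254.169.253 is the Amazon-provided VPC DNS;
        # treat it as a placeholder if your VPC uses a different resolver.
        resolver         169.254.169.253 valid=300s;
        resolver_timeout 5s;

        # Only honour the PROXY header when the TCP peer is the load balancer.
        # A client that can reach port 443 directly, bypassing the ELB, could
        # otherwise send a forged header and choose its own "client IP", so
        # pair this with a security group that admits 443 only from the ELB.
        set_real_ip_from 10.0.0.0/16;       # placeholder: the ELB's subnets
        real_ip_header   proxy_protocol;

        access_log /var/log/nginx/access.log proxied;

        location / {
            root /var/www/html;             # placeholder document root
        }
    }
}
```

With real_ip_header proxy_protocol in place, the answer's final step (swapping $remote_addr for $proxy_protocol_addr everywhere) becomes optional, because $remote_addr is rewritten from the PROXY line for connections whose peer matches set_real_ip_from; both variables are still available if you prefer the explicit form. Note that spdy was removed from nginx in 1.9.5 in favour of http2, so this listen line applies to the 1.6.x series the answer describes.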