Pavel,
Thanks for the info.
Is it possible to use ws or wss over an ssl connection from the client to
the elb, terminate the ssl connection on the elb but not terminate the
websocket, and then have the ws protocol connect unsecurely from the elb to
my glassfish server? (i.e. the ws protocol would go from the client to my
glassfish server, but the ssl would only be between the client and my elb)
I doubt that this is possible, but I figured I should ask to make sure.
Thanks again,
Ross
On Mon, Sep 8, 2014 at 3:30 AM, Pavel Bucek <pavel.bucek_at_oracle.com> wrote:
> Hi Ross,
>
> I don't know much about AWS and ELB, but.. Tyrus is integrated to
> Glassfish via Servlet layer, so if standard request can reach Glassfish,
> websocket upgrade request should be able to reach it too.
>
> I haven't found anything specific to websocket in ELB manual, but that
> does mean it does not need additional configuration. You might want to ask
> on some ELB/AWS forum, since it seems that you are dealing with
> configuration issue - I believe that Glassfish does not need to know about
> the real origin of the connection (in terms of tcp address and port), so
> there should not be anything special required on appserver side.
>
> Only issue I can see is the SSL part of your scenario, especially if you
> use certificate authentication. Again, this is more AWS/ELB config issue
> and does not really have anything to do with Tyrus - it should be similar
> to any other requests.
>
> Anyway, if you manage to solve your problem, feel free to post the
> solution (or link to your blogpost) here, it might be useful for others..
>
> Thanks,
> Pavel
>
>
> On 07/09/14 23:01, Ross Goldberg wrote:
>
>> How can I allow a web socket client to connect to tyrus 1.8.1 on
>> glassfish 4.1 b13 using wss through a load balancer (specifically an amazon
>> aws elb)?
>>
>> ws works properly through the elb, and both ws & wss work when connecting
>> directly to the glassfish server (circumventing the elb).
>>
>> When I try to open a web socket using wss from chrome to glassfish
>> through my elb, however, I get the following error in the chrome developer
>> console:
>>
>> WebSocket connection to 'wss://<host>:<port>/<path>' failed: Error in
>> connection establishment: net::ERR_TIMED_OUT
>>
>> Where <host>, <port> & <path> are the host, port & path of my web socket
>> server endpoint, respectively.
>>
>> My elb can accept connections from the client as either: http, https,
>> tcp, or ssl.
>>
>> It can also connect to my glassfish server using one of those four
>> protocols.
>>
>> ws works through the elb using: client > tcp > elb > tcp > glassfish
>>
>> ws does not work through the elb using other protocol combinations that
>> I've tried (but I haven't tried all 16 combinations).
>>
>> Should I also use (client > tcp > elb > tcp > glassfish) to pass wss from
>> the client through the elb to glassfish, and terminate the ssl connection
>> on glassfish rather than on the elb? (I assume that this is correct, but I
>> could be wrong)
>>
>> The other option would be to terminate the client ssl connection on the
>> elb, and to either communicate between the elb & glassfish using a
>> different ssl connection, or to not encrypt between the elb & glassfish.
>>
>> I have setup the proxy protocol on the elb, so that glassfish can obtain
>> the actual ip address of the client instead of the ip address of the elb,
>> which might be necessary to establish ssl from the client to glassfish
>> through the elb.
>>
>> I do not know if glassfish / tyrus will automatically read the client ip
>> address from the proxy protocol header instead of the ip address of the
>> elb, or if I must configure glassfish and/or tyrus to use the proxy
>> protocol.
>>
>> I can supply more information if you need it.
>>
>> Thanks.
>>
>
>
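An added example, not part of the original thread and not Tyrus or Glassfish code: a minimal PROXY protocol v1 parser showing what a back end behind a TCP listener receives, since the proxy writes the header as the first bytes of the connection, ahead of the TLS ClientHello or the HTTP upgrade request. The function name, the sample addresses and the trusted subnet are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header the PROXY protocol spec allows, CRLF included

def parse_proxy_v1(data: bytes, peer_ip: str, trusted_proxies):
    """Split a connection's first bytes into (client_addr, remaining_payload).

    client_addr is (ip, port) taken from the header, or None for 'PROXY UNKNOWN'.
    Raises ValueError for untrusted peers and for missing or malformed headers.
    """
    # Only the load balancer may assert a client address; any other peer
    # could put an arbitrary source IP in the header.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        raise ValueError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or unterminated PROXY v1 header")
    fields = data[:end].decode("ascii", "strict").split(" ")
    rest = data[end + 2:]  # TLS record or HTTP request starts here
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport), rest

# Constructed sample: header followed by the first bytes of a TLS handshake record.
TLS_START = b"\x16\x03\x01\x02\x00"
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.12 51234 8181\r\n" + TLS_START
TRUSTED = ["10.0.0.0/16"]  # constructed: subnet the load balancer nodes connect from

if __name__ == "__main__":
    client, payload = parse_proxy_v1(SAMPLE, "10.0.1.5", TRUSTED)
    print("client:", client, "next bytes:", payload.hex())
```

A listener that does not strip this header sees `PROXY ...` where it expects a TLS record or an HTTP request line, so the header has to be consumed before the TLS handshake or the WebSocket upgrade is handled.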