It could be possible, but I won't recommend that - you'll need to supply
correct certificates to the ELB and effectively implement a
man-in-the-middle scenario. Also, if you'd be using certificate
authentication, the ELB would need to handle that part, which might be
too difficult to configure. Anyway, tunneling the connection through the ELB
directly to the application server seems to be a better alternative here.
Regards,
Pavel
On 08/09/14 22:30, Ross Goldberg wrote:
> Pavel,
>
> Thanks for the info.
>
> Is it possible to use ws or wss over an ssl connection from the client
> to the elb, terminate the ssl connection on the elb but not terminate
> the websocket, and then have the ws protocol connect insecurely from
> the elb to my glassfish server? (i.e. the ws protocol would go from
> the client to my glassfish server, but the ssl would only be between
> the client and my elb)
>
> I doubt that this is possible, but I figured I should ask to make sure.
>
> Thanks again,
>
> Ross
>
> On Mon, Sep 8, 2014 at 3:30 AM, Pavel Bucek <pavel.bucek_at_oracle.com
> <mailto:pavel.bucek_at_oracle.com>> wrote:
>
> Hi Ross,
>
> I don't know much about AWS and ELB, but.. Tyrus is integrated into
> Glassfish via the Servlet layer, so if a standard request can reach
> Glassfish, a websocket upgrade request should be able to reach it too.
>
> I haven't found anything specific to websocket in the ELB manual, but
> that does mean it does not need additional configuration. You
> might want to ask on some ELB/AWS forum, since it seems that you
> are dealing with a configuration issue - I believe that Glassfish
> does not need to know about the real origin of the connection (in
> terms of tcp address and port), so there should not be anything
> special required on appserver side.
>
> Only issue I can see is the SSL part of your scenario, especially
> if you use certificate authentication. Again, this is more AWS/ELB
> config issue and does not really have anything to do with Tyrus -
> it should be similar to any other requests.
>
> Anyway, if you manage to solve your problem, feel free to post the
> solution (or link to your blogpost) here, it might be useful for
> others..
>
> Thanks,
> Pavel
>
>
> On 07/09/14 23:01, Ross Goldberg wrote:
>
> How can I allow a web socket client to connect to tyrus 1.8.1
> on glassfish 4.1 b13 using wss through a load balancer
> (specifically an amazon aws elb)?
>
> ws works properly through the elb, and both ws & wss work when
> connecting directly to the glassfish server (circumventing the
> elb).
>
> When I try to open a web socket using wss from chrome to
> glassfish through my elb, however, I get the following error
> in the chrome developer console:
>
> WebSocket connection to 'wss://<host>:<port>/<path>' failed:
> Error in connection establishment: net::ERR_TIMED_OUT
>
> Where <host>, <port> & <path> are the host, port & path of my
> web socket server endpoint, respectively.
>
> My elb can accept connections from the client as either: http,
> https, tcp, or ssl.
>
> It can also connect to my glassfish server using one of those
> four protocols.
>
> ws works through the elb using: client > tcp > elb > tcp >
> glassfish
>
> ws does not work through the elb using other protocol
> combinations that I've tried (but I haven't tried all 16
> combinations).
>
> Should I also use (client > tcp > elb > tcp > glassfish) to
> pass wss from the client through the elb to glassfish, and
> terminate the ssl connection on glassfish rather than on the
> elb? (I assume that this is correct, but I could be wrong)
>
> The other option would be to terminate the client ssl
> connection on the elb, and to either communicate between the
> elb & glassfish using a different ssl connection, or to not
> encrypt between the elb & glassfish.
>
> I have set up the proxy protocol on the elb, so that glassfish
> can obtain the actual ip address of the client instead of the
> ip address of the elb, which might be necessary to establish
> ssl from the client to glassfish through the elb.
>
> I do not know if glassfish / tyrus will automatically read the
> client ip address from the proxy protocol header instead of
> the ip address of the elb, or if I must configure glassfish
> and/or tyrus to use the proxy protocol.
>
> I can supply more information if you need it.
>
> Thanks.
>
>
>
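Ross's closing question above, whether GlassFish or Tyrus will read the ELB's proxy protocol header or must be configured for it, comes down to what arrives as the first bytes on the backend socket. The following is an added example, not code from Tyrus, GlassFish or anyone in the thread: a Python parser for a PROXY protocol v1 line that strips it from a connection's first bytes, so that whatever follows (a TLS ClientHello in the client > tcp > elb > tcp > glassfish passthrough case, or a plain HTTP Upgrade request when the ELB terminates SSL) reaches the application untouched, and that honours the asserted client address only when the connection really comes from a trusted proxy range. The 10.0.0.0/8 trusted range, instance port 8181 and the sample byte strings are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed for the example: the ELB reaches the backend from this range.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# PROXY protocol v1: the longest legal line, CRLF included, is 107 bytes.
MAX_V1_LINE = 107


@dataclass(frozen=True)
class ProxyInfo:
    family: str      # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _port(text: str) -> int:
    """Parse a decimal port; v1 forbids leading zeros and values above 65535."""
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad port {text!r}")
    port = int(text)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Split a PROXY v1 header off the start of a connection's first bytes.

    Returns (info, remaining_bytes). info is None when no header is present,
    so the bytes are returned unchanged for the TLS or HTTP layer. A malformed
    header raises ValueError; a server should close such a connection.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("PROXY header not terminated by CRLF within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        # Proxy could not determine the client address; header is still consumed.
        return ProxyInfo("UNKNOWN", "", "", 0, 0), rest
    if len(parts) != 6:
        raise ValueError(f"PROXY header has {len(parts)} fields, expected 6")
    _, family, src, dst, src_port, dst_port = parts
    if family not in ("TCP4", "TCP6"):
        raise ValueError(f"unsupported family {family!r}")
    want_version = 4 if family == "TCP4" else 6
    for addr in (src, dst):  # ip_address() itself rejects garbage addresses
        if ipaddress.ip_address(addr).version != want_version:
            raise ValueError(f"{addr} is not an IPv{want_version} address")
    return ProxyInfo(family, src, dst, _port(src_port), _port(dst_port)), rest


def client_address(peer_ip: str, first_bytes: bytes) -> Tuple[str, bytes]:
    """Return (ip to attribute the connection to, bytes the app layer should see).

    Only a trusted proxy may assert a client address: anyone who can reach the
    backend port directly could otherwise prepend a forged PROXY line and spoof
    their source IP in logs and access checks. A direct connection therefore
    gets its own peer address and its bytes untouched, so a forged line simply
    breaks that client's own TLS/HTTP handshake.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return peer_ip, first_bytes
    info, rest = parse_proxy_v1(first_bytes)
    if info is None:
        raise ValueError("trusted proxy sent no PROXY header; is the policy enabled?")
    if info.family == "UNKNOWN":
        return peer_ip, rest
    return info.src_ip, rest


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts like a TLS handshake record (type 0x16, major version 3)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def is_malformed(data: bytes) -> bool:
    """True if a PROXY line is present but invalid (helper for checks)."""
    try:
        parse_proxy_v1(data)
    except ValueError:
        return True
    return False


# Constructed sample: backend's view with an ELB TCP:443 -> TCP:8181 listener,
# ProxyProtocol policy on, client opened wss://. The ClientHello follows the line.
SAMPLE_FROM_ELB = (b"PROXY TCP4 203.0.113.7 10.0.1.5 51234 8181\r\n"
                   + b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")
# Constructed sample: a client connecting straight to GlassFish, no header.
SAMPLE_DIRECT = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
# Constructed sample: an internet client forging a header to claim 127.0.0.1.
SAMPLE_FORGED = b"PROXY TCP4 127.0.0.1 10.0.1.5 1 8181\r\n" + SAMPLE_DIRECT

if __name__ == "__main__":
    ip, app = client_address("10.0.0.23", SAMPLE_FROM_ELB)
    print(ip, is_tls_client_hello(app))        # 203.0.113.7 True
    ip, app = client_address("198.51.100.9", SAMPLE_FORGED)
    print(ip, is_tls_client_hello(app))        # 198.51.100.9 False
```

The practical consequence for the passthrough setup: whichever component owns the TCP socket first has to strip the PROXY line, because a TLS stack or HTTP listener that does not understand it sees "PROXY TCP4 ..." where it expects a ClientHello or request line and cannot complete the handshake. So the proxy protocol is only safe to enable on the ELB backend port if the listener behind it parses the header, and it should be accepted only from the load balancer's addresses, never from the open internet.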