How can I set up SPDY with Jetty behind Amazon's ELB?

I want to deploy SPDY, but I'm using Amazon's ELB TCP routing. The ELB also handles the secure connections for us. How can this be configured on the jetty side?


Solution 1:

Unfortunately, the answer is: you can't. Today, in order to deploy SPDY, your TLS termination server (which in this case is the ELB) needs to be able to negotiate SPDY over TLS "Next Protocol Negotiation" (NPN). NPN is an extension to TLS and requires a recent version of OpenSSL or other libraries. ELB does not support NPN negotiation.

The solution is to proxy the entire TCP stream through ELB down to your application server, which could then handle the NPN and TLS handshake. Jetty can do that, or you can use a tool like HAProxy, which is now NPN capable: http://www.igvita.com/2012/10/31/simple-spdy-and-npn-negotiation-with-haproxy/

Solution 2:

SPDY is supported now on ELB with use of proxy_protocol.

It's a bit fiddly to set up, however: you need to add the ProxyProtocol policy to your ELB and set the listeners to TCP 443 -> TCP 443.

This will pass the connection (along with the proxy-protocol header) through the ELB untouched to your servers.

Nginx has just added proxy-protocol support in version 1.5.12, so I simply listen as follows:

    listen 443 ssl proxy_protocol spdy;

Then set the real_ip to the passed-through proxy_protocol IP and voilà, SPDY behind ELB.

I should mention that this means you decode the SSL certificates on your web server rather than using ELB as you would with HTTPS listeners. But for me this is fine.

It would be great if Amazon could add better controls for adding policies using the web GUI, as doing it via the command line is a pain.

https://forums.aws.amazon.com/thread.jspa?threadID=90109&start=25&tstart=0
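A complete nginx configuration for the setup described in Solution 2 (TCP 443 -> TCP 443 listener with the ProxyProtocol policy, TLS terminated on the instance, client IP recovered from the PROXY header), added here as an example and not taken from the answer or the linked AWS forum thread. The hostname, certificate paths and the 10.0.0.0/8 trusted source range are assumptions; replace them with your own. The security-relevant detail the answer glosses over is set_real_ip_from: the PROXY header is plain text prepended by whatever connects to port 443, so nginx must only honour it from addresses the ELB can originate from, otherwise any direct connection to the instance can forge the logged and rate-limited client address.

```nginx
# Added example (not from the answer above): nginx 1.5.12+ behind a classic ELB
# with a TCP 443 -> TCP 443 listener and the ProxyProtocol backend policy.
# Assumed values: example.com, the certificate paths, and 10.0.0.0/8 as the
# range the ELB nodes connect from (use your VPC's CIDR or the ELB subnets).

http {
    # Only trust the PROXY protocol header from the ELB's source range.
    # Any other peer could prepend a forged header and spoof its client IP.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   proxy_protocol;

    # $proxy_protocol_addr is the raw address from the PROXY header;
    # $remote_addr is rewritten to it only when the peer matches
    # set_real_ip_from, so logging both shows whether trust was applied.
    log_format proxied '$proxy_protocol_addr -> $remote_addr '
                       '"$request" $status $body_bytes_sent';

    server {
        # TLS is terminated here, not on the ELB, so nginx can offer SPDY via NPN.
        listen 443 ssl spdy proxy_protocol;
        server_name example.com;

        ssl_certificate     /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/spdy.access.log proxied;

        location / {
            root /var/www/html;
        }
    }
}
```

On the ELB side, with the classic ELB CLI, the two commands are `aws elb create-load-balancer-policy --load-balancer-name my-elb --policy-name EnableProxyProtocol --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true` followed by `aws elb set-load-balancer-policies-for-backend-server --load-balancer-name my-elb --instance-port 443 --policy-names EnableProxyProtocol` (the load balancer name is assumed). To confirm the pass-through works, connect through the ELB and check that the first field in the access log is your public address and the second matches it; if the second field is still the ELB's private address, the peer fell outside set_real_ip_from and the header was ignored rather than trusted.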