When using the AWS Cloud Service, 90% uses the ELB service as a load-balanced solution, and using Elb is much more convenient than building load balancing yourself. The main benefits of
are:
1. Can monitor the health status of the instance at any time;
2. When the server is not normal, the ELB alert policy will automatically send messages to notify the Operators
3. When the server load reaches the threshold, the new server is automatically joined to the cluster through the auto scanning, and the redundant instance
4 is automatically closed when the load is lowered. ELB's monitoring indicators help determine server performance better
AWS Elb nginx Enable Agent protocol
to use the AWS Elb Server for WebSocket load Balancing, only TCP mode is used. The
Proxy protocol is an Internet protocol that is used to pass connection information from the source of the request connection to the destination to which the request is connected. Elastic Load Balancing uses the proxy Protocol version 1, which uses the user-readable header format.
By default, when you use Transmission Control Protocol (TCP) or Secure Sockets Layer (SSL) for front-end and back-end connections, your load Balancer forwards the request to the backend instance without modifying the request header. If you enable the proxy protocol, a user-readable header is added to the request header, which contains connection information, such as the source IP address, destination IP address, and port number. The header is then sent as part of the request to the backend instance.
You can enable the proxy protocol on ports that use SSL and TCP protocols. When using a non-HTTP protocol, or when using HTTPS and not terminating an SSL connection on a load balancer, you can use the proxy protocol to capture the source IP of the client.
Agent protocol Header
When you use a load balancer configured for a TCP/SSL connection, the agent protocol header helps identify the client's IP address. Because the load balancer blocks traffic between the client and your backend instance, the access log for your backend instance will contain the IP address of the load balancer instead of the original client's IP address. You can parse the first line of the request to retrieve the client's IP address and port number. The proxy address in the
IPV6 header is the public IPv6 address of the load balancer. This IPv6 address matches the IP address of the DNS name resolved from the load balancer at the beginning of IPv6 or Dualstack. If the client uses IPV4 to connect, the address in the proxy header is the private IPv4 address of the load balancer and cannot be resolved by DNS lookup outside the Ec2-classic network.
The proxy agreement line ends with a carriage return and a newline character ("\ r \ n") and has the following form:
Proxy_string + Single spaces + Inet_protocol + single spaces + client_ip + single spaces + proxy_ip + single spaces + client_p ORT + Single spaces + Proxy_port + "\ r \ n"
Instance:
PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n
Installing the AWS CLI Tool
The AWS Management console does not support enabling the proxy protocol, so it needs to be enabled through the command line.
# sudo apt-get install python-pip
# sudo pip install awscli
Configure the authorization connection parameter file.
[Default]
aws_access_key_id = you_access_id
aws_secret_access_key = you_secret_id
output = JSON or Bson or text
Region = Preferred_aws_region
Like this, aws_access_key_id, Aws_secret_access_key, region are filled in according to your AWS example.
AWS Elb Enable Agent protocol
view the policies supported by ELB. The response contains the name and description of the supported policy type.
# AWS Elb Describe-load-balancer-policy-types
{
"policytypedescriptions": [
...
] {"
policyattributetypedescriptions": [
{"
cardinality": "One",
"AttributeName": "Proxyprotocol",
"AttributeType": "Boolean"
}
],
"policytypename": "Proxyprotocolpolicytype",
" Description ":" Policy that controls whether to include the IP addresses and port of the originating
request for TCP mes Sages. This policy operates on TCP/SSL listeners only "
},
...
]
}
To create a policy that enables proxy protocols
# AWS Elb Create-load-balancer-policy--load-balancer-name You_elb_name--policy-name EnableProxyProtocol-- Policy-type-name Proxyprotocolpolicytype--policy-attributes Attributename=proxyprotocol,attributevalue=true
This command creates a policy named Enableproxyprotocol and assigns the following Elb properties "Attributename=proxyprotocol & Attributevalue=true".
Enable the above policy on the specified port
# AWS Elb Set-load-balancer-policies-for-backend-server--load-balancer-name you_elb_name--instance-port 80-- Policy-names Enableproxyprotocol
# AWS Elb Set-load-balancer-policies-for-backend-server--load-balancer-name You_elb_name--instance-port Bayi--policy-names enableproxyprotocol
# AWS Elb Set-load-balancer-policies-for-backend-server--load-balancer-name you_elb_name--instance-port 443--policy-names Enableproxyprotocol
This command overrides the currently enabled policy group. Therefore, the--policy-names option must specify both the policies that you are adding to the list and any currently enabled policies.
see whether to enable
# AWS Elb Describe-load-balancers--load-balancer-name You_elb_name | JQ '. Loadbalancerdescriptions[]. Backendserverdescriptions '
[
{
policynames]: [
"Enableproxyprotocol"
],
"Instanceport" : "
policynames": [
"Enableproxyprotocol"
],
"Instanceport": Bayi
},
{
"Policynames": [
"Enableproxyprotocol"
],
"Instanceport": 443
}
]
If you want to disable the proxy protocol, you can do so, and the 4th step is to see if it is disabled.
# AWS Elb Set-load-balancer-policies-for-backend-server--load-balancer-name you_elb_name--instance-port 80-- Policy-names "[]"
Configure Nginx Accept Agent Protocol headers
Nginx Enable this primary purpose is to obtain the real client IP address. Otherwise, are ELB intranet IP address.
Set_real_ip_from 127.0.0.1; set_real_ip_from 10.0.0.0/8; Real_ip_header proxy_
Protocol
Real_ip_recursive on;
server {Listen proxy_protocol;
Listen 443 Proxy_protocol SSL;
. Location/{Proxy_set_header Host $host;
Proxy_set_header X-real-ip $proxy _protocol_addr;
Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;
Proxy_set_header X-forwarded-proto TCP;
Proxy_set_header X-nginx-proxy true;
...
}
Set_real_ip_from 127.0.0.1;
Set_real_ip_from 10.0.0.0/8;
Real_ip_header Proxy_protocol;
Real_ip_recursive on;
server {Listen proxy_protocol;
Listen 443 Proxy_protocol SSL;
. Location/{Proxy_set_header Host $host;
Proxy_set_header X-real-ip $proxy _protocol_addr;
Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;
Proxy_set_header X-forwarded-proto TCP;
Proxy_set_header X-nginx-proxy true;
...
}
When Nginx has the agent protocol enabled, $proxy _PROTOCOL_ADDR variable will be the real client IP.
If there is no inverse generation, Nginx can be configured to:
Log_format elb_log ' $proxy _protocol_addr-$remote _user [$time _local] ' $request ' $status $body _bytes_sent ' $http _ Referer "", "$http _user_agent";
Set_real_ip_from 172.31.0.0/20;
Set_real_ip_from 10.0.0.0/8;
Real_ip_header Proxy_protocol;