WebSockets: wss from client to Amazon AWS EC2 instance through ELB

Question

How can I connect over ssl to a websocket served by GlassFish on an Amazon AWS EC2 instance through an ELB?

I am using Tyrus 1.8.1 in GlassFish 4.1 b13 pre-release as my websocket implementation.

Port 8080 is unsecured, and port 8181 is secured with ssl.

  • ELB dns name: elb.xyz.com
  • EC2 dns name: ec2.xyz.com
  • websocket path: /web/socket

I have successfully used both ws & wss to connect directly to my EC2 instance (bypassing my ELB). i.e. both of the following urls work:

  • ws://ec2.xyz.com:8080/web/socket
  • wss://ec2.xyz.com:8181/web/socket

I have successfully used ws (non-ssl) over my ELB by using a tcp 80 > tcp 8080 listener. i.e. the following url works:

  • ws://elb.xyz.com:80/web/socket

I have not, however, been able to find a way to use wss through my ELB.

I have tried a lot of things.

I assume that the most likely way of getting wss to work through my ELB would be to create a tcp 8181 > tcp 8181 listener on my ELB with proxy protocol enabled and use the following url:

  • wss://elb.xyz.com:8181/web/socket

Unfortunately, that does not work. I guess that I might have to enable the proxy protocol on glassfish, but I haven't been able to find out how to do that (or if it's possible, or if it's necessary for wss to work over my ELB).

Another option might be to somehow have ws or wss run over an ssl connection that's terminated on the ELB, and have it continue unsecured to glassfish, by using an ssl > tcp 8080 listener. That didn't work for me, either, but maybe some setting was incorrect.

Does anyone have any modifications to my two aforementioned trials? Or does anyone have some other suggestions?

Thanks.

Recommended answer

I had a similar setup and originally configured my ELB listeners as follows:

  • HTTP 80 HTTP 80
  • HTTPS 443 HTTPS 443

Although this worked fine for the website itself, the websocket connection failed. In the listener, you need to allow all secure TCP connections as opposed to SSL only to allow wss to pass through as well:

  • HTTP 80 HTTP 80
  • SSL (Secure TCP) 443 SSL (Secure TCP) 443

I would also recommend raising the Idle timeout of the ELB.
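
A check for the listener setup discussed above, as an added example that is not part of the original question or answer: it reads a Classic ELB description and reports which listeners can carry ws/wss, where TLS stops at the load balancer (the question's ssl > tcp 8080 idea), and whether the idle timeout is short. The sample JSON is constructed, and `audit_listeners` and the `min_idle` threshold are assumptions of this example.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output for a
# Classic ELB; the listeners mirror the answer's first (failing) configuration.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [{"LoadBalancerName": "example-elb",
  "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTPS", "InstancePort": 443}}]}]}
""")

LAYER4 = {"TCP", "SSL"}       # byte-stream listeners: ws/wss handshake passes through
ENCRYPTED = {"SSL", "HTTPS"}  # protocols that keep TLS on a leg


def audit_listeners(description, idle_timeout=60, min_idle=300):
    """Return (findings, ws_ports) for one Classic ELB description.

    idle_timeout is ConnectionSettings.IdleTimeout from
    describe-load-balancer-attributes (60 s is the ELB default);
    min_idle is an assumed threshold for long-lived sockets.
    """
    findings, ws_ports = [], []
    for entry in description["ListenerDescriptions"]:
        lst = entry["Listener"]
        front = lst["Protocol"].upper()
        back = lst.get("InstanceProtocol", front).upper()
        port = lst["LoadBalancerPort"]
        if front not in LAYER4:
            fix = "SSL" if front == "HTTPS" else "TCP"
            findings.append(f"{port}: {front} listener will not carry "
                            f"websockets; use {fix}")
            continue
        ws_ports.append(port)
        if front == "SSL" and back not in ENCRYPTED:
            findings.append(f"{port}: TLS ends at the ELB; traffic to "
                            f"instance port {lst['InstancePort']} is plaintext")
    if idle_timeout < min_idle:
        findings.append(f"idle timeout {idle_timeout}s < {min_idle}s; "
                        "quiet sockets will be dropped")
    return findings, ws_ports


if __name__ == "__main__":
    for line in audit_listeners(SAMPLE["LoadBalancerDescriptions"][0])[0]:
        print(line)
```

The HTTP 80 finding is informational when that listener only serves the website, as in the answer's corrected setup.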
