How is Elastic Beanstalk forwarding traffic on port 80 to the app at port 8080 without nginx/apache

amazon-web-serviceselastic-beanstalknetworking

This is the weirdest thing ever. I've configured my AWS Elastic Beanstalk environment's proxy server setting to none instead of nginx or apache, to reduce the server overhead, and since I don't need the caching.

However, the most peculiar thing happened. The server is able to accept connections on port 80 and forward them to my Node.js app running on 8080, even though no service is apparently listening on port 80! I verified with the following commands:

sudo lsof -i :80 – no output
sudo iptables -L – no forward rules
sudo netstat -an | grep :80 | grep LISTEN – no processes listening on port 80

Running curl http://localhost/ on the actual server works, so this is not a case of tricky Elastic Load Balancer forwarding rules.

How does AWS do it? How do they forward traffic without a process listening on :80 or an iptables forward rule?

Best Answer

It's a NAT rule.

iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Thanks to @slims_s from reddit.

Related Solutions

Elastic Beanstalk – How to Force HTTPS

I think you need to specify what Elastic Beanstalk environment that you use (see: Supported Platforms), because different environment has different configuration.

Basically, you need to customize:

Elastic Load Balancer:
- Listen on port 80 and proxy it to EC2 instance port 80.
- Listen on port 443 and proxy it to EC2 instance port 443.
EC2 Web Server/Proxy:
- Listen on port 80 and response with redirect to HTTPS.
- Listen on port 443 and serve the request.

To customized it, you can use CLI or .ebextensions.

You can check on Enable HTTPS and HTTP-Redirect on AWS Elastic Beanstalk. It tells you how to configure Elastic Beanstalk Single Docker Container serve HTTPS and HTTP (redirect to HTTPS). You can adjust the config as your need.

Iptables – Opensuse port forwarding 80 to 8080 not working

Try below iptables rules, it should work for you

sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080

Also SuSEfirewall2 regenerates the iptables on each boot. So if you want to save rules then you can add "custom rules" using the file: /etc/sysconfig/scripts/SuSEfirewall2-custom

Best Answer

Related Solutions

Elastic Beanstalk – How to Force HTTPS

Iptables – Opensuse port forwarding 80 to 8080 not working

Related Topic