Ssl – Cannot establish Websocket on AWS

amazon-web-servicesload balancingsslwebsocket

I have a webserver running on an EC2 instance behind an AWS load balancer under a custom domain for using https.

Curl requests to the webserver work as expected, including over https. But establishing a websocket connection fails with the following error (in Chrome):

WebSocket connection to 'wss://sub.foo.com/' failed: Unknown reason

While this is a cryptic error message, my guess is that this has to do with AWS, because:

Establishing the socket with the server running on localhost works fine
Establishing the socket with the server running on AWS by bypassing the load balancer works fine

I use Clojure's http-kit for the webserver, but suspect it doesn't matter.

Amazon says its load balancers support websockets, so what am I doing wrong?

Best Answer

This ended up being something completely unrelated: a browser extension. The uBlock Origin browser extension seems to not like secure websocket connections being made across domains (in this case, from localhost to my server on AWS behind my custom domain as I was testing).

Related Solutions

EC2 WebSocket – Cannot Get WebSocket Connection Working with EC2 and Application Load Balancer

The ALB does not use a host name for the health check. Thus, if your server does not support requests without host names, the health check will fail, resulting in 5xx errors when accessing the ALB.

Check the target group the ALB is using for health check errors
Check your application server logs for health check related errors

If your server does not support this you have two options:

Use a proxy (e.g. nginx) on your server that can handle requests without host name, and handle the problem there
Override the ALB health check port, redirecting it to something that returns HTTP 200 all the time (e.g. an Apache running on the same host, but on another port).

Tomcat servlet will not complete websocket connection

Well the fix was very simple. I changed the reverseproxy to use the un-secure websocket connection to my tomcat server

this caused a failure in SSL proxy authentication

# websocket proxy
<Location "/admin/AdminConsole">
  ProxyPass  wss://localhost:8080/admin/AdminConsole
  ProxyPassReverse  wss://localhost:8080/admin/AdminConsole
  Require all granted
</Location>

this circumvents the need for SSL proxy authentication

# websocket proxy
<Location "/admin/AdminConsole">
  ProxyPass  ws://localhost:8080/admin/AdminConsole
  ProxyPassReverse  ws://localhost:8080/admin/AdminConsole
  Require all granted
</Location>

From the client I am using the secure websocket address which apache now proxys to a unsecure websocket. This is ok because I'm secure across the internet, and only unsecure on my local host.

here is the connection address on the client

WSuri = new URI("wss://"+host+"/admin/AdminConsole?userName="+userName+"&source=app");

Still odd that apache 2.2 had no problem, but 2.4.6 does. Though I read a few posts that indicated 2.4.6 had problems with secure proxy.

Best Answer

Related Solutions

EC2 WebSocket – Cannot Get WebSocket Connection Working with EC2 and Application Load Balancer

Tomcat servlet will not complete websocket connection

Related Topic