Trouble enabling Proxy Protocol on AWS ELB

amazon-elb amazon-web-services

I followed the guide at http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html to enable the Proxy Protocol on both my TCP listeners (ports 80 and 443). I ran the following commands on one of my EC2 instances:

# Create the ProxyProtocol policy on the load balancer
aws elb create-load-balancer-policy \
    --load-balancer-name 'proxy-connect-test' \
    --policy-name EnableProxyProtocol \
    --policy-type-name ProxyProtocolPolicyType \
    --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true

# Attach the policy to a back-end instance port
echo "Enabling policy on :80"
aws elb set-load-balancer-policies-for-backend-server \
    --load-balancer-name 'proxy-connect-test' \
    --instance-port 80 --policy-names 'EnableProxyProtocol'

echo "Enabling policy on :443"
aws elb set-load-balancer-policies-for-backend-server \
    --load-balancer-name 'proxy-connect-test' --instance-port 443 \
    --policy-names 'EnableProxyProtocol'

I can confirm that the policies have been recorded by using describe-load-balancers:

"BackendServerDescriptions": [
    {
        "InstancePort": 80,
        "PolicyNames": [
            "EnableProxyProtocol"
        ]
    },
    {
        "InstancePort": 443,
        "PolicyNames": [
            "EnableProxyProtocol"
        ]
    }
],

But when I make requests to either of those ports, I can't see the Proxy Protocol header in tcpdump. Requests to the back-end servers succeed over both HTTP and HTTPS, but I never see the expected PROXY header.

I'm not using any other kind of proxy between my clients (openssl s_client, Firefox) and the backend web server (where tcpdump is observing the connection). The listeners are TCP:80 -> TCP:8080 and TCP:443 -> TCP:8443.

Do I have to do anything else to get the Proxy Protocol enabled on my ELB?
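For reference, this is what the back end should see once the header does arrive, and how a back end should consume it. The following is an added example, not code from the question or from AWS: a parser for the PROXY protocol v1 line (the only version Classic ELB emits) plus the check that matters for security, namely honouring the line only when the TCP peer is one of the load balancer's addresses. Otherwise any client that can reach the instance port directly can spoof its source address by sending a PROXY line of its own. The sample stream, the back-end addresses and the TRUSTED_PROXIES network are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (not a real capture): the v1 line an ELB prepends to the
# back-end connection, followed by the first bytes of the client's HTTP request.
SAMPLE_STREAM = (b"PROXY TCP4 198.51.100.22 10.0.1.15 51234 8080\r\n"
                 b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

# Assumed network the ELB nodes live in; in practice use the ELB subnet CIDRs.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

MAX_V1_HEADER = 107  # longest legal v1 line including CRLF (TCP6, full addresses)


@dataclass
class ProxyHeader:
    family: str                    # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str] = None   # original client address
    dst_ip: Optional[str] = None   # address the client connected to (the ELB)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _port(field: bytes) -> int:
    # Digits only, no leading zeros, 0..65535 (as the spec requires).
    if not field.isdigit() or (len(field) > 1 and field[:1] == b"0"):
        raise ValueError(f"bad port {field!r}")
    port = int(field)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[ProxyHeader, bytes]:
    """Split a PROXY v1 line off the front of data; return (header, rest)."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a v1 PROXY header")
    fields = data[:end].split(b" ")
    rest = data[end + 2:]
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == b"UNKNOWN":
        # Proxy could not determine the client; the rest of the line is ignored.
        return ProxyHeader("UNKNOWN"), rest
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = fields[1].decode("ascii")
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6 tag")
    return ProxyHeader(family, str(src), str(dst),
                       _port(fields[4]), _port(fields[5])), rest


def client_ip_for(data: bytes, peer_ip: str,
                  trusted: List[ipaddress._BaseNetwork] = TRUSTED_PROXIES
                  ) -> Tuple[str, bytes]:
    """Return (client_ip, application_bytes) for a freshly accepted connection.

    The PROXY line is honoured only when the TCP peer is a trusted proxy. A
    PROXY line from anyone else is a spoofing attempt and is rejected outright.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        if data.startswith(b"PROXY "):
            raise ValueError(f"PROXY header from untrusted peer {peer_ip}")
        return peer_ip, data
    header, rest = parse_proxy_v1(data)
    if header.src_ip is None:          # "PROXY UNKNOWN"
        return peer_ip, rest
    return header.src_ip, rest


if __name__ == "__main__":
    ip, app = client_ip_for(SAMPLE_STREAM, "10.0.3.7")
    print(ip, app[:14])
```

With the policy attached to the wrong instance port, as in the question, the ELB connects without the line and parse_proxy_v1 fails on the first bytes of the HTTP request ("missing PROXY signature"), which is a quick way to confirm from the back end itself what tcpdump showed.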

Best Answer

The listeners are TCP:80 -> TCP:8080 and TCP:443 -> TCP:8443.

You have applied the policy to "instance ports" 80 and 443. The instance port refers to the port on the back-end instance, so the policy should be applied to instance ports 8080 and 8443 instead.
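The mismatch is easy to spot mechanically from describe-load-balancers output: the instance ports that need the policy are the InstancePort values under ListenerDescriptions, and the ports that actually have it are under BackendServerDescriptions. The following is an added example, not code from the answer or from AWS: it audits the two against each other and prints the corrected CLI commands. The JSON is constructed to reproduce the question's state (listeners 80->8080 and 443->8443, policy on 80 and 443); the load balancer name and policy name are taken from the question.

```python
import json
from typing import Dict, List

# Constructed describe-load-balancers output reproducing the question's state.
# Not real AWS output; shape follows the documented response fields.
SAMPLE_DESCRIBE = json.dumps({"LoadBalancerDescriptions": [{
    "LoadBalancerName": "proxy-connect-test",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "TCP", "InstancePort": 8080},
         "PolicyNames": []},
        {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 443,
                      "InstanceProtocol": "TCP", "InstancePort": 8443},
         "PolicyNames": []},
    ],
    "BackendServerDescriptions": [
        {"InstancePort": 80, "PolicyNames": ["EnableProxyProtocol"]},
        {"InstancePort": 443, "PolicyNames": ["EnableProxyProtocol"]},
    ],
}]})


def audit_proxy_protocol(describe_json: str, lb_name: str,
                         policy: str = "EnableProxyProtocol") -> Dict[str, List[int]]:
    """Compare the instance ports that should carry the policy with those that do."""
    lbs = json.loads(describe_json)["LoadBalancerDescriptions"]
    lb = next(d for d in lbs if d["LoadBalancerName"] == lb_name)
    # Only TCP/SSL listeners pass a PROXY line through; HTTP(S) listeners
    # carry the client address in X-Forwarded-For instead.
    wanted = {ld["Listener"]["InstancePort"] for ld in lb["ListenerDescriptions"]
              if ld["Listener"]["Protocol"] in ("TCP", "SSL")}
    have = {b["InstancePort"] for b in lb.get("BackendServerDescriptions", [])
            if policy in b["PolicyNames"]}
    return {
        "ok": sorted(wanted & have),        # policy on a real back-end port
        "missing": sorted(wanted - have),   # back-end port without the policy
        "stray": sorted(have - wanted),     # policy on a port no listener uses
    }


def fix_commands(lb_name: str, audit: Dict[str, List[int]],
                 policy: str = "EnableProxyProtocol") -> List[str]:
    """CLI commands that attach the policy to each missing instance port."""
    return [f"aws elb set-load-balancer-policies-for-backend-server "
            f"--load-balancer-name {lb_name} --instance-port {port} "
            f"--policy-names {policy}"
            for port in audit["missing"]]


if __name__ == "__main__":
    result = audit_proxy_protocol(SAMPLE_DESCRIBE, "proxy-connect-test")
    print(result)
    for cmd in fix_commands("proxy-connect-test", result):
        print(cmd)
```

For a live load balancer, feed it the output of `aws elb describe-load-balancers --load-balancer-names proxy-connect-test`. Entries reported as stray (80 and 443 here) are harmless, since no listener forwards to those instance ports, but they are worth cleaning up so the policy list reflects what is actually in effect.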