What’s the options if you must provide a static IP endpoint for your service behind AWS ELB

amazon-elbamazon-web-services

I have a web service with few EC2 servers behind a AWS ELB. As I understand, there is no way an ELB endpoint can have a static IP, because it is a DNS-based load balancing solution, and that is a design decision made by ELB team.

However, one of the 3rd party partners that we integrated with require IP of our servers due to their internal infrastructure limit (ya, I know).

After some research, I plan to prepare a SSL pass-through reverse proxy behind a static IP and pass requests to our ELB endpoint. This server will only be used by that client. I will probably use HAProxy because proxy server need to resolve IP of ELB dynamically.

Pros :

No changes to the infrastructure behind the AWS ELB.
No additional SSL certification required.

Cons :

Introduce single point of failure, but only affect that client.
The client need to assign the IP for our domain name by themselves, or we set up another domain name point to this server.
No previous experience set up such reserve proxy.

This is the only way I came up without change our infrastructure, I would like to hear your input, what would you do if you are in this situation ?

Best Answer

In the end, I go with the TCP SSL pass-through reverse proxy solution, here is my HAProxy config :

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    option tcplog
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s/%si\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
    log global

resolvers dns
    nameserver google 8.8.8.8

# pass 80 port request to AWS ELB
listen http-proxy
    bind *:80
    mode tcp
    server elb my.elb.amazonaws.com:80 check resolvers dns

# pass 443 port request to AWS ELB
listen https-proxy
    bind *:443
    mode tcp
    server elb my.elb.amazonaws.com:443 check resolvers dns

Some explanation :

The proxy listen connections from port 80 and 443, then pass to the ELB endpoint.
HAProxy will resolve the IP dynamically with DNS I specify
Use TCP mode so there is no need to create extra SSL certification for the proxy

I did some tests and it works well.

However I did notice a downside (or just didn't know how to solve it)

Unable to put real client IP into HTTP header because it is in TCP mode

This may cause problems if you want to allow some IPs to access certain service.

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

If you can guarantee that all requests will be coming from ELB (I'm not familiar with it), you could try:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

That should tell nginx to trust an X-Forwarded-For header from anyone. The downside is that if anyone directly accesses your server, they would be able to spoof an X-Forwarded-For header and nginx would use the wrong client ip address.

Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)

In the end, I implemented the requirement of our partner as follows:

launch an instance in AWS
allocate and attach an Elastic IP (EIP) to it
Installed Apache
(in our case, installed our SSL certificate)
Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB

Here's a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a <Directory> block that accepts requests only from their IP range.

<IfModule mod_ssl.c>
# Catch non-SSL requests and redirect to SSL
<VirtualHost 12.34.567.890:80>
  ServerName our-static-ip-a-record.example.com
  Redirect / https://our-elb-cname.example.com       
</VirtualHost>
# Handle SSL requests on the static IP
<VirtualHost 12.34.567.890:443>
  ServerAdmin monitor@example.com
  ServerName our-static-ip-a-record.example.com

  # SSL Configuration
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
  SSLCertificateFile    /etc/apache2/ssl/example.com.crt    
  SSLCertificateKeyFile /etc/apache2/ssl/private.key
  # Additional defaults, e.g. ciphers, defined in apache's ssl.conf

  # Where the magic happens
  ProxyPass / https://our-elb-cname.example.com/
  ProxyPassReverse / https://our-elb-cname.example.com/

  # Might want this on; sets X-Forwarded-For and other useful headers
  ProxyVia off

  # This came from an example I found online, handles broken connections from IE
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Hope this saves someone else some time in the future :-)

Best Answer

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)

Related Topic