Any downsides to ELB 443 running in Secure TCP mode?


Dr Nic Williams
 

Pivotal WS runs behind ELBs that pipe websockets traffic through port 4443 in Secure TCP mode - because ELBs in HTTPS mode do not respect the websocket handshake upgrade.


We tried running port 443 in Secure TCP to avoid the additional port 4443 (which cannot be accessed from inside the client company's network - they only allow outbound access to :80 and :443).


And it works.


What are the downsides to running :443 as Secure TCP rather than HTTPS?


Nic


Aaron Huber
 

With SSL instead of HTTPS you lose the X-Forwarded headers which would be
needed for the apps to know if the traffic came in as secure, which would
only be an issue if you're allowing both 80 and 443 and the apps need to be
able to tell the difference. Otherwise it would be identical as far as I'm
aware. Using HTTPS allows them to inject the headers into the protocol.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/using-elb-listenerconfig-quickref.html

Aaron




--
View this message in context: http://cf-bosh.70367.x6.nabble.com/cf-bosh-Any-downsides-to-ELB-443-running-in-Secure-TCP-mode-tp590p591.html
Sent from the CF BOSH mailing list archive at Nabble.com.


James Bayer
 

The x-forwarded-proto header is pretty important for large public clouds as
most of them enable http and https that I'm aware of. In this situation,
I'm not sure how we forego the header when it's also important to allow
plain http traffic on port 80.

On Wed, Aug 19, 2015 at 10:47 PM, aaron_huber <aaron.m.huber(a)intel.com>
wrote:


--
Thank you,

James Bayer
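The point Aaron and James are making above, shown as an added example that is not code from the thread or from Cloud Foundry: a small Go middleware that decides whether a request arrived over TLS using only X-Forwarded-Proto, which an HTTP or HTTPS ELB listener injects and a TCP or Secure TCP listener does not. The host name, the handler and the Policy type are assumptions made for the example; the constructed requests stand in for traffic arriving through each listener mode.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Scheme is what an app behind the ELB can infer about how the client
// reached the load balancer.
type Scheme int

const (
	SchemeUnknown Scheme = iota // nothing to go on (TCP / Secure TCP listener)
	SchemeHTTP                  // ELB port-80 HTTP listener set X-Forwarded-Proto: http
	SchemeHTTPS                 // ELB HTTPS listener set X-Forwarded-Proto: https
)

// requestScheme classifies a request from the X-Forwarded-Proto header that
// an HTTP or HTTPS ELB listener injects. A TCP or Secure TCP listener passes
// the bytes through untouched, so the header is absent and the result is
// SchemeUnknown. Only trust this header when the app is reachable solely
// through the load balancer; a client talking to the app directly could set
// it to anything.
func requestScheme(r *http.Request) Scheme {
	// With stacked proxies the value can be a comma-separated chain; the
	// first entry describes the original client hop.
	first := strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0]
	switch strings.ToLower(strings.TrimSpace(first)) {
	case "https":
		return SchemeHTTPS
	case "http":
		return SchemeHTTP
	}
	return SchemeUnknown
}

// Policy (assumed name) decides what to do when the scheme cannot be
// determined. This is the trade-off the thread describes: once 443 is a
// Secure TCP listener, every request looks the same as one that arrived on
// port 80.
type Policy struct {
	// true keeps a Secure-TCP-on-443 deployment working but also lets plain
	// port-80 traffic through; false fails closed.
	TreatUnknownAsSecure bool
}

// requireHTTPS wraps next: plain-HTTP requests are redirected to https,
// unknown ones are handled per the policy, https ones pass through.
func requireHTTPS(p Policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch requestScheme(r) {
		case SchemeHTTPS:
			next.ServeHTTP(w, r)
		case SchemeHTTP:
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusMovedPermanently)
		default:
			if p.TreatUnknownAsSecure {
				next.ServeHTTP(w, r)
				return
			}
			http.Error(w, "cannot verify transport security", http.StatusForbidden)
		}
	})
}

// probe sends one constructed request through the middleware and returns the
// status code, so the behaviour under each listener mode can be checked.
func probe(p Policy, forwardedProto string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	// app.example.test is a constructed host name.
	req := httptest.NewRequest("GET", "http://app.example.test/ws", nil)
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	rec := httptest.NewRecorder()
	requireHTTPS(p, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	failClosed := Policy{TreatUnknownAsSecure: false}
	fmt.Println("HTTPS listener        :", probe(failClosed, "https")) // 200
	fmt.Println("HTTP listener (80)    :", probe(failClosed, "http"))  // 301
	fmt.Println("Secure TCP listener   :", probe(failClosed, ""))      // 403
	fmt.Println("Secure TCP, fail open :", probe(Policy{TreatUnknownAsSecure: true}, "")) // 200
}
```

The last two lines of main are the situation in the thread: with 443 in Secure TCP mode the header never arrives, so an app that wants to keep redirecting port-80 traffic has to either reject everything (fail closed) or accept everything, including plain HTTP that came in on 80, which is the header James says the large public clouds depend on.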


Mike Jacobi
 

I ran into the same issue. My solution was to run wss on 8080. Yes, it's weird to run SSL on 8080, but it was allowed out the firewall.

Date: Wed, 19 Aug 2015 22:30:03 -0700
From: drnic(a)starkandwayne.com
To: cf-bosh(a)lists.cloudfoundry.org
Subject: [cf-bosh] Any downsides to ELB 443 running in Secure TCP mode?


Mike Jacobi
 

Point being: If you want or need to keep 443 as HTTPS, perhaps you can find another allowed egress port and move wss there.

From: sushiandbeer(a)outlook.com
To: cf-bosh(a)lists.cloudfoundry.org
Date: Thu, 20 Aug 2015 16:45:44 -0700
Subject: [cf-bosh] Re: Any downsides to ELB 443 running in Secure TCP mode?


Dr Nic Williams
 

Unfortunately the employees are behind a firewall that only allows egress 80 and 443; they don't have a particular dislike to 4443. They dislike all of the ports :)

On Thu, Aug 20, 2015 at 4:50 PM, Mike Jacobi <sushiandbeer(a)outlook.com>
wrote: