AWS classic ELB mode (TCP & HTTP) configs for new protocols

lff l
Jul 15, 2021

We have been using the Classic AWS ELB for a long time and are planning to migrate to the new version of the ELB (NLB / ALB). But so far the old Classic ELB works fine, although it has some weaknesses and we have to work around them.

Currently the Classic ELB supports 2 modes: TCP and HTTP. Both support HTTPS termination by importing an SSL certificate into AWS Certificate Manager and configuring SSL on the ELB.

For most of our services, configuring the ELB in HTTP mode works fine. But Classic ELB does NOT support upgradable protocols, including websocket and http2. For these new protocols, you have to either upgrade to the new LBs (NLB/ALB) or configure the ELB in TCP mode.

However, once it is configured in TCP mode, the ELB will NOT pass the headers to the backend servers. The headers include x-forwarded-proto, which tells the backend services the real protocol (https). Without it, the backend server treats the current request as a normal http request, which breaks the login process.

For example, when a user accesses https://server.com, since he is a new user it is expected that he will be redirected to https://server.com/login.

To resolve this we have several choices. In our case, we put an Nginx instance in front of the server to ADD the needed headers, like this:

An example of nginx conf:

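location / {
    # Forward to the backend application on the same host
    proxy_pass http://127.0.0.1:8080/;
    proxy_redirect off;
    proxy_set_header Host $host;
    # Behind a TCP-mode ELB, $remote_addr is the ELB node's address unless Proxy Protocol is enabled
    proxy_set_header X-Real-IP $remote_addr;
    # The TCP-mode ELB supplies no x-forwarded-proto, so state the original protocol here
    proxy_set_header x-forwarded-proto https;
}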
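The redirect failure described above, and the effect of the header Nginx adds, shown from the backend's side as an added example (not code from the original post). It assumes a backend that builds the login redirect from x-forwarded-proto and accepts that header only from the local Nginx; `TRUSTED_PROXIES`, `effective_scheme` and `login_redirect` are hypothetical names.

```python
import ipaddress

# Assumption: only the Nginx on the same host (loopback) may assert the
# original protocol. Anything else could be a client forging the header.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]


def _lower_keys(headers):
    """HTTP header names are case-insensitive, so normalise them once."""
    return {name.lower(): value for name, value in headers.items()}


def effective_scheme(headers, peer_ip, socket_scheme="http"):
    """Return the scheme the client used, as far as the backend can tell.

    socket_scheme is what the backend sees on its own socket: plain http,
    because TLS was already terminated at the ELB.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return socket_scheme  # untrusted hop: ignore x-forwarded-proto
    raw = _lower_keys(headers).get("x-forwarded-proto", "")
    value = raw.split(",")[0].strip().lower()  # first hop if several are listed
    return value if value in ("http", "https") else socket_scheme


def login_redirect(headers, peer_ip):
    """Build the Location value sent to a user who is not logged in."""
    host = _lower_keys(headers).get("host", "localhost")
    return f"{effective_scheme(headers, peer_ip)}://{host}/login"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    no_header = {"Host": "server.com"}
    with_header = {"Host": "server.com", "x-forwarded-proto": "https"}
    print(login_redirect(no_header, "127.0.0.1"))    # TCP-mode ELB, no Nginx fix
    print(login_redirect(with_header, "127.0.0.1"))  # header added by Nginx
    print(login_redirect(with_header, "10.0.0.5"))   # header from an untrusted peer
```

Without the header the user who arrived over https is redirected to an http URL, which is the broken login flow; with the header set by the trusted proxy the redirect stays on https.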

In summary, if you have to use Classic ELB:

For a normal http service (no websocket, no http2), just use Classic ELB in HTTP mode.

For a mixed http service (http with websocket):

  • if you do not need https (who does not need it today?), just use Classic ELB in TCP mode
  • if you need https, use Classic ELB in TCP mode with the SSL certificate configured, plus an internal Nginx instance to add the needed x-forwarded-proto header. Of course, some backend servers support setting the protocol (https) manually; in that case you do not need Nginx, just add the config to the backend services to force https as the protocol.
