Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Configure Proxy Protocol Support for Your Load Balancer

Proxy Protocol is an Internet protocol used to carry connection information from the source requesting the connection to the destination for which the connection was requested. Elastic Load Balancing uses Proxy Protocol version 1, which uses a human-readable header format.

By default, when you use Transmission Control Protocol (TCP) or Secure Sockets Layer (SSL) for both front-end and back-end connections, your load balancer forwards the request to the back-end instances without modifying the request headers. If you enable Proxy Protocol, a human-readable header is added to the request header with connection information such as the source IP address, destination IP address, and port numbers. The header is then sent to the back-end instance as part of the request.

You can enable Proxy Protocol on ports that use either the SSL or the TCP protocol. You can use Proxy Protocol to capture the source IP of your client when you are using a non-HTTP protocol, or when you are using HTTPS and not terminating the SSL connection on your load balancer.

Note

The AWS Management Console does not support enabling Proxy Protocol.

Proxy Protocol Header

The Proxy Protocol header helps you identify the IP address of a client when you use a load balancer configured for TCP/SSL connections. Because load balancers intercept traffic between clients and your back-end instances, the access logs from your back-end instance contain the IP address of the load balancer instead of the originating client. The header line is sent before any application data, so your back-end instance can parse the first line of the connection to retrieve your client's IP address and port number.

The address of the proxy in the header for IPv6 is the public IPv6 address of your load balancer. This IPv6 address matches the IP address that is resolved from your load balancer's DNS name, which begins with either ipv6 or dualstack. If the client connects with IPv4, the address of the proxy in the header is the private IPv4 address of the load balancer, which is not resolvable through a DNS lookup outside of the EC2-Classic network.

The Proxy Protocol line is a single line that ends with a carriage return and line feed ("\r\n"), and has the following form:

PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"

Example: IPv4

The following is an example of the Proxy Protocol line for IPv4.

PROXY TCP4 198.51.100.22  203.0.113.7  35646  80\r\n

Example: IPv6 (EC2-Classic only)

The following is an example of the Proxy Protocol line for IPv6.

PROXY TCP6 2001:DB8::21f:5bff:febf:ce22:8a2e 2001:DB8::12f:8baa:eafc:ce29:6b2e 35646  80\r\n
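The following is an added example, not code from this guide or from Elastic Load Balancing, showing how a back-end instance can consume the header line described above. It parses a version 1 line (TCP4, TCP6 and PROXY UNKNOWN), rejects anything that does not match the format (no CRLF within the 107-byte limit, an address of the wrong family, an out-of-range port), hands back the application data that follows the CRLF, and honours the line only when the TCP peer is inside a trusted network. The trusted network, the peer addresses and the payloads are assumptions constructed for the example; the two sample lines are the ones shown on this page.

```python
# Added example: a receiver for Proxy Protocol v1 lines as sent by an
# Elastic Load Balancing TCP/SSL listener. Not part of the ELB guide.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Longest permitted Proxy Protocol v1 line, CRLF included (v1 specification).
MAX_V1_LINE = 107

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class ProxyProtocolError(ValueError):
    """The connection does not begin with a well-formed v1 line."""


@dataclass(frozen=True)
class ProxyInfo:
    family: str            # "TCP4" or "TCP6"
    client_ip: IPAddress   # original client, as seen by the load balancer
    proxy_ip: IPAddress    # address of the load balancer
    client_port: int
    proxy_port: int


def _port(raw: bytes) -> int:
    # Decimal digits only, 0-65535; sign, hex or an empty field is malformed.
    if not raw.isdigit() or int(raw) > 65535:
        raise ProxyProtocolError(f"bad port {raw!r}")
    return int(raw)


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Parse the Proxy Protocol v1 line at the start of a connection.

    Returns (info, rest): info describes the original endpoints (None for
    a "PROXY UNKNOWN" line) and rest is the application data that follows
    the CRLF. Raises ProxyProtocolError for anything that is not a valid
    v1 line, so the caller can close the connection instead of guessing.
    """
    # The CRLF must fall within the first 107 bytes; a missing, overlong or
    # unterminated line is rejected, never treated as application data.
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyProtocolError("no CRLF-terminated PROXY line within 107 bytes")
    line, rest = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ProxyProtocolError(f"connection does not start with PROXY: {line[:16]!r}")
    # The specification mandates single spaces; the examples on this page show
    # double spaces, so runs of spaces are tolerated (split() collapses them).
    fields = line.split()
    if len(fields) < 2:
        raise ProxyProtocolError("missing address family")
    family = fields[1].decode("ascii", "replace")
    if family == "UNKNOWN":
        # The sender could not determine the original addresses. The receiver
        # must ignore the rest of the line and use its own TCP peer address.
        return None, rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyProtocolError(f"malformed PROXY line: {line!r}")
    want = 4 if family == "TCP4" else 6
    try:
        client = ipaddress.ip_address(fields[2].decode("ascii"))
        proxy = ipaddress.ip_address(fields[3].decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyProtocolError(f"bad address in PROXY line: {exc}") from exc
    if client.version != want or proxy.version != want:
        raise ProxyProtocolError(f"{family} line carries an address of the wrong family")
    info = ProxyInfo(family, client, proxy, _port(fields[4]), _port(fields[5]))
    return info, rest


def is_well_formed(data: bytes) -> bool:
    """True when data starts with a valid v1 line (including PROXY UNKNOWN)."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyProtocolError:
        return False


def effective_client(peer_ip: str, data: bytes, trusted_nets: Tuple[str, ...]):
    """Decide which client address a listener should log and enforce on.

    The PROXY line is honoured only when the TCP peer is the load balancer
    (inside one of trusted_nets, e.g. the VPC subnets it lives in). Anyone
    else who can reach the instance port could otherwise forge a line and
    spoof an arbitrary client IP, so such connections are rejected outright.
    Returns (client_ip, client_port, rest); client_port is None for UNKNOWN.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_nets):
        raise ProxyProtocolError(f"PROXY line from untrusted peer {peer_ip}")
    info, rest = parse_proxy_v1(data)
    if info is None:
        return peer_ip, None, rest
    return str(info.client_ip), info.client_port, rest
```

A listener would call effective_client on the first bytes read from each accepted socket, pass rest on to the application-protocol handler, and close the connection on ProxyProtocolError. Rejecting rather than falling back to the peer address matters: if the instance port is only ever reached through the load balancer, a connection without a valid line is itself a sign that the port is reachable from somewhere it should not be.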

Prerequisites for Enabling Proxy Protocol

Before you begin, do the following:

  • Confirm that your load balancer is not behind a proxy server with Proxy Protocol enabled. If Proxy Protocol is enabled on both the proxy server and the load balancer, the load balancer adds another header to the request, which already has a header from the proxy server. Depending on how your back-end instance is configured, this duplication might result in errors.

  • Confirm that your back-end instances can process the Proxy Protocol information, and that they accept it only from the load balancer. A back-end that honours a PROXY line from any peer lets anyone who can reach the instance port present an arbitrary client IP address, so restrict the instance port to the load balancer (for example, with the instance's security group).

Enable Proxy Protocol Using the AWS CLI

To enable Proxy Protocol, you need to create a policy of the type ProxyProtocolPolicyType and then set the policy to the back-end instance port.

Use the following procedure to create a new policy for your load balancer of type ProxyProtocolPolicyType, set the newly created policy to the back-end instance on port 80, and verify that the policy is enabled.

To enable proxy protocol for your load balancer

  1. (Optional) Use the following describe-load-balancer-policy-types command to list the policies supported by Elastic Load Balancing:

    aws elb describe-load-balancer-policy-types

    The response includes the names and descriptions of the supported policy types. The following shows the output for the ProxyProtocolPolicyType type:

    {
        "PolicyTypeDescriptions": [
            ...
            {
                "PolicyAttributeTypeDescriptions": [
                    {
                        "Cardinality": "ONE",
                        "AttributeName": "ProxyProtocol",
                        "AttributeType": "Boolean"
                    }
                ],
                "PolicyTypeName": "ProxyProtocolPolicyType",
                "Description": "Policy that controls whether to include the IP address and port of the originating request for TCP messages. This policy operates on TCP/SSL listeners only"
            },
            ...
        ]
    }
  2. Use the following create-load-balancer-policy command to create a policy that enables Proxy Protocol:

    aws elb create-load-balancer-policy --load-balancer-name my-loadbalancer --policy-name my-ProxyProtocol-policy --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true
  3. Use the following set-load-balancer-policies-for-backend-server command to enable the newly created policy on the specified port. Note that this command replaces the current set of enabled policies. Therefore, the --policy-names option must specify both the policy that you are adding to the list and any currently enabled policies.

    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name my-loadbalancer --instance-port 80 --policy-names my-ProxyProtocol-policy my-SSLNegotiation-policy
  4. (Optional) Use the following describe-load-balancers command to verify that Proxy Protocol is enabled:

    aws elb describe-load-balancers --load-balancer-name my-loadbalancer

    The response includes the following information, which shows that the my-ProxyProtocol-policy policy is associated with port 80.

    {
        "LoadBalancerDescriptions": [
            {
                ...
                "BackendServerDescriptions": [
                    {
                        "InstancePort": 80, 
                        "PolicyNames": [
                            "my-ProxyProtocol-policy"
                        ]
                    }
                ], 
                ...
            }
        ]
    }

Disable Proxy Protocol Using the AWS CLI

You can disable the policies associated with your back-end instance and then enable them at a later time.

To disable the Proxy Protocol policy

  1. Use the following set-load-balancer-policies-for-backend-server command to disable the Proxy Protocol policy by omitting it from the --policy-names option, but including the other policies that should remain enabled.

    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name my-loadbalancer --instance-port 80 --policy-names my-SSLNegotiation-policy

    If there are no other policies to enable, specify an empty string with --policy-names option as follows:

    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name my-loadbalancer --instance-port 80 --policy-names "[]"
  2. (Optional) Use the following describe-load-balancers command to verify that the policy is disabled:

    aws elb describe-load-balancers --load-balancer-name my-loadbalancer

    The response includes the following information, which shows that no ports are associated with a policy.

    {
        "LoadBalancerDescriptions": [
            {
                ...
                "BackendServerDescriptions": [],
                ...
            }
        ]
    }
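The following is an added example, not code from this guide or from the AWS CLI, covering both procedures above. It consumes the JSON that describe-load-balancers and describe-load-balancer-policies return, computes the complete --policy-names list that set-load-balancer-policies-for-backend-server needs (the call replaces the whole set, so existing policies must be carried along when enabling, and only the Proxy Protocol policy dropped when disabling, with "[]" for an empty set), and verifies not just that a policy is attached to the port but that it is a ProxyProtocolPolicyType whose ProxyProtocol attribute is true. The two JSON samples are constructed for the example in the shape of the CLI output; the policy names are the placeholders used on this page, and the pre-existing SSL negotiation policy on port 80 is assumed.

```python
# Added example: helpers for checking and updating the back-end server
# policies of a classic load balancer. Not part of the ELB guide or the CLI.
import json

# Constructed sample of `aws elb describe-load-balancers` output: port 80
# already carries an SSL negotiation policy that must survive the change.
DESCRIBE_LBS = json.loads("""
{"LoadBalancerDescriptions": [{
    "LoadBalancerName": "my-loadbalancer",
    "BackendServerDescriptions": [
        {"InstancePort": 80, "PolicyNames": ["my-SSLNegotiation-policy"]}
    ]
}]}""")

# Constructed sample of `aws elb describe-load-balancer-policies` output
# for the policy created in step 2. The attribute value is the string "true".
DESCRIBE_POLICIES = json.loads("""
{"PolicyDescriptions": [{
    "PolicyName": "my-ProxyProtocol-policy",
    "PolicyTypeName": "ProxyProtocolPolicyType",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "ProxyProtocol", "AttributeValue": "true"}
    ]
}]}""")


def backend_policies(describe_lbs: dict, lb_name: str, port: int) -> list:
    """Policy names currently enabled on one back-end instance port."""
    for lb in describe_lbs["LoadBalancerDescriptions"]:
        if lb["LoadBalancerName"] != lb_name:
            continue
        for backend in lb.get("BackendServerDescriptions", []):
            if backend["InstancePort"] == port:
                return list(backend["PolicyNames"])
        return []  # load balancer found, nothing set on this port
    raise KeyError(f"load balancer {lb_name!r} not in describe output")


def policy_names_for_backend(describe_lbs: dict, lb_name: str, port: int,
                             add=(), remove=()) -> list:
    """Full --policy-names value for set-load-balancer-policies-for-backend-server.

    The call replaces the whole set on the port, so the list carries every
    currently enabled policy that is not being removed, then the additions.
    An empty result is returned as ["[]"], the AWS CLI spelling of an empty list.
    """
    names = [p for p in backend_policies(describe_lbs, lb_name, port) if p not in remove]
    names += [p for p in add if p not in names]
    return names or ["[]"]


def proxy_protocol_active(describe_lbs: dict, describe_policies: dict,
                          lb_name: str, port: int) -> bool:
    """True only if a policy attached to the port is a ProxyProtocolPolicyType
    with ProxyProtocol=true. Step 4 on the page checks the policy name alone;
    this also checks the attribute, which is what actually turns the header on.
    """
    attached = set(backend_policies(describe_lbs, lb_name, port))
    for pol in describe_policies["PolicyDescriptions"]:
        if pol["PolicyName"] not in attached:
            continue
        if pol["PolicyTypeName"] != "ProxyProtocolPolicyType":
            continue
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in pol["PolicyAttributeDescriptions"]}
        if attrs.get("ProxyProtocol", "").lower() == "true":
            return True
    return False


def set_backend_policies_argv(lb_name: str, port: int, policy_names: list) -> list:
    """argv for the CLI call, suitable for subprocess.run (not executed here)."""
    return ["aws", "elb", "set-load-balancer-policies-for-backend-server",
            "--load-balancer-name", lb_name, "--instance-port", str(port),
            "--policy-names", *policy_names]


if __name__ == "__main__":
    enable = policy_names_for_backend(DESCRIBE_LBS, "my-loadbalancer", 80,
                                      add=("my-ProxyProtocol-policy",))
    print(" ".join(set_backend_policies_argv("my-loadbalancer", 80, enable)))
    disable = policy_names_for_backend(DESCRIBE_LBS, "my-loadbalancer", 80,
                                       remove=("my-SSLNegotiation-policy",))
    print(" ".join(set_backend_policies_argv("my-loadbalancer", 80, disable)))
```

In practice the two describe outputs come from `aws elb describe-load-balancers --load-balancer-name my-loadbalancer` and `aws elb describe-load-balancer-policies --load-balancer-name my-loadbalancer`, loaded with json.loads; the attribute check is worth running after step 3, because a ProxyProtocolPolicyType policy created with AttributeValue=false attaches to the port just as cleanly and adds no header.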