Join Log in
Score:0
Debabrata Mondal avatar Server

Secure websocket connection to server running on EC2 fails

us flag
Debabrata Mondal

I have a node.js websocket server running on an EC2 instance on port 8080. Normal websocket connections (ws://) work fine but when I'm trying to make a secure connection (wss://), the websocket connection fails.

I realise that wss requests are sent to port 443, so I'm using ALB to forward requests on port 443 to port 8080. Since I'm very new to AWS I don't know if I'm doing this properly. Here's what I have done.

  1. Node.js server listening on port 8080 in an EC2 instance.
  2. These are the inbound security rules to that EC2 instance

Inbound security rules

  1. An application load balancer with listener HTTPS: 443 It forwards it to my EC2 instance on port 8080 using HTTPS protocol. I have also attached an SSL certificate to the ALB.

I just cannot figure out what I'm doing wrong. Any help is appreciated.

UPDATE:

  1. I have created two security groups (ec2-sg and alb-sg) and configured them such that ec2-sg receives traffic from alb-sg.

Inbound security rules (alb-sg)

Outbound security rule (alb-sg)

Inbound security rules (ec2-sg)

However, I cannot get it to work. The target group passes the health check, I have enabled sticky session but the websocket connection keeps failing. The normal ws connection which used to work has also stopped working. This leads me to believe that I'm messing something up with the ALB (since it is working without the load balancer)

Update 2:

I enabled access logs for my load balancer. Here's the log:

https 2021-10-08T08:55:39.157549Z app/alb-latest/3e73469ba9514449 167.94.138.60:32854 172.31.93.226:8080 -1 -1 -1 502 - 41 1215 
"GET https://3.208.76.74:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:144045735746:targetgroup/ec2-8080-server/2cbf4f7eb51c201e 
"Root=1-6160078b-606aed86364c5e3f7db627f1" "-" "arn:aws:acm:us-east-1:144045735746:certificate/53a04011-1ea7-4689-b6c6-a7372e42191d" 0 2021-10-08T08:55:39.156000Z 
"forward" "-" "-" "172.31.93.226:8080" "-" "-" "-"

ALB Basic configuration 1

ALB Basic configuration 2

ALB Listeners I have also enabled group-level stickiness on the target group for 1 day

Target group details

803
0 + 0
Tim avatar
gp flag
Tim
Are the ALB and the EC2 instance both in the same security group? Generally you should have one SG for each, and the EC2 SG should allow ingress from the ALB SG.
0
Reply
Debabrata Mondal avatar
us flag
Debabrata Mondal
@Tim They were in the same security group, yes. I have changed that now but it still does not work. Could you take a look at the updates i posted?
0
Reply
Tim avatar
gp flag
Tim
Your security groups look ok to me, though I can't check things like IDs. Two things to do 1) Enable access logs on ALB and target and check that requests hit the ALB and the server - if it's easier you can install a standard web server on port 80 for testing. Then once that's done 2) Edit your post to show the important parts of the ALB configuration.
0
Reply
Debabrata Mondal avatar
us flag
Debabrata Mondal
@Tim I have edited the post. Do you need any other info?
0
Reply
Tim avatar
gp flag
Tim
Read my last comment again. Don't just give us the logs, you need to understand them, check the logs on the web server, and make sure the request is getting through. If it's not you could set up Nginx / Apache and try it with a more widely understood protocol to check things are generally working. I think you might be best off getting a professional in, we can provide help but I think you need more help than we can give.
0
Reply
cn flag
shearn89
Your ALB SG is only allowing port 8080 outbound to another SG - it won't be able to send the response to your client. Remove the outbound rule and focus on inbound rules for now - security groups are stateful so the outbound is not required and adds complication.
0
Reply
Debabrata Mondal avatar
us flag
Debabrata Mondal
Thank you @shearn89 that makes a lot sense!
0
Reply
Score:0
avatar Server
cn flag
shearn89

Just copying and pasting my comment into an answer in case it solves the issue.

The ALB SG is only allowing port 8080 outbount to another SG. This means it won't be able to send the response to the client, which will be listening on some random port that is not 8080. Best approach is to remove the outbound rules and focus on inbound rules - security groups are stateful so outbound rules are not necessarily required and add complication!

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.