Random EC2 notes
- Comments welcome!! This is my first foray into EC2 land, so there may be better ways of doing these things.
Load Balancer
- The health check interval only accepts values to a precision of 1/10 of a minute
- If you put "0.33" for example, saving the LB will fail with "Error: MalformedInput: undefined"
- You need to open the port you're using for health checks in your Security Group or the check will fail
- I don't yet know how to restrict access to -only- the internal LB addresses, so I used "10.0.0.0/8" to at least restrict to the internal network.
- Combined with the User-Agent check below, it's OK security.
The HTTP health checker doesn't like anything except 200s.
If you have a password-protected site, allow the load balancer with something like this:
    # Let the health checker check our health
    SetEnvIf User-Agent ^ELB-HealthChecker IsHealthCheck=1
    ...
    <Location />
        ...
        AuthType Basic
        AuthName Restricted
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
        Order deny,allow
        Deny from all
        Allow from env=IsHealthCheck
        # Grant access when either the env check or Basic auth passes;
        # the default (Satisfy All) would require both
        Satisfy Any
    </Location>
If you set up your LB to handle SSL, and forward 80 and 443 to your webserver on port 80, you can use these headers to determine whether the original incoming connection was over SSL:

    X-Forwarded-Port: 443
    X-Forwarded-Proto: https
- If you're performing IP-based authorization on your webservers, you'll need something like mod_extract_forwarded to process the X-Forwarded-For headers for you:
- http://www.openinfo.co.uk/apache/
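
The address selection that IP-based authorization behind the LB depends on, as an added Python example (not code from this page or from mod_extract_forwarded). It assumes each proxy appends the address it saw to the right end of X-Forwarded-For and that 10.0.0.0/8, the range used in the Security Group rule above, is where the LB connects from; `client_ip` is a hypothetical helper name.

```python
import ipaddress

# Assumption: the load balancer reaches the web server from this range
# (the Security Group rule in these notes uses 10.0.0.0/8).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to authorize on, or None if it cannot be determined.

    peer       -- source address of the TCP connection to the web server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A peer outside the proxy range reached us directly: any
    # X-Forwarded-For it sent is client-controlled, so ignore it.
    if not _trusted(peer_addr) or not xff_header:
        return peer_addr
    # Walk right to left and stop at the first hop that is not one of our
    # proxies. Entries further left were supplied by the client and are
    # never consulted.
    candidate = peer_addr
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: caller should deny
        if not _trusted(candidate):
            return candidate
    # Every hop was internal: the request originated inside the network.
    return candidate


if __name__ == "__main__":
    # Constructed sample: the client forged an internal address on the left.
    print(client_ip("10.0.5.20", "10.9.9.9, 198.51.100.7"))
```

Taking the left-most entry instead would let any client claim an internal address simply by sending its own X-Forwarded-For header.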