Configuring Websockets behind an AWS ELB

2015-07-20

Recently at work, we were trying to get an application that uses websockets working on an AWS instance behind an ELB (load balancer) and nginx on the instance.

If you’re either not using a secure connection or handling the cryptography on the instance (either in nginx or Flask), it works right out of the box. But if you want the ELB to handle TLS termination it doesn’t work nearly as well… Luckily, after a bit of fiddling, I got it working.

Update 2018-05-31: A much easier solution, [https://aws.amazon.com/blogs/aws/new-aws-application-load-balancer/](just use an ALB):

WebSocket allows you to set up long-standing TCP connections between your client and your server. This is a more efficient alternative to the old-school method which involved HTTP connections that were held open with a “heartbeat” for very long periods of time. WebSocket is great for mobile devices and can be used to deliver stock quotes, sports scores, and other dynamic data while minimizing power consumption. ALB provides native support for WebSocket via the ws:// and wss:// protocols.

Performance problems with Flask and Docker

2015-04-03

I had an interesting problem recently on a project I was working on. It’s a simple Flask-based webapp, designed to be deployed to AWS using Docker. The application worked just fine when I was running it locally, but as soon as I pushed the docker container…

Latency spikes. Bad enough that the application was failing AWS’s healthy host checks, cycling in and out of existence¹:

A "one" line echo server using let in Racket

2014-11-13

A recent post on Reddit caught my attention: A “One” Line Echo Server Using “let” in Python (original article). The basic idea is that you can use Python’s lambda with default arguments as a let, which in turn allows you to write a simple echo server in ~~one line~~ a nicely functional style.

Large scale asynchronous DNS scans

2013-09-27

On Monday we laid out a framework for converting structures into bytes. On Wednesday, we used that to enhance Racket’s UDP and DNS capabilities. Today, we’re going to take that all one step further and scan large portions of the Internet. The end goal will be to look for DNS-based on a worldwide scale.

Extending Racket's DNS capabilities

2013-09-25

As I mentioned on Monday, I wrote my DNS-based censorship around the world–and to do that, I need a fair bit of control over the DNS packets that I’m sending back and over parsing the ones that I get back.

ISMA 2013 AIMS-5 - DNS Based Censorship

2013-02-09

I gave a presentation about research that I’m just starting out studying DNS-based censorship in specific around the world. In particularly, preliminary findings in China have confirmed that the Great Firewall is responding via packet injection to many queries for either Facebook or Twitter (among others). Interestingly, the pool of IPs that they return is consistent yet none of the IPs seem to resolve to anything interesting. In addition, there is fallout in South Korea where some percentage of packets go through China and thus have the same behaviors.

AIMS-5 - Day 3

2013-02-09

Yesterday was the third and final day of AIMS-5. With the main topic being Detection of Censorship, Filtering, and Outages, many of these talks were much more in line with what I know and what I’m working on. I gave my presentation as well, you can see it (along with a link to my slides) down below.

AIMS-5 - Day 2

2013-02-08

Today’s agenda had discussions on Mobile Measurements and IPv6 Annotations, none of which are areas that I find myself particularly interested in. Still, I did learn a few things.

AIMS-5 - Workshop on Active Internet Measurements

2013-02-07

Yesterday was the first of three days for the fifth annual ISC/CAIDA Workshop I went to in Baltimore back in October at least, but even the ones that weren’t have still been interesting.

I’ll be presenting on Friday and I’ll share my slides when I get that far (they aren’t actually finished yet). I’ll be talking about new work that I’m just getting off the ground focusing specifically on DNS-based censorship. There is a lot of interesting ground to cover there and this should be only the first in a series of updates about that work (I hope).

Scanning for DNS resolvers

2013-01-31

For a research project I’m working on, it has become necessary to scan potentially large IPv4 prefixes in order to find any DNS revolvers that I can and classify them as either open (accepting queries from anyone) or closed.

Disclaimer: This is a form of port scanning and thus has associated ethical and legal considerations. Use it at your own risk.

This project is available on GitHub: jpverkamp/dnsscan