Configuring Websockets behind an AWS ELB

Recently at work, we were trying to get an application that uses websockets working on an AWS instance behind an ELB (load balancer) and nginx on the instance.

If you’re either not using a secure connection or handling the cryptography on the instance (either in nginx or Flask), it works right out of the box. But if you want the ELB to handle TLS termination it doesn’t work nearly as well… Luckily, after a bit of fiddling, I got it working.

Update 2018-05-31: A much easier solution, https://aws.amazon.com/blogs/aws/new-aws-application-load-balancer/:

WebSocket allows you to set up long-standing TCP connections between your client and your server. This is a more efficient alternative to the old-school method which involved HTTP connections that were held open with a “heartbeat” for very long periods of time. WebSocket is great for mobile devices and can be used to deliver stock quotes, sports scores, and other dynamic data while minimizing power consumption. ALB provides native support for WebSocket via the ws:// and wss:// protocols.


Performance problems with Flask and Docker

I had an interesting problem recently on a project I was working on. It’s a simple Flask-based webapp, designed to be deployed to AWS using Docker. The application worked just fine when I was running it locally, but as soon as I pushed the docker container…

Latency spikes. Bad enough that the application was failing AWS’s healthy host checks, cycling in and out of existence:


ISMA 2013 AIMS-5 - DNS Based Censorship

I gave a presentation about research that I’m just starting out, studying DNS-based censorship specifically around the world. In particular, preliminary findings in China have confirmed that the Great Firewall is responding via packet injection to many queries for either Facebook or Twitter (among others). Interestingly, the pool of IPs that they return is consistent, yet none of the IPs seem to resolve to anything interesting. In addition, there is fallout in South Korea, where some percentage of packets go through China and thus have the same behaviors.

AIMS-5 - Day 3

Yesterday was the third and final day of AIMS-5. With the main topic being Detection of Censorship, Filtering, and Outages, many of these talks were much more in line with what I know and what I’m working on. I gave my presentation as well; you can see it (along with a link to my slides) down below.


AIMS-5 - Day 2

Today’s agenda had discussions on Mobile Measurements and IPv6 Annotations, none of which are areas that I find myself particularly interested in. Still, I did learn a few things.


AIMS-5 - Workshop on Active Internet Measurements

Yesterday was the first of three days for the fifth annual ISC/CAIDA Workshop I went to in Baltimore back in October at least, but even the ones that weren’t have still been interesting.

I’ll be presenting on Friday and I’ll share my slides when I get that far (they aren’t actually finished yet). I’ll be talking about new work that I’m just getting off the ground focusing specifically on DNS-based censorship. There is a lot of interesting ground to cover there and this should be only the first in a series of updates about that work (I hope).


Scanning for DNS resolvers

For a research project I’m working on, it has become necessary to scan potentially large IPv4 prefixes in order to find any DNS resolvers that I can and classify them as either open (accepting queries from anyone) or closed.

Disclaimer: This is a form of port scanning and thus has associated ethical and legal considerations. Use it at your own risk. 

This project is available on GitHub: jpverkamp/dnsscan