Meteor on AWS using Mup - SSL with ELB


I'm migrating my Meteor app to AWS and want to use an ACM-issued SSL cert attached to an ELB. My current setup is:

  • ELB with ACM SSL cert (verified that load balancing and HTTPS are working on a simple HTTP server inside an EC2 Ubuntu machine)
  • Meteor up is deployed on the EC2 machine using Mup (please see my mup.js, which works well with the SSL cert physically available from the file system)

I want to stop using the reverse proxy from the mup.js config completely and let the ELB run all the SSL stuff. The problem is that the ELB is not able to communicate with Meteor up. I have tried different ROOT_URLs but none are working:

What should I put for ROOT_URL, and is it a game changer in accepting requests? I.e., if I have the wrong ROOT_URL, will Meteor still be able to accept incoming requests?

  • Mup version: 1.4.3
  • Meteor version: 1.6.1

Mup config

module.exports = {
  servers: {
    one: {
      host: 'ec2-111111.compute-1.amazonaws.com',
      username: 'ubuntu',
      pem: 'path to pem'
    }
  },
  meteor: {
    name: 'my-app',
    path: 'path',
    servers: {
      one: {}
    },
    buildOptions: {
      serverOnly: true,
    },
    env: {
      ROOT_URL: 'https://ec2-111111.compute-1.amazonaws.com',
      MONGO_URL: 'mongo url',
    },
    dockerImage: 'abernix/meteord:node-8.9.1-base',
    deployCheckWaitTime: 30,
  },
  proxy: {
    domains: 'ec2-111111.compute-1.amazonaws.com,www.ec2-111111.compute-1.amazonaws.com',
    ssl: {
      crt: './cert.pem',
      key: './key.pem'
    }
  }
};

Solution

  • Resolved. The first and general issue was that I was using a classic ELB, which doesn't support WebSockets and was preventing the DDP connection. The newer Application Load Balancer, which comes with WebSocket and Sticky Sessions support, helped. More on the difference here: https://aws.amazon.com/elasticloadbalancing/details/#details

    Another issue, more specific to my use case, was having no endpoint for the ELB health check. I was hiding/securing everything behind basic_auth, so the health check was getting 403 unauthorized, failing, and not registering the EC2 instance in the ELB. Make sure you have an endpoint for the health check that returns 200 OK, and also revisit your security groups: check the inbound rules and make sure the ELB has access to the corresponding ports on the EC2 instance (80, 443, etc.).
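
The health-check point from the answer above, as an added example that is not part of the original post: a connect-style middleware that keeps everything behind Basic auth except one exact health-check path, which answers 200 OK and exposes no application data. The path `/healthz`, the function names and the credentials are assumptions made for illustration; in a Meteor app a handler of this shape would typically be mounted with `WebApp.connectHandlers.use(...)`.

```javascript
// Added example: Basic auth on every route except one exact health-check path.
// '/healthz' and all names here are hypothetical; credentials come from the caller.

// Compare two strings without exiting early on the first mismatching byte.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

function protectExceptHealth({ user, pass, healthPath = '/healthz' }) {
  return function (req, res, next) {
    // Match the path exactly (query string ignored). A prefix match would also
    // exempt paths such as '/healthz/admin' from authentication.
    const path = String(req.url || '').split('?')[0];
    const readOnly = req.method === 'GET' || req.method === 'HEAD';
    if (path === healthPath && readOnly) {
      // Static body only: the load balancer needs the status code, nothing else.
      res.writeHead(200, { 'Content-Type': 'text/plain', 'Cache-Control': 'no-store' });
      return res.end(req.method === 'HEAD' ? undefined : 'OK');
    }

    // Every other request must carry valid Basic credentials.
    const header = (req.headers && req.headers.authorization) || '';
    const [scheme, token] = header.split(' ');
    if (scheme === 'Basic' && token) {
      const decoded = Buffer.from(token, 'base64').toString('utf8');
      const sep = decoded.indexOf(':');
      const okUser = safeEqual(decoded.slice(0, sep), user);
      const okPass = safeEqual(decoded.slice(sep + 1), pass);
      if (sep > 0 && okUser && okPass) return next();
    }
    res.writeHead(401, { 'WWW-Authenticate': 'Basic realm="app"' });
    res.end('Unauthorized');
  };
}
```

Point the load balancer's health check at the same path, and keep the instance's security group limited to traffic from the load balancer so the unauthenticated endpoint is not reachable directly.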