
NGINX Load Balancing a Turn Server


I am attempting to put a Load Balancer in front of a Turn Server for use with WebRTC. I am using one turn server in my examples below until I get the load balancer working. The turn server requires multiple ports including one UDP as listed below:

I have attempted to place an Amazon Elastic Load Balancer (AWS ELB) in front of the Turn Server, but it does not support the UDP port. So I am now running Ubuntu on an EC2 Instance with all these ports open and I have installed NGINX.

I've edited the /etc/nginx/nginx.conf file and added a "stream" section to it with both upstream and servers for each port. However, it does not appear to be passing the traffic correctly.

stream {
    # IPv4 Section
    upstream turn_tcp_3478 {
        server 192.168.1.100:3478;
    }
    upstream turn_tcp_3479 {
        server 192.168.1.100:3479;
    }
    upstream turn_upd_3478 {
        server 192.168.1.100:3478;
    }

    # IPv6 Section
    upstream turn_tcp_ipv6_3478{
        server [2600:myaw:esom:e:ipv6:addr:eswo:ooot]:3478;
    }
    upstream turn_tcp_ipv6_3479{
        server [2600:myaw:esom:e:ipv6:addr:eswo:ooot]:3479;
    }
    upstream turn_udp_ipv6_3478{
        server [2600:myaw:esom:e:ipv6:addr:eswo:ooot]:3478;
    }

    server {
        listen 3478; # tcp

        proxy_pass turn_tcp_3478;
    }
    server {
        listen 3479; # tcp
        proxy_pass turn_tcp_3479;
    }
    server {
        listen 3478 udp;
        proxy_pass turn_upd_3478;
    }
    server {
        listen [::]:3478;
        proxy_pass turn_tcp_ipv6_3478;
    }
    server {
        listen [::]:3479;
        proxy_pass turn_tcp_ipv6_3479;
    }
    server {
        listen [::]:3478 udp;
        proxy_pass turn_udp_ipv6_3478;
    }
}

I have also created a custom load balancer configuration file at /etc/nginx/conf.d/load-balancer.conf and placed the following in it.

upstream turn_http {
    server 192.168.1.100;
}
upstream turn_https {
    server 192.168.1.100:443;
}

upstream turn_status {
    server 192.168.1.100:8080;
}

upstream turn_ipv6_http {
    server [2600:myaw:esom:e:ipv6:addr:eswo:ooot]:80;
}
upstream turn_ipv6_https {
    server [2600:myaw:esom:e:ipv6:addr:eswo:ooot]:443;
}

server {
    listen 80; 

    location / {
        proxy_pass http://turn_http;
    }
}

server {
    listen 443 ssl;

    server_name turn.awesomedomain.com;
    ssl_certificate /etc/ssl/private/nginx.ca-bundle;
    ssl_certificate_key /etc/ssl/private/nginx.key;

    location / {
        proxy_pass https://turn_https;
    }
}

server {
    listen 8080;

    location / {
        proxy_pass http://turn_status;
    }
}

server {
    listen [::]:80; 

    location / {
        proxy_pass http://turn_ipv6_http;
    }
}

server {
    listen [::]:443 ssl;

    server_name turn.awesomedomain.com;
    ssl_certificate /etc/ssl/private/nginx.ca-bundle;
    ssl_certificate_key /etc/ssl/private/nginx.key;

    location / {
        proxy_pass https://turn_ipv6_https;
    }
}

The http and https traffic appear to be working fine based on the custom load-balancer.conf file.

I am unsure why the TCP/UDP ports I have configured in the nginx.conf file are not working as intended.


Solution

  • Your configuration of the NGINX Load Balancer is fine.

    I suggest verifying the following:

    1. The security groups in your Amazon EC2 Turn Server instance should have matching inbound ports with your Load Balancer configuration.
    2. Check the configuration files on your turn server and verify that the ports it is listening on are the same ports as you are forwarding on your load balancer. For example, you have TCP 3479 being forwarded on your NGINX config. You need to make sure that the turn server is listening on that port.
    3. Lastly, you may also need to set up some iptables rules similar to what you have set up on your Turn Server. Review your Turn Server's configuration and see if you need to do any iptables or ip6tables configuration on the Load Balancer.
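
The port checks in steps 1 and 2 can be derived from the stream block itself. The following is an added example, not part of the original question or answer: it parses a constructed, trimmed copy of the stream configuration (the `2001:db8::10` address and the undefined upstream in the last server block are assumptions made for illustration) and lists every backend address, protocol and port that must be listening on the TURN server and allowed inbound by its security group, plus any `proxy_pass` target with no matching upstream.

```python
import re

# Constructed sample based on the question's stream block. The IPv6 address is
# a documentation placeholder, and the last server block deliberately names an
# upstream that is never defined, to show how that case is reported.
SAMPLE_CONF = """
stream {
    upstream turn_tcp_3478 { server 192.168.1.100:3478; }
    upstream turn_tcp_3479 { server 192.168.1.100:3479; }
    upstream turn_upd_3478 { server 192.168.1.100:3478; }
    upstream turn_tcp_ipv6_3478 { server [2001:db8::10]:3478; }
    server { listen 3478; proxy_pass turn_tcp_3478; }      # tcp
    server { listen 3479; proxy_pass turn_tcp_3479; }      # tcp
    server { listen 3478 udp; proxy_pass turn_upd_3478; }
    server { listen [::]:3478; proxy_pass turn_tcp_ipv6_3478; }
    server { listen [::]:3478 udp; proxy_pass turn_udp_ipv6_3478; }
}
"""

def parse_stream(conf):
    """Return (proto, listen_port, upstream_name, backend_servers) per server block."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments before matching
    upstreams = {}
    for name, body in re.findall(r"upstream\s+(\w+)\s*\{([^}]*)\}", conf):
        upstreams[name] = re.findall(r"server\s+([^;\s]+)", body)
    routes = []
    for body in re.findall(r"\bserver\s*\{([^}]*)\}", conf):
        listen = re.search(r"listen\s+([^;]+);", body)
        target = re.search(r"proxy_pass\s+([^;\s]+)", body)
        if not (listen and target):
            continue
        tokens = listen.group(1).split()
        proto = "udp" if "udp" in tokens else "tcp"   # stream listeners default to TCP
        port = int(tokens[0].rsplit(":", 1)[-1])      # handles "3478" and "[::]:3478"
        name = target.group(1)
        routes.append((proto, port, name, upstreams.get(name)))
    return routes

def backend_requirements(routes):
    """Backend (host, proto, port) tuples to allow and verify, plus undefined upstreams."""
    required, unresolved = set(), []
    for proto, _listen_port, name, servers in routes:
        if servers is None:
            unresolved.append(name)
            continue
        for server in servers:
            host, backend_port = server.rsplit(":", 1)
            required.add((host, proto, int(backend_port)))
    return sorted(required), unresolved

if __name__ == "__main__":
    required, unresolved = backend_requirements(parse_stream(SAMPLE_CONF))
    for host, proto, port in required:
        print(f"backend must listen and allow inbound: {host} {proto}/{port}")
    for name in unresolved:
        print(f"proxy_pass target has no upstream block: {name}")
```

Compare the printed list against the listening sockets on the TURN server and against its security group's inbound rules; any UDP entry missing from either side explains traffic that the TCP checks alone would not reveal.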