Thanks to http://garthkerr.com/multiple-ssl-domains-on-elb-with-nginx/
If the same ELB also serves plain HTTP on port 80 (as it most likely does), leave that listener alone: Proxy Protocol is only needed for the TCP pass-through listener that carries TLS, so existing HTTP traffic is unaffected when HTTPS is added to the ELB.
First, we need a (Classic) ELB. If you do not already have a load balancer, create one in the AWS console or with the AWS CLI (http://docs.aws.amazon.com/cli/latest/reference/elb/create-load-balancer.html). In the examples below the ELB is named acme-balancer and forwards to backend port 9443 on the instances.
Create the listener with TCP as both the Load Balancer Protocol and the Instance Protocol: the ELB then just forwards the encrypted bytes, and the application layer protocol (HTTPS) is not handled until the connection reaches nginx. In most cases the public port should be the standard 443. Because TLS terminates on the instance rather than on the ELB, the ELB's certificate and cipher settings do not apply here; protocol and cipher hardening has to be done in the nginx configuration.
# create proxy protocol policy
aws elb create-load-balancer-policy \
--load-balancer-name acme-balancer \
--policy-name EnableProxyProtocol \
--policy-type-name ProxyProtocolPolicyType \
--policy-attributes AttributeName=ProxyProtocol,AttributeValue=True
# add policy to elb
aws elb set-load-balancer-policies-for-backend-server \
--load-balancer-name acme-balancer \
--instance-port 9443 \
--policy-names EnableProxyProtocol
# verify that the policy is attached to backend port 9443
# (note the plural flag: --load-balancer-names)
aws elb describe-load-balancers --load-balancer-names acme-balancer \
--query 'LoadBalancerDescriptions[0].BackendServerDescriptions'
If several server blocks (virtual hosts) share a port, be aware that proxy_protocol is a parameter of the listening socket, not of the server block: once any listen directive for a port carries proxy_protocol, nginx expects the PROXY header on every connection to that port and refuses connections that do not start with one. Because that header is plain text chosen by whoever opens the connection, nginx only honours it from addresses listed in set_real_ip_from; keep that range as tight as the ELB's subnets allow, and use the instance's security group to admit port 9443 only from the ELB, otherwise any host that can reach the port bypasses the load balancer.
You do not have to use separate server blocks for the two ports (one block can carry both listen directives), but keeping them apart is good for testing ;)
# block for proxy traffic (TCP pass-through from the ELB)
server {
# port the elb is forwarding ssl traffic to; proxy_protocol applies to the whole
# listening socket, so every server block on 9443 must expect the header.
# Allow this port only from the ELB's security group, never from the internet.
listen 9443 ssl proxy_protocol;
# take the client ip from the PROXY header (requires ngx_http_realip_module) ...
real_ip_header proxy_protocol;
# ... but only from trusted peers: the aws vpc subnets the ELB nodes live in.
# Anything in this range can assert an arbitrary client address, so keep it narrow.
set_real_ip_from 10.0.0.0/16;
server_name acme.com www.acme.com;
# "ssl on;" is not needed (the ssl parameter on listen enables it) and is
# deprecated since nginx 1.15.0
ssl_certificate /etc/ssl/acme/acme.com.crt;
ssl_certificate_key /etc/ssl/acme/acme.com.key;
# TLS terminates here, not on the ELB, so ssl_protocols/ssl_ciphers hardening
# belongs in this block
}
# block for direct traffic (plain TLS, no PROXY header expected on this port)
server {
listen 443 ssl;
server_name acme.com www.acme.com;
ssl_certificate /etc/ssl/acme/acme.com.crt;
ssl_certificate_key /etc/ssl/acme/acme.com.key;
}
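To make concrete what nginx is doing on port 9443 (and why set_real_ip_from matters), here is an added example, not code from the original post or from nginx: a small parser for the PROXY protocol v1 line that the ELB prepends to each forwarded connection, combined with the same trust rule nginx applies, namely that the header is only believed when the TCP peer is inside the trusted range. The trusted CIDR, the peer addresses and the sample bytes are constructed for illustration.

```python
"""PROXY protocol v1 parsing with nginx's trust rule (added example, not from
the original post). The ELB prepends one ASCII line to each forwarded
connection, e.g. "PROXY TCP4 <client-ip> <elb-ip> <client-port> 9443\r\n",
and nginx only honours it when the TCP peer is inside set_real_ip_from.
All constants and sample bytes here are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: the range set_real_ip_from covers (the ELB's subnets).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]
MAX_V1_HEADER = 107  # the spec's upper bound for a v1 line, CRLF included


@dataclass
class ProxyHeader:
    family: str     # "TCP4" or "TCP6"
    src_addr: str   # original client address
    dst_addr: str   # address the client connected to (the ELB)
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyHeader], bytes]:
    """Strip a v1 header off `data`; return (header or None for UNKNOWN, rest).

    Raises ValueError when the header is missing or malformed: a socket
    declared with proxy_protocol must see the header on every connection,
    and nginx drops connections whose header does not parse.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY header unterminated or longer than 107 bytes")
    line, rest = data[:end].decode("ascii"), data[end + 2:]
    parts = line.split(" ")
    if parts[1] == "UNKNOWN":
        # Proxy could not determine the client; forward but trust nothing.
        return None, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {line!r}")
    _, fam, src, dst, sport, dport = parts
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sp, dp = int(sport), int(dport)
    except ValueError as exc:
        raise ValueError(f"bad address or port in PROXY line: {line!r}") from exc
    want = 4 if fam == "TCP4" else 6
    if s.version != want or d.version != want:
        raise ValueError("address family does not match TCP4/TCP6")
    # Reject leading zeros or signs (int() would accept "0080" and "+80")
    # and ports outside 1..65535.
    if (sport, dport) != (str(sp), str(dp)) or not (0 < sp < 65536 and 0 < dp < 65536):
        raise ValueError("port out of range or badly formatted")
    return ProxyHeader(fam, str(s), str(d), sp, dp), rest


def effective_client(peer_ip: str, header: Optional[ProxyHeader]) -> str:
    """Mirror `real_ip_header proxy_protocol` + `set_real_ip_from`.

    The header is honoured only when the TCP peer is a trusted proxy. A host
    reaching the backend port from outside the trusted range keeps its own
    address, so it cannot forge a client IP into logs or allow/deny rules.
    """
    peer = ipaddress.ip_address(peer_ip)
    if header is not None and any(peer in net for net in TRUSTED_PROXIES):
        return header.src_addr
    return peer_ip


def handle_connection(peer_ip: str, data: bytes) -> Tuple[str, bytes]:
    """Accept one connection on the proxy_protocol port: (client ip, payload).

    In the ELB setup on this page the payload is the client's TLS ClientHello,
    which nginx goes on to decrypt; here it is treated as opaque bytes.
    """
    header, payload = parse_proxy_v1(data)
    return effective_client(peer_ip, header), payload


def is_malformed(data: bytes) -> bool:
    """True when nginx would refuse the connection for a bad PROXY header."""
    try:
        parse_proxy_v1(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: ELB node 10.0.1.5 forwarding client 203.0.113.7,
    # followed by the first bytes of a TLS record.
    sample = b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 9443\r\n\x16\x03\x01"
    print(handle_connection("10.0.1.5", sample))      # trusted peer: client is 203.0.113.7
    print(handle_connection("198.51.100.9", sample))  # untrusted peer: header ignored
```

The second call in the `__main__` block is the case the security group should make impossible in the first place: a host outside the ELB's subnets talking straight to port 9443. The trust check keeps it from spoofing a client address, but it still bypasses the load balancer, which is why the port itself should only be reachable from the ELB.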