AWS ALB returns 464 for wss:// requests.

Question

I have an alb listening on http:80 and https:443. http redirects to https.
(user) -https-> ALB -http-> target_group:4000-> target:4000.
I am able to connect via https to my targets.
When I try to connect via wss: I get a 464 error.
I can connect via 
```
curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: my_app.com" -H "Origin: https://my_app.com/live/websocket" https://my_app.com/live/websocket
```
and I see the connection on my target.
What am I missing?

TLS version and cipher headers: Off
HTTP client keepalive duration: 3600 seconds
WAF fail open: Off (No WAF enabled)
HTTP/2: On
Connection idle timeout: 60 seconds
Desync mitigation mode: Defensive
Drop invalid header fields: Off
X-Forwarded-For header: Append
Client port preservation: On
Preserve host header: Off

Leo K · Accepted Answer

It's mentioned here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html#http-464-issues that the ALB isn't able to take a text-based HTTP/1.1 request and send it to a target group that uses the binary HTTP/2 protocol. If your clients aren't able to use HTTP/2 for some reason, it's probably best to set the target group to use HTTP/1.1 to match the requests.

All the protocol version combinations for ALBs are listed here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

Leo K · Answer

You're showing that the load balancer is enabled for HTTP/2. What's the corresponding protocol version selected for the target group?

AWS ALB returns 464 for wss:// requests.

Relevant content