I have:
ELB 1 with few ec2 instances attached:
- example.com
- subdomain1.example.com
- subdomain2.example.com
ELB 2 with few ec2 instances attached:
- subdomain3.example.com
subdomain4.example.com
All domains\subdomains should have https.
It is okay for me to keep non-secure connection between instances and load balancer.
Is this possible to have more than one subdomains on one loadbalancer or I have to keep one loadbalancer for one subdomain?
If all domains and subdomains should have HTTPS, your best move is to deploy a SSL certificate for those domains/subdomains in the ELB and configure SSL termination at it. That being said, you are able to add multiple SANs (Subject Alternative Names) to your SSL certificates, making your ELB respond to multiple domains/subdomains over HTTPS.
This way, the traffic between your ELBs and your instances won't be over HTTPS, but you said that is not a problem. Actually, this is pretty much the default configuration on ELBs when HTTPS is needed.
Related
I am very new to load balancers. I have just set one up that listens on SSL. I also created an EC2 instance and added it to the target group of the "Application Load Balancer". The target group is also connected by SSL.
I have installed apache on the EC2 instance and placed an index.html file in the /var/www/html directory.
I would have thought typing the load balancer associated domain address (www.example.com) would route me to the index.html file of the EC2 instance (which is the only target). However I am getting a Bad Gateway 502 error.
Initially I only had SSH inbound rule on the EC2. I opened up 443 for HTTPS but that didn't make a difference.
Do I need to install a certificate for the SSL on the EC2 as well as the load balancer? And do I need to open any additional ports?
Very new to this all and not sure how the load balancer communicates with the EC2 instance. Hoping that it would be internal so that the EC2 instance was not at all exposed in isolation.
So many things can go wrong here but (assuming that you have correctly configured the load balancer) I think what you have should work if you add HTTP listener to your load balancer, change your target group's protocol to HTTP (because the load balancer talks to the EC2 over HTTP), and then, add something like this to your .htaccess:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
You can read more here.
Install the SSL certificate on the load balancer instead of the EC2. The EC2 does not need its own SSL certificate.
Here are the steps to add HTTPS to a application load balancer:
When you try to set up HTTPS inbound to the load balancer it will give you a section called "ACM" click into that to get a SSL certificate
The ACM page will give you a section to create a new SSL certificate. You will need to input the domain name and some details, afterwards it will give you a CNAME record. You need to go to your domain's DNS settings to add that new CNAME record.
Once you create a SSL certificate with ACM you'll be able to use that on the load balancer, go back to the HTTPS listener and use that new SSL certificate
Then make sure your load balancer security group allows inbound to 443 port.
After that https should work on the load balancer
Note:
I would only set up https after I get http working first on the load balancer and it is directing to the right ec2.
Since the target group for http and https is the same, you want to make sure the target group is working before messing around with https.
That way you won't have two problems to deal with at the same time (https + incorrectly configured target groups/http). It'll allow to tackle each item step by step.
Hope that helps!
I'm trying to figure out the best way to manage HTTPS for an EB docker application.
At the moment I'm using the following approach.
ELB accepts HTTPS connections on 443, and forwards to HTTP port 80 on the instance.
ELB accepts HTTP connections on 80, and forwards to HTTP port 8080 on the instance.
Instance accepts HTTP connections on port 80 and forwards to docker app.
Instance accepts HTTP connections on port 8080 and redirects them to HTTPS.
This all works reasonably well. It means the docker app doesn't have to worry about redirects at all. It just listens on port 80, and does it's thing. The ELB and docker host do the rest.
My only concern with this setup, is the docker app doesn't know that it's running secure. If within my application I check for this, it'll fail.
I want to completely separate my docker app from domain names, and SSL certificates that may change, so I would prefer to continue terminating the original HTTPS connection at the ELB. I'm wondering if there is some way I can get the docker host (or ELB) to forward (re-encrypt) request in HTTPS protocol, but using a self-signed certificate, so I can keep it completely generic.
Just to be clear, this would only be between the ELB and/or docker host, and my docker app, not to the browser.
If I create a non-expiring self-signed certificate, and then register this with the web-server in the docker app (currently using Apache2, but could potentially use nginx), and then simply tell the ELB, or docker host to forward requests as HTTPS, will this work? Or would it fall over at some point because the certificate isn't trusted?
Or is there some way to be able to terminate a HTTPS connection at the docker app web-server without actually needing to pre-generate a certificate (I'm guessing no on this, as presumably it'd need to generate a certificate on the fly or something).
Is there a recommended best practice way to do this kind of thing?
A common solution when you have a load balancer terminating client connections and forwarding to backend is for the load balancer to add headers onto the backend requests to fill in any information stripped by having the load balancer there.
ELB has a page on this and uses the following headers:
X-Forwarded-For - The client IP
X-Forwarded-Proto - The scheme/protocol
X-Forwarded-Port - The incoming port.
You would generally not allow these headers directly from the client, unless they were a trusted client. I assume ELB takes care of that for you.
We have the ssl certs from symantec and have added them to the LB in aws which is currently holding one ec2 instance. We are also using route53 for dns. https://domain.com isn't working, port 80 is ok. I've verified my security groups are allowing 443 for ec2 and lb.
I've been using www.wormly.com to test SSL and notice that the domain.com fails but the FQDN of the load balancer passes "green" for the certs but not the domain.com...
Does the csr need to use the FQDN of the aws load balancer?
There were residual dns records that had to be updated on godaddy unbeknownst to me due to my not having initially purchased the domain.
I have installed an SSL on ELB. I have one EC2 instance in the ELB and can access the website via the SSL fine (IIS Windows 2008 server).
The confusion is when I am in NON HTTPS and I perform a redirect in my app to the HTTPS area, I get an error.
Doing some digging in the listeners area, I can see Port 443 on the ELB forwards to port 80 on the instances which makes sense, but then how do I handle this scenario?
For now, I have 'hacked' it by adding a self signed cert on my instance and then forwarding 443 from ELB to 443 on the instance, but this kind of defies the point?!
Any advice on how this should be structured would be great!
You have both port 80 and 443 on you load balancer forwarding to port 80 on your instance, so you need to figure out how to tell them apart.
The ELB sets a header value so you can tell these two types of requests apart.
Take a look at http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-headers but the value you want to check is X-Forwarded-Proto - this should have http or https, and obviously if it's http you would then redirect to https.
I am trying to add SSL support for my site which is on AWS infrastructure.
I am using (Ubuntu, Apache, cake-php).
I installed the certificate from go daddy on AWS ELB per this guide.
When I test my domain via HTTPS it works fine, but the site is also available via HTTP.
I would like to redirect all calls to HTTP, but per the guide instructions the ELB and EC2 communicate via HTTP, so the protocol identified by my EC2 is on port 80, so the EC2 has no way to redirect the user, because all communication to it from ELB is over port 80.
If I change ELB-EC2 settings to HTTPS, it does not work anymore, I assume some configuration is required (on ELB,EC2?) but I could not find any documentation on the above.
Any input, links etc. would be greatly appreciated!
Thanks
ELB sets X-Forwarded-Proto header, you can use it to detect if original request was to HTTP and redirect to HTTPS then.
Take a look at ELB docs.