I'm using Amazon ELB and have HTTPS set up with a certificate, however I need to support many domains (several thousand). Is there a way to have an ELB forward port 443 to the resolving EC2 instance(s) and let them handle HTTPS? Or would there be an alternative way to support this? From what I've seen it looks like you can only have one listener on 443 with a single certificate associated.
It is possible to do this now.
You need AWS ACM certificates. Assuming you already have one:
Select your load balancer and, under "Listeners", check the HTTPS listener and open the certificate selector via "View/edit certificates".
Then in the selection menu use the '+' or '-' buttons to add or remove ACM certificates from said balancer:
The short answer to your question is no, an ELB can only have 1 associated certificate. Assuming you aren't in a situation where a wildcard cert would work (e.g. *.example.com), you won't be able to use ELB the way that the GUI makes it seem like it should work. This is because ELB does not support SNI, which is what makes something like Apache able to bind multiple SSL domains to a single host.
That said, there is a workaround. You can forward 443 through your ELB directly to the assigned server. This is done by setting up port 443 in TCP pass-through mode rather than in HTTPS mode. To do that:
1. Go to the AWS console and select the ELB you want to edit.
2. Choose the "Listeners" tab.
3. Select "Edit".
4. Change the "Load Balancer and Instance Protocols" to "TCP" (see screenshot).
5. Set the Load Balancer and Instance Ports to 443.
Alternatively, if you don't yet have an HTTPS listener, choose "Add" in step 3.
Note: setting it up this way will force your EC2 instances to encrypt/decrypt traffic, which will be an additional load on your EC2 CPU.
Greetings!!
I am using an EC2 machine and running an application on port 3000 in EC2. We have created an autoscaling group and added an Elastic Load Balancer to it.
I want to use an HTTPS connection. Instead of using an SSL certificate, we have added CloudFront. CloudFront provides the HTTPS URL. In the security group we have opened ports 80, 443 and 3000.
Please help me: is there any best way to achieve this requirement?
As you already have an ELB, you can use AWS ACM to get a free SSL certificate and attach it to your ELB. This way you get HTTPS.
I have a Route 53 domain, which maps to a load-balancer, which maps to a NodeJS Express server (check it out here). But it is currently using HTTP, so I want to switch over to HTTPS. I also have an ACM SSL certificate ready to go.
I have tried adding a listener to the load-balancer...
However, when I entered the address in the browser, it times out.
So, I tried editing the security group corresponding to this load-balancer...
But it still times out.
Thanks for any help.
Extra references:
here is the video I have been watching
here is the AWS docs article I have been reading
P.S. Could it be a problem with the API itself i.e. do I have to add any extra configuration to the API?
Your current listener on HTTPS isn't working because you aren't pointing it at the same destination as the HTTP listener.
Set your HTTPS listener's Instance Protocol to HTTP and its port to the port your API listens on - 31315.
I tried editing the security group corresponding to this load-balancer
This needs to be done as well. The load balancer's security group must allow 443, and the load balancer must be listening on 443. The only piece you look like you're missing is pointing the load balancer's listener to the correct destination port on the instance.
Could it be a problem with the API itself i.e. do I have to add any extra configuration to the API?
I wouldn't think so. The API probably doesn't care whether the load balancer listens for HTTPS or not - the important thing is that the traffic is sent to the port the API is listening on.
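The diagnosis in the answer above comes down to three checks: the HTTPS listener must sit on 443, the load balancer's security group must admit 443, and the HTTPS listener must forward to the same instance protocol and port the working HTTP listener uses. The following is an added example, not code from the thread: an offline checker that runs those checks over dictionaries constructed here in the shape boto3's elb.describe_load_balancers() and ec2.describe_security_groups() return (the load balancer name, security group id, port 31315 and the certificate ARN placeholder are constructed values). No AWS call is made.

```python
"""Offline sanity check of a classic ELB's HTTPS listener against its HTTP listener and security group."""
import copy

# Constructed sample, modelled on boto3 output, reproducing the thread's situation:
# the HTTP listener reaches the API on 31315, the new HTTPS listener points elsewhere.
LB_DESCRIPTION = {
    "LoadBalancerName": "example-lb",
    "SecurityGroups": ["sg-lb"],
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 31315}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTPS", "InstancePort": 443,
                      "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}},
    ],
}

# Constructed security group that only admits port 80 (the second half of the problem).
SECURITY_GROUPS = {
    "sg-lb": {
        "GroupId": "sg-lb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
}


def sg_allows_tcp(group, port):
    """True if any ingress rule of the security group admits TCP on `port`."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "-1":          # "-1" means all protocols and ports
            return True
        if perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return True
    return False


def check_https_listener(lb, groups):
    """Return a list of findings about the HTTPS listener; an empty list means it is consistent."""
    findings = []
    listeners = [d["Listener"] for d in lb["ListenerDescriptions"]]
    http = [l for l in listeners if l["Protocol"] == "HTTP"]
    https = [l for l in listeners if l["Protocol"] == "HTTPS"]
    if not https:
        return ["no HTTPS listener configured"]
    for l in https:
        if l["LoadBalancerPort"] != 443:
            findings.append(f"HTTPS listener is on port {l['LoadBalancerPort']}, not 443")
        if not l.get("SSLCertificateId"):
            findings.append("HTTPS listener has no certificate attached")
        # The instance side must be reached exactly as the already-working HTTP listener reaches it.
        for h in http:
            if (l["InstanceProtocol"], l["InstancePort"]) != (h["InstanceProtocol"], h["InstancePort"]):
                findings.append(
                    f"HTTPS listener forwards to {l['InstanceProtocol']}:{l['InstancePort']} "
                    f"but HTTP listener forwards to {h['InstanceProtocol']}:{h['InstancePort']}")
        for sg_id in lb["SecurityGroups"]:
            if not sg_allows_tcp(groups[sg_id], l["LoadBalancerPort"]):
                findings.append(f"security group {sg_id} does not allow inbound TCP {l['LoadBalancerPort']}")
    return findings


def corrected():
    """Constructed 'after' state: HTTPS listener re-pointed at HTTP:31315 and 443 opened on the group."""
    lb = copy.deepcopy(LB_DESCRIPTION)
    groups = copy.deepcopy(SECURITY_GROUPS)
    for d in lb["ListenerDescriptions"]:
        if d["Listener"]["Protocol"] == "HTTPS":
            d["Listener"]["InstanceProtocol"] = "HTTP"
            d["Listener"]["InstancePort"] = 31315
    groups["sg-lb"]["IpPermissions"].append(
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]})
    return lb, groups


if __name__ == "__main__":
    for finding in check_https_listener(LB_DESCRIPTION, SECURITY_GROUPS):
        print("before:", finding)
    print("after:", check_https_listener(*corrected()) or "no findings")
```

Against real data, the same functions can be fed the output of `describe_load_balancers()` and `describe_security_groups()`; the check that compares the HTTPS listener's instance target with the HTTP listener's is the one that catches the misconfiguration this thread describes.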
I have the following beanstalk environment: https(443) -> ALB -> http(80) to instance.
The ALB listener accepts only HTTPS requests, authenticates with the SSL certificate, and then forwards to the default port 80.
Everything works fine, but I wonder if it is also possible to redirect HTTP port 80 requests back to the ALB HTTPS listener without the need to support HTTPS on the instance?
When I tried to create a redirect process, it failed since it tried a health check on port 443 and the instance doesn't support it.
P.S. Is it a security issue if authentication is done only in the ALB and it communicates with instances on port 80? (The instance security group accepts requests only from the ALB.)
The redirection from HTTP to HTTPS is best set up using the EC2 console, not the EB console. For that you have to go to EC2 console -> Load Balancers.
Then you can modify the existing rule on HTTP:80 listener from Forward to Redirect as shown below:
The above change should not affect any of your health checks.
Is it a security issue if authentication is done only in the ALB and it communicates with instances on port 80?
Yes. This is how it is most commonly done. The HTTP traffic between the ALB and your instances traverses only the AWS network, not the internet. So it's safe from public eyes. But obviously, you can still set up HTTPS between the ALB and the instances, but this requires extra work and puts more stress on your instances as they now have to handle SSL encryption and decryption as well.
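The ALB redirect rule above is the right place to do this, but the failure described in the question (a redirect that breaks the health check because the instance has no HTTPS) also shows what an instance-side redirect has to get right when TLS terminates at the balancer: the instance only sees plain HTTP on port 80, so the original scheme is known solely from the X-Forwarded-Proto header the ALB adds, and the health-check path must stay unredirected. The following is an added example, not code from the thread: a minimal WSGI application on the standard library that implements exactly that. The health-check path, the canonical hostname and the bind port are assumptions; the header is trusted only because, as the question states, the instance security group admits traffic from the ALB alone.

```python
"""Instance-side HTTP->HTTPS redirect for a service whose TLS terminates at an ALB."""
from wsgiref.simple_server import make_server

HEALTH_PATH = "/health"              # assumed health-check path; match it to your target group
CANONICAL_HOST = "app.example.com"   # assumed public hostname (placeholder), never taken from the request
BIND_PORT = 8080                     # assumed instance port the target group points at


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    # WSGI exposes X-Forwarded-Proto as HTTP_X_FORWARDED_PROTO. It is trusted here only
    # because the instance security group lets the ALB alone reach this port; a host
    # reachable directly from the internet could be sent a forged value.
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "http").split(",")[0].strip().lower()

    # The ALB health check arrives over plain HTTP; answering it with a redirect
    # is what turned the target unhealthy in the question, so serve it directly.
    if path == HEALTH_PATH:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    if proto != "https":
        qs = environ.get("QUERY_STRING", "")
        # Redirect to a fixed canonical host rather than echoing the Host header,
        # so a client-controlled Host cannot steer the redirect elsewhere.
        location = f"https://{CANONICAL_HOST}{path}" + (f"?{qs}" if qs else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served over https"]


def call(environ):
    """Run `app` on a constructed WSGI environ and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed requests: one the ALB forwarded from an HTTP listener, one from HTTPS.
    print(call({"PATH_INFO": "/login", "QUERY_STRING": "next=%2F", "HTTP_X_FORWARDED_PROTO": "http"}))
    print(call({"PATH_INFO": "/login", "HTTP_X_FORWARDED_PROTO": "https"}))
    make_server("0.0.0.0", BIND_PORT, app).serve_forever()
```

With this in place the ALB's HTTP:80 listener can keep forwarding to the instance and still end up at HTTPS, while the target group's health check keeps passing over HTTP; in practice the ALB-level redirect rule is simpler and avoids the extra hop.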
I'm very new to AWS, so if any of the info I give you is not correct, I would appreciate a correction.
I have a single EC2 instance, running Windows, and using Internet Information Services (IIS). That instance has an elastic IP address set, so any time I want to access my web, I do it through "http://xx.xxx.xxx.xxx/myWeb/controller/view".
I have a mobile app that opens a webview through an address like the one before, to register a credit card, and the API I'm using for that is requesting to make the connection secure. Doing research, I found out about AWS Certificate Manager. It's my understanding that you can only deploy a certificate generated from the certificate manager to an ELB or CloudFront, but I don't have any of those.
All the documentation I read is fairly advanced for my understanding at this point or is focused on Linux servers, so I would like to know: how would you guys solve this? Should I put an ELB in front of my EC2 to be able to use Certificate Manager? Or is there a better way to enable an HTTPS connection?
I also read about having to enable port 443 (HTTPS), is this an extra step I have to take, besides getting the SSL certificate?
Sorry if I'm all over the place. Any help would be greatly appreciated :)
There are 2 options: host the SSL certificate within the instance, or use an ELB/ALB to terminate SSL (and change port) and forward the connection to the instance. In either case you would need a domain name registered (the trust relationship is against the domain name, not the IP address).
If you choose the AWS route:
1. (Optional) Register the domain in Route 53, or transfer it in.
2. Register the certificate in ACM, or upload your own.
3. Create an ELB / ALB. Set it to use the custom domain and enable SSL.
4. Create a 'listener' on the ELB / ALB listening on port 443 (IIRC the SSL certificate is actually attached to this listener). Set the listener to forward all incoming connections to the instance on a port of your choosing (e.g. 80 now that it is HTTP).
If you are using websockets you would need to use an ALB (not ELB)
Beware there is a monetary cost for using ELB / ALB.
In the deployment scenario I am using, there is a single ELB, balancing multiple EC2 instances, serving a multi-domain system. Since ELB doesn't support multiple SSL certificates on HTTPS, ELB port 443 is configured as TCP 443, which points to port 9443 on EC2 instances (with Proxy Protocol enabled).
This way installing multiple SSL certificates using a single ELB is possible, as described in this blog post.
The problem now is that a stickiness policy can only be associated with a listener with HTTPS as the frontend protocol.
However, I cannot use HTTPS as frontend protocol, because of the multiple domains/SSL certificates point made above.
What would be the best way to handle the issue?
As suggested by #Castaglia, I ended up with a configuration of separate ELBs, one for each domain/certificate pair.
In the auto scaling configuration, you have the option to specify multiple ELBs.
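Both the TCP pass-through answer earlier on this page (ELB port 443 in TCP mode forwarded straight to the instance) and the setup in the question above (TCP 443 to port 9443 with Proxy Protocol enabled) share a consequence: in TCP mode the balancer cannot add X-Forwarded-For, so the instance sees only the ELB's address unless Proxy Protocol is on, in which case the ELB prepends one ASCII line to the connection before the client's TLS bytes. The following is an added example, not code from the thread or the linked blog post: a parser for that PROXY protocol v1 line, which hands the backend the real client address and the untouched TLS data that follows. The sample connection bytes are constructed (documentation addresses, a TLS record header); the header should only be honoured on a port that, as in the question's setup, is reachable exclusively through the ELB, since any direct client could otherwise prepend a forged one.

```python
"""Parse the PROXY protocol v1 line an ELB TCP listener prepends when Proxy Protocol is enabled."""
import ipaddress

MAX_V1_HEADER = 107  # longest possible v1 line, CRLF included, per the PROXY protocol spec

# Constructed sample: what the backend reads first on port 9443 when a client at
# 198.51.100.7 connects through the ELB; the bytes after the line are the start of a
# TLS record (handshake, version 3.1), shown truncated.
SAMPLE_CONNECTION = b"PROXY TCP4 198.51.100.7 10.0.1.5 51234 443\r\n\x16\x03\x01\x00\xc8\x01\x00"


class ProxyHeaderError(ValueError):
    """Raised when the leading bytes are not a well-formed PROXY v1 line."""


def parse_proxy_v1(data: bytes):
    """Return (addr, remaining_bytes) where addr is (src_ip, src_port, dst_ip, dst_port),
    or None when the balancer sent 'UNKNOWN'. remaining_bytes is the client's own data."""
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("connection does not start with a PROXY header")
    # The CRLF must fall inside the first 107 bytes; anything longer is not v1.
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("PROXY line too long or not terminated by CRLF")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("PROXY line is not ASCII") from exc
    rest = data[end + 2:]
    parts = line.split(" ")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return None, rest        # balancer could not determine the client; treat as untrusted
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed PROXY line: {line!r}")
    family = 4 if parts[1] == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port in PROXY line: {line!r}") from exc
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match TCP4/TCP6 marker")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return (str(src), sport, str(dst), dport), rest


def is_valid_proxy_v1(data: bytes) -> bool:
    """Convenience predicate for tests and logging: True only for a well-formed v1 line."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


if __name__ == "__main__":
    addr, tls_bytes = parse_proxy_v1(SAMPLE_CONNECTION)
    print("client:", addr, "| first TLS bytes:", tls_bytes[:3].hex())
```

A backend listening on 9443 reads the line once, right after `accept()`, logs or rate-limits on the parsed source address, and then passes `rest` into its TLS handshake as if it had been read from the socket; the server-side TLS library never sees the PROXY line.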