Ssl – AWS: Forwarding HTTPS to HTTP via ELB

amazon-elbamazon-web-servicesssl

I'm having issues setting up HTTPS on AWS via a load balancer. I've managed to get as far as proxying my standard :80 server, via HTTPS on the load balancer, so requests to https://www.example.com are working. So if AWS can handle HTTPS traffic at the ELB level, do I actually need to start a separate web server to handle the HTTPS traffic, or can I just leave it at that?

What are the disadvantages of proxying HTTPS -> HTTP using an AWS load balancer?

Best Answer

Even without ELB, you don't need two web servers - Apache, nginx, IIS and other popular webservers can all serve HTTP and HTTPS at the same time.

That said, you can leave it the way you have it now, with one caveat - traffic between the ELB and your EC2 instance is unencrypted. As it's on Amazon's internal network, this is reasonably secure, but if you're transmitting stuff like credit cards and social security numbers, you'll want it encrypted all the way (especially if PCI compliance comes into play).

Related Solutions

WordPress – Endless Redirect Loop with AWS ELB and wordpress site using wordpress https plugin

I would hazard a guess without you posting your ELB configuration that the ELB is redirecting HTTPS (443/tcp) traffic to the EC2 instance on HTTP (80/tcp). Then you're .htaccess and plugin are trying to redirect it back to HTTPS because it is being seen over HTTP.

Go take a look at your EC2 console under Network & Security > Load Balancers and I would imagine you'll see the Port Configuration says something along the lines of 443 forwarding to 80 (HTTPS, Certificate: blah)

Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)

In the end, I implemented the requirement of our partner as follows:

launch an instance in AWS
allocate and attach an Elastic IP (EIP) to it
Installed Apache
(in our case, installed our SSL certificate)
Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB

Here's a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a <Directory> block that accepts requests only from their IP range.

<IfModule mod_ssl.c>
# Catch non-SSL requests and redirect to SSL
<VirtualHost 12.34.567.890:80>
  ServerName our-static-ip-a-record.example.com
  Redirect / https://our-elb-cname.example.com       
</VirtualHost>
# Handle SSL requests on the static IP
<VirtualHost 12.34.567.890:443>
  ServerAdmin monitor@example.com
  ServerName our-static-ip-a-record.example.com

  # SSL Configuration
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
  SSLCertificateFile    /etc/apache2/ssl/example.com.crt    
  SSLCertificateKeyFile /etc/apache2/ssl/private.key
  # Additional defaults, e.g. ciphers, defined in apache's ssl.conf

  # Where the magic happens
  ProxyPass / https://our-elb-cname.example.com/
  ProxyPassReverse / https://our-elb-cname.example.com/

  # Might want this on; sets X-Forwarded-For and other useful headers
  ProxyVia off

  # This came from an example I found online, handles broken connections from IE
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Hope this saves someone else some time in the future :-)

Best Answer

Related Solutions

WordPress – Endless Redirect Loop with AWS ELB and wordpress site using wordpress https plugin

Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)

Related Topic