FoxuTech

Configure Elastic Load Balancing with SSL and AWS Certificate Manager for Applications on AWS

Configure Elastic Load Balancing with SSL

Load balancing is a technique commonly used by high-traffic Web sites and Web applications to share traffic across multiple hosts, thereby ensuring quick response times and rapid adaptation to traffic peaks and troughs. The Elastic Load Balancing service from Amazon Web Services (AWS) with Secure Sockets Layer (SSL) support makes it easy to add secure load balancing for  applications running on AWS.

In a horizontally scaled web server environment, no individual server should care about SSL. Your customers and the rest of the world should interact with your system through HTTPS, but your web servers only need to respond to HTTP, to allow for per-server health check monitoring.

Your load balancer is the bridge between your pool of resources and the outside world, so your load balancer should handle SSL. Luckily, AWS makes this really easy.

This guide walks you through the process of configuring and testing an Elastic Load Balancer with an SSL certificate for a application running on AWS.

Step 1: Identify your application instance in the AWS EC2 Console

The first step is to identify your application instance and collect various important bits of information, such as the instance ID, DNS name, public IP address, availability zone and Virtual Private Cloud (VPC) ID. To do this:

 

Create an Elastic Load Balancer with HTTP and HTTPS support

Next, create an Elastic Load Balancer as follows:

  1. Enter a name for the load balancer and specify the scheme as “Internet facing”.
  2. In the “Listeners” section, ensure that there is an HTTP listener on load balancer port 80. Click the “Add listener” button and add a second HTTPS listener on load balancer port 443. This configures the load balancer to handle both HTTP and HTTPS requests from clients.
  3. In the “Availability Zones” section, select the same VPC as the one used by your application instance and select a subnet from each availability zone.
  4. Click the “Next: Configure Security Settings” button to proceed.

On the “Configure Security Settings” page, select the “Request a new certificate from ACM” option to create a new SSL certificate for your load balancer. This will launch the AWS Certificate Manager (ACM) in a new window.

Within the AWS Certificate Manager, on the “Request a certificate” page, enter your domain name. Click “Review and request” to review and confirm the request.

An email will now be sent to the registered owner of the domain with instructions to confirm the certificate request by validating the domain. The domain will appear in the AWS Certificate Manager with status set to “Pending validation”.

  1. Select the option to “Create a new security group”.
  2. Add a security rule to allow inbound traffic on port 80 (the HTTP port) with source “Anywhere”.
  3. Add a second security rule to allow inbound traffic on port 443 (the HTTPS port) with source “Anywhere”.
  4. Click the “Next: Configure Routing” button to proceed.
  1. In the “Target group” section, create a new target group and assign it a name. Ensure that the protocol is set to “HTTP”, the port to “80” and the target type to “instance”. With this configuration, traffic between the load balancer and the instance will be transmitted using HTTP, even for HTTPS requests made by the client to the load balancer.
  2. In the “Health checks” section, define the protocol as “HTTP” and the path to “/”.
  3. Click the “Next: Register Targets” button to proceed.

On the “Register Targets” page, use the instance ID obtained in Step 1 to identify and select the application instance. Click the “Add to registered” button to move the instance into the list of registered targets. Click the “Next: Review” button to proceed.

On the “Review” page, review the details of the configured load balancer. Click “Create” to confirm the configuration and deploy the load balancer.

The load balancer will now be created and deployed.

Step 3: Point your domain name to the load balancer’s IP address

Once the deployment is complete, perform the following steps:

NOTE: Once you make the necessary changes, it can take up to 48 hours for the change to propagate across other DNS servers.

Browsing to https://DOMAIN should result in the load balancer displaying the secure welcome page of the application. Clicking the padlock icon in the browser address bar should display the details of the domain and SSL certificate.

How should I configure my ELB health check when using NameVirtualHosts and redirecting to www?

Question AWS Forum – You could alternatively specify the path part of the URL that you want the ELB to request and ignore that path by adding another RewriteCond:

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/health-check$
RewriteRule ^ http://www.example.com/$1 [R=301,L]

Normal users who hit that URL will not be redirected. You could also use the same technique to detect the User-Agent of the ELB.

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
RewriteRule ^ http://www.example.com/$1 [R=301,L]

Normal users who spoof their User-Agent will not be redirected. Or the internal IP address of the ELB.

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{REMOTE_ADDR} !^10\.
RewriteRule ^ http://www.example.com/$1 [R=301,L]

For this option to work, you will require either mod_rpaf (for Apache 2.2) or mod_remoteip (for Apache 2.4) to modify the REMOTE_ADDR variable to contain the correct part of the contents of the X-Forwarded-For header. As long as you set that up correctly, it shouldn’t be possible for a normal user to avoid the redirect response.

Exit mobile version