How can you terminate a custom/external HTTPS (SSL) certificate at the AWS ELB or EC2 level?
1) At the ELB level
Use AWS Certificate Manager to create a certificate, or import your existing certificate into it.
In the ELB listener rules, configure HTTPS (port 443) and attach the certificate above.
Limitation: you can attach only one certificate per ELB.
2) At the EC2 level
Suppose you have multiple sites on one EC2 instance (multi-tenant) and want to terminate HTTPS for all of them:
An ELB per site would be a costly solution, so use a TCP pass-through setup instead.
https://test1.com
https://test2.com
https://test2.com
In the ELB listener rules, configure TCP (port 443) pass-through.
With TCP load balancing the backend cannot see the client's IP address (it only sees the ELB's address), so enable proxy protocol.
Enable proxy protocol on the ELB through the CLI (it is not available in the AWS console). The ELB then prepends a plain-text PROXY line carrying the client's address and port to every TCP connection; nginx reads that line and can pass the address on to the application as X-Forwarded-For.
TLS termination then happens on the EC2 instance itself (Nginx/Apache).
Nginx:
server {
    # ssl: terminate TLS here; proxy_protocol: expect the PROXY line the ELB prepends
    listen *:443 ssl proxy_protocol;
    server_name *.site.com;
    # Only trust the PROXY line from the ELB. 0.0.0.0/0 honours it from any peer;
    # narrow this to the ELB's VPC subnet, and restrict the instance's security
    # group to the ELB so nobody can connect directly and forge a client address.
    set_real_ip_from 0.0.0.0/0;
    real_ip_header proxy_protocol;
    # "ssl on;" is deprecated (removed in nginx 1.25); the ssl flag on listen replaces it
    ssl_certificate /opt/site/conf/ssl_keys/nginx_site.crt;
    ssl_certificate_key /opt/site/conf/ssl_keys/site.pem;
    location / {
        # Hand the decrypted request to the plain-HTTP application on this instance
        proxy_pass http://127.0.0.1:80;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_redirect off;
        # Client address taken from the PROXY line, not from the TCP peer (the ELB)
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
        proxy_set_header X-Custom-Header nginx;
    }
}
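To show what nginx is doing with the PROXY line, here is an added example (not part of the original post) that parses a PROXY protocol v1 header the way a Classic ELB sends it and applies the same trust rule as set_real_ip_from: the client address from the header is honoured only when the TCP peer is in a trusted range. The trusted range 10.0.0.0/16 and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the ELB lives in this VPC subnet. Only PROXY lines arriving from
# a peer in this range are believed (the equivalent of set_real_ip_from).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/16")]

# PROXY v1 line as sent by an ELB with ProxyProtocol enabled, e.g.
#   "PROXY TCP4 <client-ip> <elb-ip> <client-port> <elb-port>\r\n"
# followed directly by the TLS ClientHello. The line is at most 107 bytes.
MAX_V1_LINE = 107


def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, remaining_bytes); raise ValueError if malformed."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LINE:
        raise ValueError("no PROXY v1 line at start of connection")
    fields = data[:end].split(b" ")
    if not fields or fields[0] != b"PROXY":
        raise ValueError("not a PROXY line")
    if len(fields) == 2 and fields[1] == b"UNKNOWN":
        raise ValueError("PROXY line carries no address (UNKNOWN)")
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY line")
    client_ip = ipaddress.ip_address(fields[2].decode("ascii"))
    proxy_ip = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if fields[1] == b"TCP4" else 6
    if client_ip.version != want or proxy_ip.version != want:
        raise ValueError("address family does not match TCP4/TCP6 tag")
    client_port, proxy_port = int(fields[4]), int(fields[5])
    if not (0 < client_port < 65536 and 0 < proxy_port < 65536):
        raise ValueError("port out of range")
    # Everything after CRLF is the real payload (here: the TLS handshake).
    return str(client_ip), client_port, data[end + 2:]


def real_client_ip(peer_ip: str, data: bytes):
    """Mirror nginx: the header is always consumed, but the address it carries
    replaces the peer address only when the peer is a trusted proxy."""
    client_ip, _port, rest = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXY_NETS):
        return client_ip, rest          # header came from the ELB: believe it
    return peer_ip, rest                # direct connection: header could be forged
```

With the peer at 10.0.1.20 (the ELB) the client address is recovered; with the same bytes from an untrusted peer the function falls back to the peer's own address.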