
I set up a website on AWS with Apache on 2 EC2 instances behind an AWS load balancer. The load balancer has an SSL certificate (I successfully followed this manual). GoDaddy has an A record for the website pointing at the load balancer IP (cannot use the DNS name).

Before, I had a single instance with a local SSL certificate installed and it worked great.

My questions are:

1. When I go to my new website with http:// it shows correctly, but in the address bar I don't see any SSL certificate. (Do I still need to use a local .htaccess for the SSL redirect? If yes, do I need to use the keys I generated the load balancer SSL with?)

2. When I go to my website with httpS:// the certificate is visible in the address bar with the correct data, but the website looks like a long list of pictures and text.

The load balancer listener configuration is:

- HTTP 80 > HTTP 80
- HTTPS 443 > HTTP 80 (with my cert)

Thanks for your help, Alex.


2 Answers


You have two problems.

If you want to do a redirect, from non-ssl to ssl, you need to detect that the traffic is coming over a non-ssl port.

Normally, you would do this by detecting which port the user was coming in on and redirecting everything sent to port 80. You can still do that if you move your 443 listener traffic to a port other than 80.

The other option is to redirect based on the value of the X-Forwarded-Proto header.

With your other issue, you are probably requesting some assets, like CSS files, not over SSL. Browsers will block this type of activity.
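An added example of the X-Forwarded-Proto approach from this answer, written as an Apache `.htaccess` for the backend instances (this is not code from the answer's author; it assumes `mod_rewrite` and `mod_setenvif` are enabled and that the ELB's HTTPS 443 listener forwards to HTTP 80 as in the question):

```apache
# Added example: .htaccess on an EC2 instance behind an AWS ELB whose
# HTTPS 443 listener forwards to HTTP 80. Apache only ever sees plain HTTP,
# so the original client scheme comes from the X-Forwarded-Proto header
# that the load balancer adds to every forwarded request.
RewriteEngine On

# Redirect only when the ELB explicitly says the client used plain http.
# Matching "=http" rather than "!https" means requests with no header at
# all (ELB health checks, curl straight to the instance) are NOT redirected,
# so the health check keeps returning 200 instead of a 301 it cannot follow.
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Assumption: the application checks the HTTPS environment variable (as PHP
# does via $_SERVER['HTTPS']) to build https:// asset URLs. Setting it from
# the forwarded header avoids the mixed-content blocking described above,
# since the app would otherwise think every request was plain http.
SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
```

To check the rule on the instance itself, send a request with the header the ELB would add, e.g. `curl -sI -H 'X-Forwarded-Proto: http' http://127.0.0.1/` should return a `301` with a `Location: https://...` header, while the same request without the header should return `200`.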


To complement the answer, you will have another problem if you use the elastic load balancer IP in your DNS A record. The first thing is that AWS gives you a DNS name, not a single IP, so they may change the underlying IPs at will. If this happens, you will end up with a DNS record pointing to the wrong IP.

The other thing is that elastic load balancer uses multiple IPs for the same DNS name in order to direct traffic to instances in different availability zones (you can check this by resolving the DNS name of an elastic load balancer deployed in multiple AZs). So by picking a single IP for your DNS A record, you are limiting the potential functionality of that load balancer, because it will only direct traffic to a single availability zone.

To solve those problems you will have to use a DNS CNAME record that points to the complete load balancer DNS name. Or, if you want to point your root domain to the load balancer, you probably will have to use the AWS managed DNS service Route53.