1
votes

I have set up a TCP listener on the elastic load balancer (ELB) port 443 which then forwards to the auto-scaling group (ASG) via SSL on port 443.

It is my understanding that the certificate on the ASG servers will be presented.

I have enabled back end authentication. On the console, the port configuration reads: 443 (TCP) forwarding to 443 (SSL) Backend Authentication: Enabled, followed by my PublicKeyPolicyType name.

This is not working. No certificate is being presented.

Am I missing something? Do I need to upload the cert to the ELB? I am trying to avoid this.

1

Mircea: backend also needs to be tcp if you want to do the auth yourself in the service.

rorstack: Oh man, so simple. That worked. Thanks Mircea. AWS documentation says SSL at the backend which doesn't work. docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/…

1 Answer

2
votes

Backend authentication means that your ELB will use SSL (and expect to see a certificate) when communicating to 443 on your instances.

Once the data gets back to the ELB, it just uses port 443, NO SSL, exactly as you specified.


With the ELB the common practice is to Terminate SSL on the ELB and for extra security still use SSL to communicate with your instances.



You need to upload your SSL cert (and keys) to the ELB itself. This can be done in the AWS console ELB configuration.

https://aws.amazon.com/blogs/aws/elastic-load-balancer-ssl-support-options/
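The difference between the listener shapes discussed in this thread (TCP to TCP passthrough, where the instance's certificate reaches the client; HTTPS/SSL on the front, where the ELB needs its own certificate; and the TCP to SSL mismatch from the question) can be audited straight from `aws elb describe-load-balancers` output. The following is an added example, not code from the answer or from AWS: it classifies each classic ELB listener, flags the mismatch, and includes a live check that reports what certificate an endpoint actually presents. The load balancer name, certificate ARN and policy names in the sample JSON are constructed, and the JSON field names follow the documented describe-load-balancers shape.

```python
"""Classify classic ELB listeners by where TLS terminates and which certificate
a client is shown. Added example; the sample below is constructed in the shape
of `aws elb describe-load-balancers` output, not captured from a real account."""
import json
import socket
import ssl

# Constructed sample: one ELB carrying the three listener shapes from the thread.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "LoadBalancerDescriptions": [{
        "LoadBalancerName": "example-elb",  # constructed name
        "ListenerDescriptions": [
            # TCP -> TCP: raw passthrough, the instance's own cert is presented.
            {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 443,
                          "InstanceProtocol": "TCP", "InstancePort": 443},
             "PolicyNames": []},
            # TCP -> SSL: the configuration from the question.
            {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 8443,
                          "InstanceProtocol": "SSL", "InstancePort": 443},
             "PolicyNames": []},
            # HTTPS -> HTTPS: terminate at the ELB, re-encrypt to the instance.
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 444,
                          "InstanceProtocol": "HTTPS", "InstancePort": 443,
                          "SSLCertificateId":
                              "arn:aws:iam::123456789012:server-certificate/example"},
             "PolicyNames": ["ELBSecurityPolicy-2016-08"]},  # constructed
        ],
        # Backend authentication policies are attached per instance port.
        "BackendServerDescriptions": [
            {"InstancePort": 443, "PolicyNames": ["example-backend-auth"]}
        ],
    }]
})

TLS_PROTOCOLS = {"HTTPS", "SSL"}


def classify_listener(listener, backend_auth_ports):
    """Return (mode, cert_seen_by_client, problem_or_None) for one listener."""
    front = listener["Protocol"].upper()
    back = listener["InstanceProtocol"].upper()
    backend_auth = listener["InstancePort"] in backend_auth_ports
    if front in TLS_PROTOCOLS:
        # ELB is the TLS server: it must hold the certificate the client sees.
        mode = "terminate-at-elb" + ("+reencrypt" if back in TLS_PROTOCOLS else "")
        cert_id = listener.get("SSLCertificateId")
        return mode, cert_id or "MISSING", None if cert_id else "TLS listener has no certificate"
    if back in TLS_PROTOCOLS:
        # ELB forwards the client's raw TLS bytes inside its own TLS session to the
        # instance, so the instance sees TLS-in-TLS and its certificate never reaches
        # the client. This is the failure described in the question.
        return "mismatch", "none", "TCP front with SSL backend wraps client TLS in a second TLS layer"
    # TCP -> TCP: bytes pass through untouched; the instance terminates TLS.
    problem = None
    if backend_auth:
        # ELB is not a TLS client here, so it cannot check the instance's key.
        problem = "backend authentication policy has no effect on a TCP backend"
    return "passthrough", "instance", problem


def audit(describe_json):
    """Classify every listener of every ELB in describe-load-balancers output."""
    findings = []
    for lb in json.loads(describe_json)["LoadBalancerDescriptions"]:
        auth_ports = {b["InstancePort"] for b in lb.get("BackendServerDescriptions", [])
                      if b.get("PolicyNames")}
        for desc in lb["ListenerDescriptions"]:
            lst = desc["Listener"]
            mode, cert, problem = classify_listener(lst, auth_ports)
            findings.append({"lb": lb["LoadBalancerName"], "port": lst["LoadBalancerPort"],
                             "mode": mode, "client_sees_cert": cert, "problem": problem})
    return findings


def presented_cert_pem(host, port=443, timeout=5.0):
    """Live check (not run in this example): connect to the ELB's DNS name and
    return the PEM of whatever certificate is presented, without verifying it,
    so a wrong certificate shows up instead of raising. Pipe the result to
    `openssl x509 -noout -subject` to see whose certificate it is."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    for f in audit(SAMPLE_DESCRIBE_OUTPUT):
        print(f)
```

Run `audit` on the real output of `aws elb describe-load-balancers --output json` to see, per listener, whether the client will be shown the instance's certificate (passthrough) or one the ELB must hold, and `presented_cert_pem` against the ELB's DNS name to confirm what is actually served.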