Application Load Balancer (ELBv2) SSL pass through

26
votes

I am trying to configure an AWS Application Load Balancer (vs. a Classic Load Balancer) to distribute traffic to my EC2 web servers. For compliance reasons I need end to end SSL/HTTPS encryption for my application.

It seems to me the simplest way to ensure that traffic is encrypted the entire way between clients and the web servers is to terminate the HTTPS connection on the web servers.

My first question: Is it possible to pass through HTTPS traffic through an AWS Application Load Balancer to the web servers behind the load balancer in this manner?

From what I've gathered from the AWS documenation, it is possible to pass traffic through in this manner with a Classic Load Balancer (via TCP pass through). However, the Application Load Balancer looks like it wants to terminate the HTTPS connection itself, and then do one of the following:

  • send traffic to the web servers unencrypted, which I can't do for compliance reasons
  • create a new HTTPS connection to the web servers, which seems like extra work load

My second question: is that understanding of the documentation correct?

1
amazon-web-servicessslload-balancing
I haven't tried this with AWS, but I use HaProxy for my production server's to pass through SSL/HTTPS to Nginx.Lance Badger
I am not sure if send traffic to the web servers unencryptedthat is what is happening. I would start aws.amazon.com/blogs/aws/… or docs.aws.amazon.com/elasticbeanstalk/latest/dg/… Hope this helpsMuqeet Khan
@MuqeetKhan that is exactly what is happening if you terminate SSL at the load balancer and don't have an SSL certificate installed on the web server. If there is no SSL certificate on the web server how could the traffic between the load balancer and the server possibly be encrypted?Mark B
@John R can you please share that how you have achieved thatArbab Nazar
@ArbabNazar to the best of my recollection (this was a year ago and I'm at a different job now) I did this using a Classic Load Balancer with a TCP pass through. Then you terminate the HTTPS connection on the web servers that lie behind the load balancer. I did not use an Application Load Balancer.John R

1 Answers

42
votes

Terminating the SSL connection at the web servers requires you to change the load balancer listener from HTTPS to TCP. ALB doesn't support this, only classic ELB. Further, if you were terminating the SSL at the web server the load balancer wouldn't be able to inspect the request since it wouldn't be able to decrypt it, so it wouldn't be able to do all the fancy new routing stuff that the ALB supports.

If you actually want to use an ALB for the new features it provides, and you need end-to-end encryption, you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers. The web server certificate could be something like a self-signed cert since only the ALB is going to see that certificate, not the client.

I assume you need end-to-end encryption for compliance reasons (PCI, HIPAA, etc.). Otherwise there isn't a very compelling reason to go through the hassle of setting it up.