What changes require in LEMP stack for session handling over HTTPS with AWS Certificate Manager (ACM) and EC2 server running behind ELB?

0
votes

I came to know I can use AWS Certificate Manager(ACM) to get wild card SSL i.e. *.example.com.

SSL certificate created in ACM can be used on EC2 running behind AWS ELB.

listeners are currently configured for this load balance

The problem occurs when there is request from AWS ELB from port 443 to EC2 on port 80, URL in browser still on HTTPS, internal PHP is running on HTTP(not listening in nginx config to 443), so session is not valid, and the application logout flow occurs and session is not valid.

I have no idea how to resolve this, or how I can configure port 443 in nginx witout SSL?

PS

As Amazon do not give option to download SSL private key and public key from ACM to setup SSL on EC2 nginx config over port 443.

1
amazon-web-servicesnginxamazon-ec2ssl-certificateelastic-load-balancer
I doubt this is an issue with the SSL certificate itself. How many EC2 servers do you have behind the load balancer? Do you have sticky sessions enabled on the load balancer? - Mark B

1 Answers

3
votes

As you added SSL to the load balancer, not your instance, you don’t have to deal with configuring keys or listening on a new port. As far as the web server is concerned you’re still running under HTTP which comes with it’s own problems.

Luckily AWS are one step ahead and have a header we can use for this purpose as shown in the example below:

server {
  listen 80;
  server_name yoursitename;
  root /path/to/web/dir;

  index index.php;

  proxy_set_header X-Forwarded-Proto $scheme;
  if ( $http_x_forwarded_proto != 'https' ) {
    return 301 https://$host$request_uri;
  }

  location ~ \.php$ {
      # PHP conf
  }
}

You may also have to edit settings in your application to tell it you’re using HTTPS. This will likely be in a config file or a setting in a database.

You’ll most likely have some insecure content warnings now. You can’t load insecure content over HTTPS so make sure that you aren’t loading any images or scripts over HTTP. Google Developers have a good guide on this so give it a read if you want to learn more.