0
votes

I have a project running on AWS. The structure is this:

Application Load Balancer:
    - EC2 AutoScaling Group [1-5]:
      - 1^ instance...
      ... (more spawned when needed)
      - 5^ instance...

I have created a certificate for the Load Balancer with AWS Certificate Manager. So the traffic now is:

Clients ---- HTTPS Port 443 ----- > Load Balancer ------ HTTP Port 80 ----> EC2 Instances

But since there is no certificate on the instances, when I load the webpage I get a 'Site Not Secure' warning.

How can I create a complete SSL connection from Clients to any of my instances behind the Load Balancer?

EDIT

Here is the nginx configuration (for all instances):

server {
    listen       80;                      # plain HTTP: TLS is terminated at the ALB
    server_name  marette.ovh www.marette.ovh;

    root  /home/marette/marette_backend/dist;
    index index.html index.htm;

    client_max_body_size 10M;
    error_page 502 /gateway.html;

    # static Vue frontend
    location / {
        # note: browsers reject Access-Control-Allow-Credentials: true when the
        # allowed origin is "*"; credentialed CORS needs an explicit origin
        add_header 'Access-Control-Allow-Origin' "*" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

        # there is no proxy_pass in this location, so these proxy_* directives
        # have no effect; the files are served directly from root
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;

        root /home/marette/marette_backend/dist;
        try_files $uri $uri/ /index.html;
    }

    error_log  /var/log/nginx/vue-app-error.log;
    access_log /var/log/nginx/vue-app-access.log;

    # this is for the REST backend
    location /api {
        add_header 'Access-Control-Allow-Origin' "*" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
        # required to be able to read Authorization header in frontend
        add_header 'Access-Control-Expose-Headers' 'Authorization' always;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is the scheme of this listener (http), not the client's;
        # behind an ALB the client's scheme arrives in $http_x_forwarded_proto,
        # and this line overwrites it with "http" before it reaches the backend
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        # upstream is reached over TLS on localhost; nginx does not verify the
        # upstream certificate unless proxy_ssl_verify is switched on
        proxy_pass https://127.0.0.1:8000/api;
    }
}

And here is the configuration of the listeners for the Balancer: [screenshot of the listener configuration]

EDIT2: [screenshot]

EDIT3: [screenshot]

I don't understand the reason for a warning. Your client is connected to the load balancer via SSL so the connection from the client's perspective is secure. What happens behind the scenes is invisible to the client and doesn't matter. Can you elaborate on that warning please? - CherryDT
If you could expand on your setup (include screenshots of listeners) then I'll take a look :) - Chris Williams
Maybe the webserver on your instances is misconfigured and doesn't recognize the connection as using the HTTPS protocol (possibly it is not set up to recognize the X-Forwarded-Proto header from the load balancer) and redirects the user to URLs with just the HTTP protocol... (or maybe you are connecting via HTTP in the first place and didn't set up a redirect to HTTPS) - CherryDT
I have edited the main topic with additional information. - MARCO LAGALLA
How does the target group configuration look? - Chris Williams

1 Answer

0
votes

Checks that should be performed:

  • Always check that the domain name is correct for the SSL certificate; if it is not valid, you will get certificate errors.
  • Validate the listener is correctly configured to listen on 443 using HTTPS, and that the SSL is valid.
  • Validate the target group is using the correct protocol and port for the server itself (does not need to be the same as the load balancer).

A great site to test for SSL problems is SSL Labs.
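The browser never sees the load balancer's connection to the instances; what it judges is the certificate the ALB presents for the name typed in the address bar, any redirect it receives, and any http:// subresources in the page. The following script, added here as an example and not part of the question or the answer, checks exactly those three things the way a browser would, so it covers the first bullet of the checklist above (does the certificate name the host?) and CherryDT's suspicion in the comments (a backend that ignores X-Forwarded-Proto and redirects to plain http). It uses only the Python standard library; the host marette.ovh is taken from the question and is only a default argument. The SAN matching and redirect/mixed-content classification are plain functions so they can be exercised without network access.

```python
"""Diagnose a browser 'Not Secure' warning on a site fronted by an AWS ALB.

Added example, not code from the question or the answer. Assumes the host is
reachable on 443; DEFAULT_HOST is the hostname from the question.
"""
import http.client
import re
import socket
import ssl
import sys
from urllib.parse import urlsplit

DEFAULT_HOST = "marette.ovh"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def san_dns_names(cert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, san):
    """RFC 6125 style match: exact, or a single wildcard as the leftmost label.
    A wildcard covers exactly one label, so '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    host_labels, pattern_labels = host.split("."), pattern.split(".")
    return len(host_labels) == len(pattern_labels) and host_labels[1:] == pattern_labels[1:]


def cert_covers(hostname, cert):
    """True if some SAN in the certificate names the host the browser typed."""
    return any(hostname_matches(hostname, san) for san in san_dns_names(cert))


def redirect_downgrades(status, location, request_scheme="https"):
    """True when an HTTPS request is answered with a redirect to an http:// URL,
    the classic symptom of a backend that ignores X-Forwarded-Proto."""
    if status not in REDIRECT_CODES or not location:
        return False
    return request_scheme == "https" and urlsplit(location).scheme.lower() == "http"


# src/href/action attributes pointing at plain http:// resources
MIXED_CONTENT = re.compile(r"""(?:src|href|action)\s*=\s*["'](http://[^"'\s>]+)""", re.IGNORECASE)


def mixed_content_urls(html):
    """http:// subresources referenced from the page; browsers mark the page
    'Not Secure' (or block the request) even though the page itself is on TLS."""
    return MIXED_CONTENT.findall(html)


def check_site(hostname, port=443):
    """Connect the way a browser would and return a list of visible problems."""
    problems = []
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((hostname, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                # the default context already rejects a name mismatch, so this
                # only reports which SAN satisfied the check
                matched = [s for s in san_dns_names(cert) if hostname_matches(hostname, s)]
                print(f"{tls.version()} handshake OK, SANs {san_dns_names(cert)}, matched {matched}")
    except ssl.SSLCertVerificationError as err:
        return [f"certificate rejected: {err}"]

    conn = http.client.HTTPSConnection(hostname, port, context=ctx, timeout=10)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    location = resp.getheader("Location")
    conn.close()
    print(f"GET / -> {resp.status}  Location: {location}")
    if redirect_downgrades(resp.status, location):
        problems.append(f"HTTPS request redirected to {location}")
    for url in mixed_content_urls(body):
        problems.append("mixed content: " + url)
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    found = check_site(host)
    print("\n".join(found) or "no browser-visible problem found")
    sys.exit(1 if found else 0)
```

Run it with the hostname as the only argument. A handshake failure points at the ALB listener or certificate (the second bullet above); a redirect to http:// or mixed content points at the instance, which in the posted nginx config forwards X-Forwarded-Proto as $scheme, i.e. "http". If the ALB-to-instance hop itself should be encrypted, switch the target group to HTTPS and give nginx a `listen 443 ssl` with its own certificate: an ALB does not validate the target's certificate, so a self-signed one is enough for encryption in transit, but that change is invisible to the browser and does not by itself remove the warning.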