We need to implement HSTS in our environment without having to install the certificates outside ACM.

Here is the configuration we currently have:

IGW > ELB > Kubernetes Nginx Instance

The SSL offload is done by the ELB through AWS Certificate Manager (ACM). So after the HTTPS traffic gets to the ELB, it is decrypted and sent to Nginx as HTTP.

Nginx has the following configuration:

 server {
        # Plain HTTP from the ELB; TLS is already terminated there with the ACM cert
        listen 80 default_server;
        # The ELB sets X-Forwarded-Proto to the scheme the client used,
        # so clients that arrived over HTTP are redirected to HTTPS
        if ($http_x_forwarded_proto = 'http'){
            return 301 https://$host$request_uri;
        }
 }

Is there a way to configure Nginx to use the certificates in the AWS Certificate Manager?

The approach we are considering is to configure the ELB to pass the traffic to Nginx through HTTPS and then create the listener on Nginx on port 443, which will then take the certificates from ACM to decrypt traffic and handle the request directly and be able to provide the HSTS header back to the browser.

From what we understand, it is either that approach or exporting certificates from ACM and installing them into Nginx, which then requires securing them in different ways. Unless there is any other way we haven't considered.

I would love to read your feedback.

Thanks, B

1 Answer

Not sure if I understand what you are trying to achieve, but to my understanding:

  • HSTS is just about adding the 'Strict-Transport-Security' header to the response. You can do it with your current structure (the ELB sends HTTP to Nginx, and Nginx adds this header).

  • I'm afraid exporting the cert from ACM and letting Nginx listen on 443 doesn't work: ACM won't allow exporting private keys, and you need that on Nginx to serve on 443.
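The answer's first point in working form, as an added example (not config from the question or the answer): the ELB keeps TLS termination with its ACM certificate, Nginx still listens on plain port 80, and Nginx emits the HSTS header itself. The header is only set when the ELB reports the client connection as HTTPS, because browsers ignore Strict-Transport-Security received over plain HTTP. The server name, max-age and upstream address are assumptions.

```nginx
# Added example: HSTS from Nginx behind an ELB that terminates TLS with ACM.
# Hostname, max-age and upstream are assumed values, not from the question.

# Map the scheme the ELB saw on the client side to the header value we want.
# $http_x_forwarded_proto is "https" or "http" as set by the ELB.
map $http_x_forwarded_proto $hsts_header {
    https   "max-age=31536000; includeSubDomains";   # one year, assumed policy
    default "";                                       # empty => header not emitted
}

server {
    listen 80 default_server;
    server_name example.com;   # assumed

    # Clients that reached the ELB over plain HTTP are redirected to HTTPS.
    # Once a browser has seen the HSTS header it upgrades on its own.
    if ($http_x_forwarded_proto = 'http') {
        return 301 https://$host$request_uri;
    }

    # Nginx skips add_header when the value evaluates to an empty string,
    # so only responses to HTTPS clients carry the header.
    # 'always' keeps it on 4xx/5xx responses too.
    add_header Strict-Transport-Security $hsts_header always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed application backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}
```

Two caveats when adapting this: `add_header` directives are not inherited by a `location` that declares its own `add_header`, so repeat the HSTS line in any such location; and the ELB must forward `X-Forwarded-Proto` (classic and application load balancers do so by default). Verify from outside with `curl -sI https://example.com | grep -i strict-transport-security` and confirm the header is absent from the plain-HTTP response.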