25 Nov 2011

SSL Load Balancing on AWS EC2

In this post I'm going to provide an overview of one of the most sought-after AWS EC2 setups: a securely load-balanced pool of instances with HTTPS on every hop from client to instance. Strictly speaking the ELB does not pass the client's TLS session straight through; it terminates that session with your CA-signed certificate and then opens a fresh TLS connection to the instance, so the traffic is encrypted on both legs, while the ELB itself handles the plaintext in between.
Not only does this give you an encrypted path end to end, it also lets you use a single CA-signed SSL certificate across multiple servers/IPs, since only the ELB has to present it.
Amazon may have their own way of doing things, but the results you can achieve with nothing more than the tools in the admin panel are really quite splendid.

The key to this is knowing that the ELB, when it connects to an instance over HTTPS without backend authentication, will happily accept a self-signed SSL cert without asking for any confirmation (a browser hitting the same instance directly would throw a certificate warning). Yes, you could put officially signed certs on every instance, but then costs add up, and why do so if you don't have to and can still get a seamless, encrypted path without shelling out big bucks? One caveat is worth spelling out: because the ELB does not validate the instance certificate, the security group rule below is what guarantees the ELB is actually talking to your instances and not to something else answering on port 443. If you want the ELB to verify the self-signed cert as well, that is what the backend authentication option is for; the rest of this post leaves it off.

So, what's the deal? Well, here's the (brief) overview:

  • Upload your official (CA-signed) certificate to the ELB and configure a listener for HTTPS on port 443 that forwards to HTTPS on port 443 on the instances (without backend authentication). The instance protocol must be HTTPS; if you leave it at the default of HTTP on port 80, the ELB terminates SSL and talks plain HTTP to your instances.
  • To lock down ELB > EC2, create an AWS security group for your instances with an entry for port 443 using amazon-elb/amazon-elb-sg as the source. This makes the instance(s) accept traffic on 443 ONLY from the ELB, so nobody can bypass the load balancer and hit an instance directly. After saving the entry you'll see it change to reference the ELB name.
  • Tie your other entries down to the source IPs that actually need them. For example my instance pool runs Ubuntu boxes with the Cherokee web server installed, so I have entries for port 22 (SSH) and port 9090 (Cherokee admin) restricted to the addresses I administer from; neither should be open to 0.0.0.0/0.
  • On your EC2 instances enable Cherokee's SSL support (libssl), make sure the server is listening on port 443 and point the certificate and key paths at your self-signed cert.
  • In your DNS config create a CNAME record for your hostname pointing at the full ELB DNS name (a CNAME, not an A record, because an ELB's IP addresses change over time).
  • Wait the usual time for DNS propagation (some providers are quicker than others).
  • Test using https://your_domain_name; if all is well your browser should show a clean, trusted HTTPS connection with no certificate warning. As a second check, confirm that https://your_instance_public_ip is refused or times out, which proves the security group is doing its job.
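The steps above amount to two things you can check mechanically: the ELB listener must be HTTPS in and HTTPS out, and the instance security group must allow 443 only from the ELB source group while keeping the admin ports off 0.0.0.0/0. The script below is an added example, not code from the original post or from AWS; it lints a load balancer and a security group described as Python dictionaries constructed to mirror the shape of `aws elb describe-load-balancers` and `aws ec2 describe-security-groups` output. The certificate ARN, the CIDRs and the names are placeholders, and the "broken" pair reproduces the HTTPS-to-HTTP:80 mistake mentioned in the first comment on this post.

```python
"""Lint a classic ELB plus instance security group for the end-to-end HTTPS
setup described in the post. Added example, not the post's own code; the
dictionaries are constructed to mirror the AWS describe-* output shape and
every ARN, CIDR and name is a placeholder."""

ELB_SOURCE = ("amazon-elb", "amazon-elb-sg")  # ELB source group in EC2-Classic
ANY_V4 = "0.0.0.0/0"
CERT_ARN = "arn:aws:iam::123456789012:server-certificate/example-com"  # placeholder


def listener(proto, lb_port, inst_proto, inst_port, cert=None):
    """Build one ListenerDescriptions entry in the API's shape."""
    lst = {"Protocol": proto, "LoadBalancerPort": lb_port,
           "InstanceProtocol": inst_proto, "InstancePort": inst_port}
    if cert:
        lst["SSLCertificateId"] = cert
    return {"Listener": lst, "PolicyNames": []}


def rule(port, cidrs=(), groups=()):
    """Build one IpPermissions entry (tcp, single port)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"UserId": u, "GroupName": g} for u, g in groups]}


# Constructed: the setup the post recommends. HTTPS 443 in, HTTPS 443 to the
# instance, no backend authentication, 443 reachable only from the ELB, and the
# SSH/Cherokee-admin ports pinned to a single administrator address.
GOOD_ELB = {"ListenerDescriptions": [listener("HTTPS", 443, "HTTPS", 443, CERT_ARN)],
            "BackendServerDescriptions": []}
GOOD_SG = {"IpPermissions": [rule(443, groups=[ELB_SOURCE]),
                             rule(22, cidrs=["203.0.113.10/32"]),
                             rule(9090, cidrs=["203.0.113.10/32"])]}

# Constructed: the mistake from the first comment (HTTPS in, plain HTTP 80 out)
# plus a security group that leaves 443 and SSH open to the whole internet.
BAD_ELB = {"ListenerDescriptions": [listener("HTTPS", 443, "HTTP", 80, CERT_ARN)],
           "BackendServerDescriptions": []}
BAD_SG = {"IpPermissions": [rule(443, cidrs=[ANY_V4]),
                            rule(22, cidrs=[ANY_V4]),
                            rule(9090, cidrs=["203.0.113.10/32"])]}


def lint_listeners(elb):
    """Check each listener for a certificate and an HTTPS hop to the instance."""
    findings = []
    # Instance ports that have a backend authentication policy attached.
    verified = {b["InstancePort"] for b in elb.get("BackendServerDescriptions", [])
                if b.get("PolicyNames")}
    for desc in elb["ListenerDescriptions"]:
        lst = desc["Listener"]
        tag = f"listener {lst['LoadBalancerPort']}"
        if lst["Protocol"] in ("HTTPS", "SSL"):
            if not lst.get("SSLCertificateId"):
                findings.append(f"ERROR {tag}: HTTPS listener has no certificate attached")
            if lst["InstanceProtocol"] not in ("HTTPS", "SSL"):
                findings.append(f"ERROR {tag}: ELB to instance hop is plaintext "
                                f"({lst['InstanceProtocol']}:{lst['InstancePort']})")
            elif lst["InstancePort"] not in verified:
                findings.append(f"WARN {tag}: instance certificate on port "
                                f"{lst['InstancePort']} is not verified (no backend "
                                "authentication policy); the security group is what "
                                "guarantees the ELB is talking to your instances")
        else:
            findings.append(f"WARN {tag}: plaintext {lst['Protocol']} listener exposed to clients")
    return findings


def lint_security_group(sg, admin_ports=(22, 9090)):
    """Check that 443 is reachable only from the ELB and admin ports are not world-open."""
    findings = []
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] == "-1":               # "all traffic" rule
            ports = range(0, 65536)
        elif perm["IpProtocol"] == "tcp":
            ports = range(perm["FromPort"], perm["ToPort"] + 1)
        else:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        groups = [(g.get("UserId"), g.get("GroupName")) for g in perm.get("UserIdGroupPairs", [])]
        if 443 in ports:
            if ANY_V4 in cidrs:
                findings.append("ERROR port 443 is open to 0.0.0.0/0; clients can bypass the ELB")
            if ELB_SOURCE not in groups:
                findings.append("ERROR port 443 rule does not use amazon-elb/amazon-elb-sg as source")
        for p in admin_ports:
            if p in ports and ANY_V4 in cidrs:
                findings.append(f"ERROR admin port {p} is open to 0.0.0.0/0")
    return findings


def lint(elb, sg):
    """All findings for one load balancer and its instance security group."""
    return lint_listeners(elb) + lint_security_group(sg)


if __name__ == "__main__":
    for name, elb, sg in (("recommended", GOOD_ELB, GOOD_SG), ("broken", BAD_ELB, BAD_SG)):
        print(f"== {name} ==")
        for finding in lint(elb, sg):
            print(" ", finding)
```

Run as-is it prints one WARN for the recommended setup (the unverified instance cert, which is the trade-off the post accepts) and four ERRORs for the broken one. To lint a real account, replace the constructed dictionaries with the `LoadBalancerDescriptions[0]` and `SecurityGroups[0]` objects from the two AWS CLI calls named above; the field names used here are the ones those calls return.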
And there you have it, job done. Cirronix offer a whole range of cloud server support covering all aspects of AWS across both Linux and Microsoft solutions; if you would like advice or assistance with anything covered in this post, or any other aspect of cloud technology or virtual server security, please feel free to get in touch.


Toronto Locksmiths said...

In this dialog, the load balancer protocol and port are set to HTTPS and 443, respectively. The instance protocol and port are still set at HTTP and 80, meaning that the ELB will talk HTTP to all of its instances.

RichBos said...

Hi, we've locked the instance down via the security group to port 443, but could also configure an on-box ufw and/or limit the web server ports; we usually find the SG config is enough though.
