
Hi – I'm a beginner with SSL/HTTPS so apologies if my terminology/understanding here are limited.

I'm running a NodeJS app which is a proxy server for multiple other servers (it's a simple load balancer, following the code in this article).

The Node app runs on port 7080. I have an AWS Elastic Load Balancer which listens on port 80 and forwards requests (via TCP) to port 7080, which all works fine.

I've been trying to add SSL support and have created a Let's Encrypt certificate for my domain (which points at the ELB endpoint). I uploaded the certificate to AWS and have added an SSL listener with the certificate, which also forwards to TCP 7080. This doesn't work – requests just time out.

In the app instructions I'm following for the Node app, it suggests configuring the app with the SSL certificate files and passing these settings on for the proxy server it creates. I tried this too but had certificate errors, which I assume was because I was loading the raw EC2 instance URL and not the loadbalancer domain (which the certificates point to). I was hoping that by terminating the SSL request at the load balancer level, I wouldn't need to configure the underlying Node app to run on SSL itself. Have I misunderstood this?

As I say above, I'm new to this and still getting my head around what's going on. Any tips would be gratefully received.

Matt Andrews

2 Answers

Argh, solved this myself. The load balancer security group didn't have port 443 open (the EC2 instance did, redundantly).

Matt Andrews

First of all you are right to say that by terminating SSL at the AWS ELB you do not need to concern yourself with configuring SSL on your NodeJS application. This is a pattern that I commonly use - you shouldn't need to configure the node app with anything to do with SSL.

Secondly - within AWS I would strongly advise that you use Amazon's Certificate Manager to create your certificates - by doing so you don't need to worry about renewals, and it's actually a great deal easier (and still free) to set up and maintain than attempting to use Let's Encrypt (which is great, but better suited to applications outside of AWS). Again, I use ACM certificates wherever I can now - in production.

Now onto trying to solve your issue.

Assuming this is working as expected on HTTP it should be simple to get it working on HTTPS.

The first things I would check:

  • ensure that you don't have a security group on your load balancer that is blocking access to port 443 (where I assume your HTTPS listener is listening). The associated security group on the ELB will need to allow access to both port 80 and port 443
  • check that you're not getting an unexpected redirect to something that is unreachable, using your browser's devtools; it might be that the connection is working as expected. curl or openssl s_client might be helpful for debugging this further
sihil