I configured my ELB to serve SSL pages by putting my certs in the ELB itself. Say the ELB serves requests for www.example.com.

At the same time I need to use SSL outside the ELB and serve some content directly from the server without passing through the ELB. In this case the requests go to web.example.com.

How can I do it and be sure that, if SSL is served by the ELB, it is offloaded from the server?

Consider that my webserver is nginx.

Thanks, C

  • If the web server is performing SSL termination, then by definition it is not also being offloaded. What you are proposing (other than that) is technically possible but has a number of other considerations. Will you explain why you want to have it both ways, please? – Michael - sqlbot Nov 28 '16 at 12:12
  • Hi @Michael - sqlbot, I want to do that because my env is set up like this: my server must serve both www and web, www from the ELB and web directly. When I call "www" I end up in the ELB, where I can have multiple machines; instead, when I call "web" I MUST be on that particular machine. When I call from www (thus passing through the ELB) I want the ELB to offload SSL from the machine; instead, when I go to web I still need SSL, but since it does not pass through the ELB I had to configure SSL in nginx too. – rollsappletree Nov 28 '16 at 12:46
  • Thank you for the clarification. The cleanest solution will be a second ELB, with only this instance associated. Instances can be associated with multiple ELBs. – Michael - sqlbot Nov 28 '16 at 17:18
  • I wonder if an ENI with a second EIP serving the direct traffic would help here. However I'm not sure @rollsappletree has thought this through fully, especially regarding the SSL / ELB offload comment. – Tim Nov 28 '16 at 18:46

2 Answers

Use something like:

# Plain HTTP vhost: the ELB terminates TLS and forwards to this port.
server {
    listen 80;
    server_name www.example.com;
    ...
}

# TLS vhost: nginx terminates TLS itself for direct (non-ELB) traffic.
server {
    listen 443 ssl;   # the "ssl" listen parameter replaces the deprecated "ssl on;"
    server_name web.example.com;
    ...
}

Point your ELB at port 80; expose web.example.com on 443. Done!... not sure you're going about this the right way, though. I'd reconsider your arch/strategy for something more sensible in terms of tiering. You almost certainly want to avoid doing SSL on your webserver if you can help it.

belial
    Worth mentioning you would be best to set up security group settings to prevent traffic from reaching the server directly other than from known good locations, especially blocking port 80 from anything other than ELB. Skipping SSL on the webserver isn't really necessary, and in some cases discouraged, as it means that protected traffic is still passing over network links unencrypted. If you deal with any financials even if your servers are never accessed directly, I'd configure backend ssl authentication to ensure traffic between instance and ELB. – KHobbits Nov 29 '16 at 01:42
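A fuller version of the two-vhost layout from this answer, written as an added example rather than belial's own config. It assumes the ELB listens on 443 and forwards to the instance's port 80, that the application itself listens on 127.0.0.1:8080, that the VPC is 10.0.0.0/8 (so only the ELB's private addresses are trusted for X-Forwarded-For), and that the certificate paths exist; all of those are placeholders. The file is meant to be dropped into conf.d and included from the main http block.

```nginx
# Added example (not from the original answer). Placeholders: 127.0.0.1:8080
# (the app), 10.0.0.0/8 (VPC range the ELB lives in), certificate paths.

# 1) Traffic that came through the ELB. TLS was already terminated on the
#    ELB, so this vhost is plain HTTP. Lock port 80 down to the ELB's
#    security group so nothing on the internet can reach this vhost directly.
server {
    listen 80;
    server_name www.example.com;

    # Trust the client address the ELB puts in X-Forwarded-For, but only
    # when the connection really comes from inside the VPC.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   X-Forwarded-For;

    # ELB health check. Kept outside "location /" so the redirect below
    # never applies to it (ELB checks send no X-Forwarded-Proto).
    location = /healthz {
        add_header Content-Type text/plain;
        return 200 "ok\n";
    }

    location / {
        # A client that hit the ELB on plain HTTP arrives with
        # X-Forwarded-Proto: http. Bounce it to HTTPS on the ELB.
        if ($http_x_forwarded_proto != "https") {
            return 301 https://$host$request_uri;
        }

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# 2) Direct traffic to this one instance: nginx terminates TLS itself.
server {
    listen 443 ssl;              # "ssl on;" is the deprecated spelling
    server_name web.example.com;

    ssl_certificate     /etc/nginx/tls/web.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/web.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# 3) Anything else that reaches :443 (e.g. a scanner hitting the instance
#    IP) gets no certificate and no handshake. Needs nginx 1.19.4 or newer;
#    on older builds use a default_server with a throwaway cert and "return 444;".
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}
```

Two things to check after reloading: `openssl s_client -connect <instance-ip>:443 -servername web.example.com` should show the web.example.com chain, while the same command without `-servername` (or with www.example.com) should fail the handshake; and `curl -H 'Host: www.example.com' http://<instance-ip>/` from outside the ELB's security group should time out, not return the redirect, which confirms the port-80 vhost is reachable only via the ELB.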
If at all possible I'd avoid bypassing the ELB. I'd also avoid the necessity for a particular URL to only be served by one host. That's an anti-pattern that builds fragile systems.

That being said, I understand that sometimes it's unavoidable. If I were building the infrastructure to solve your problem I'd use an Application Load Balancer and two Target Groups. One Target Group would have all of the hosts in it and be the default destination for the ALB. The second Target Group would have only the one host registered and I'd use an ALB rule that matched the Host to "web.example.com" to forward traffic to that Target Group.

This keeps your architecture relatively clean and allows you to make adjustments to the system as the application matures.

Jon Buys
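The ALB layout this answer describes, as an added Terraform example rather than anything from the original post. It assumes `var.vpc_id`, `var.subnet_ids`, `var.instance_ids` (every host), `var.pinned_instance_id` (the one host that must answer for web.example.com) and `var.cert_arn`, an ACM certificate whose SANs cover both www.example.com and web.example.com; all are placeholders. With this layout the instances never terminate TLS at all, so the "both ways" question disappears, and the instance security group only admits port 80 from the ALB, which is the point KHobbits raised under the first answer.

```hcl
# Added example, not code from the original answer. Assumed inputs:
# var.vpc_id, var.subnet_ids, var.instance_ids, var.pinned_instance_id,
# var.cert_arn (ACM cert covering www.example.com and web.example.com).

resource "aws_security_group" "alb" {
  name   = "alb-public"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Instances accept :80 only from the ALB's security group, so the plain-HTTP
# hop cannot be reached from the internet and no instance needs a TLS config.
resource "aws_security_group" "web" {
  name   = "web-instances"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "app" {
  name               = "app"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.subnet_ids
}

# Target group 1: every host, the default destination.
resource "aws_lb_target_group" "all" {
  name     = "all-hosts"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
  health_check {
    path = "/healthz"
  }
}

# Target group 2: only the pinned host.
resource "aws_lb_target_group" "pinned" {
  name     = "pinned-host"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
  health_check {
    path = "/healthz"
  }
}

resource "aws_lb_target_group_attachment" "all" {
  for_each         = toset(var.instance_ids)
  target_group_arn = aws_lb_target_group.all.arn
  target_id        = each.value
  port             = 80
}

resource "aws_lb_target_group_attachment" "pinned" {
  target_group_arn = aws_lb_target_group.pinned.arn
  target_id        = var.pinned_instance_id
  port             = 80
}

# One HTTPS listener terminates TLS for both names; default goes to all hosts.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.all.arn
  }
}

# Host-header rule: web.example.com is forwarded only to the pinned host.
resource "aws_lb_listener_rule" "web_host" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.pinned.arn
  }
  condition {
    host_header {
      values = ["web.example.com"]
    }
  }
}
```

The trade-off to note is that the pinned target group has a single member, so when that instance fails its health check web.example.com returns 503 from the ALB rather than failing over; that is the fragility the answer warns about, now visible in one place instead of hidden in a per-host nginx config.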