I have an AWS classic load balancer. Here are my listeners:

[screenshot of the listener configuration]

The AWS classic load balancer is doing TLS termination, and redirecting the traffic to port 30925 of my nodes.
The process listening on port 30925 is an Istio gateway, redirecting traffic afterwards based on the SNI of the request.

However, the AWS classic load balancer doesn't seem to keep the SNI of the request after TLS termination.

Is there any documentation regarding the behavior of the load balancer in that situation?
I found a couple of links talking about SNI (here for example), but they only talk about the load balancer itself handling the routing based on the SNI.

Patanouk

  • I think this is the justified behaviour as SNI is not supported for classic load balancer. You should rather switch to application and network for SNI capabilities. – Jatin Mehrotra May 31 '21 at 07:48
  • What happens to the request after the ELB terminates TLS then? Is the load balancer just sending the request to NODE-IP:INSTANCE-PORT with the content of the request? – Patanouk May 31 '21 at 08:01
  • Just pass everything over TCP, and let your targets handle the entire SSL processing, which will include SNI. – Marcin May 31 '21 at 08:11
  • @Marcin Yes, I tried this and it indeed works fine. The issue is that in that case I have to make the certificate accessible to my applications inside the nodes. It was easier for me to just set up the TLS termination on the load balancer and use self-signed certificates on my backend applications afterwards – Patanouk May 31 '21 at 08:43
  • @Patanouk If you terminate SSL on LB, nothing related to SSL is passed to targets. That's the entire point of termination - your targets do not have to care about SSL. – Marcin May 31 '21 at 09:12
  • @Marcin I understand now, thanks for your explanations. One last question though: What happens when you set up an HTTPS listener on the instance side? The load balancer is just sending the request to https://INSTANCE_IP:INSTANCE_PORT without verifying if the certificate is valid, if the host is matching etc.? – Patanouk May 31 '21 at 09:25
  • @Patanouk Usually you would use HTTP between LB and your target. If you use HTTPS, then yes, LB does not care about SSL, thus self-signed certs are fine. – Marcin May 31 '21 at 09:30
  • @Marcin Got it, thanks for the explanation. Feel free to reorganise your comments in an answer if you're interested in the checkmark, I will accept it. Else I will do it myself later today – Patanouk May 31 '21 at 09:38

1 Answer

Based on the comments.

If you terminate SSL on the load balancer (LB), SSL-related information is not carried over to your targets. To ensure full SSL forwarding to your targets, you have to use a TCP listener. This way your targets will be responsible for handling SSL, and subsequently will be able to custom process it.

Marcin
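To make the difference between the two listener types concrete, here is an added example (not code from the question or the answer). It generates a real TLS ClientHello offline with Python's `ssl` module and parses the SNI out of it, which is what an SNI-routing gateway on port 30925 receives behind a TCP listener; the plain HTTP bytes it receives after the load balancer terminates TLS carry no SNI at all. The hostname `app.example.com` is a constructed value.

```python
import ssl
import struct


def client_hello_for(hostname: str) -> bytes:
    """Build the TLS ClientHello a client would send for `hostname`, without any
    network I/O, by driving an SSL handshake through memory BIOs. With a TCP
    (pass-through) listener these are the first bytes the backend sees."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for the ServerHello
    return outgoing.read()


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None when the
    bytes are not a ClientHello (e.g. plain HTTP after TLS termination)."""
    # 0x16 = handshake record, handshake type 0x01 = ClientHello
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 43  # record header (5) + handshake header (4) + version (2) + random (32)
    pos += 1 + data[pos]                                   # session id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]      # cipher suites
    pos += 1 + data[pos]                                   # compression methods
    if pos + 2 > len(data):
        return None
    ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        pos += 4
        if ext_type == 0:  # server_name extension
            # list length (2) + name type (1) + name length (2), then the name
            name_len = struct.unpack_from("!H", data, pos + 3)[0]
            return data[pos + 5 : pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    # Constructed traffic: what the gateway sees behind each listener type.
    passthrough = client_hello_for("app.example.com")
    terminated = b"GET / HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
    print("TCP listener, SNI seen by backend:", extract_sni(passthrough))
    print("HTTPS listener (terminated), SNI seen by backend:", extract_sni(terminated))
```

After termination the only routing hint left is the HTTP Host header, so an SNI-based gateway cannot pick a route unless the listener is switched to TCP as the answer recommends.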