
On AWS, I'm hosting multiple (totally different) domains on EC2 covered by an ELB on top. I already have one wildcard SSL cert for one domain and its children (xxxx.site1.com).

So now, can I add one more single SSL cert (on the same ELB) for another, different domain, like www.site2.com?

I'm asking this because some articles say it won't work and will just crash.

Please kindly advise.

夏期劇場
  • You can now have multiple domains; simply use Amazon ACM (AWS Certificate Manager) to create a certificate with multiple domains, then use that in your ELB. https://console.aws.amazon.com/acm/ – Oct 14 '17 at 22:26

4 Answers


No. The only way you could do it is if you use a second port for HTTPS connections (other than 443), which doesn't apply to real-world scenarios since 443 is the default port for HTTPS.

Having said that, you can simply create a second ELB and assign your second wildcard certificate to it. You can also forward your traffic to the same backend server as the one the first ELB is forwarding its traffic to.

Hope this helps.

Rico
  • Yes, this makes sense. And the other way round (but not so common) is to directly apply the cert onto the instance(s). – 夏期劇場 Feb 21 '14 at 01:41
  • You could also get a SAN (Subject Alternative Name) certificate (also known as a UCC certificate) that allows you to secure multiple domains with a single SSL certificate. It might not work for you because you require a wildcard certificate, but it might help others who don't need a wildcard. Read more about SAN certs here: https://www.digicert.com/subject-alternative-name.htm – michaelrmcneill Feb 23 '15 at 20:07

Yes. But not by terminating SSL on the load balancer. You have to enable Proxy Protocol on the ELB and transparently forward TCP requests to the web server. There are more details in this article on how to configure the ELB with example NGINX configurations:

Multiple SSL domains on AWS ELB with Nginx

To enable it using the AWS CLI:

aws elb create-load-balancer-policy \
  --load-balancer-name acme-balancer \
  --policy-name EnableProxyProtocol \
  --policy-type-name ProxyProtocolPolicyType \
  --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

aws elb set-load-balancer-policies-for-backend-server \
  --load-balancer-name acme-balancer \
  --instance-port 9443 \
  --policy-names EnableProxyProtocol

aws elb describe-load-balancers --load-balancer-name acme-balancer

There is also a mod_proxy_protocol module available if you are using Apache.

This does NOT add an additional distribution layer; ELB still handles distributing the traffic and connection draining. However, SSL termination is handled by each individual server.

Garth Kerr
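In the TCP pass-through setup described in this answer, the web server behind the ELB no longer sees the client's address on the socket; it only gets it from the PROXY protocol line that the ELB prepends to each connection. The following is an added example, not code from the answer or the linked article: a parser for a PROXY protocol v1 header that honours the header only when the TCP peer is one of the load balancer's addresses. The trusted network (10.0.0.0/16) and the sample header bytes are constructed for illustration; in nginx the equivalent controls are `proxy_protocol` on the listener plus `set_real_ip_from` limited to the ELB subnets.

```python
# Added example: parse a PROXY protocol v1 line (the header ELB sends in
# TCP pass-through mode) and trust it only from known load-balancer peers.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumption: the VPC subnet(s) the ELB nodes connect from.
TRUSTED_PROXY_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# A v1 line is at most 107 bytes including the trailing CRLF.
MAX_V1_LINE = 107


@dataclass
class ProxyHeader:
    family: str      # "TCP4" or "TCP6"
    src_ip: str      # the real client address as reported by the proxy
    dst_ip: str      # the address the client connected to on the ELB
    src_port: int
    dst_port: int


class ProxyProtocolError(ValueError):
    """Raised when the header is missing or malformed; the connection should be dropped."""


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyHeader], bytes]:
    """Parse a v1 header at the start of `data`.

    Returns (header, remaining_bytes). The header is None for "PROXY UNKNOWN",
    which the spec allows when the proxy cannot report the client address.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LINE:
        raise ProxyProtocolError("no complete PROXY line within 107 bytes")
    line, rest = data[:end], data[end + 2:]
    parts = line.split(b" ")
    if len(parts) < 2 or parts[0] != b"PROXY":
        raise ProxyProtocolError("missing PROXY signature")
    if parts[1] == b"UNKNOWN":
        return None, rest
    if len(parts) != 6 or parts[1] not in (b"TCP4", b"TCP6"):
        raise ProxyProtocolError("malformed PROXY line")
    family = parts[1].decode("ascii")
    want_version = 4 if family == "TCP4" else 6
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ProxyProtocolError("ports must be decimal integers")
    try:
        src = ipaddress.ip_address(parts[2].decode("ascii"))
        dst = ipaddress.ip_address(parts[3].decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyProtocolError(f"bad address: {exc}") from exc
    # The addresses must agree with the declared family (no TCP4 line carrying IPv6).
    if src.version != want_version or dst.version != want_version:
        raise ProxyProtocolError("address family mismatch")
    src_port, dst_port = int(parts[4]), int(parts[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyProtocolError("port out of range")
    return ProxyHeader(family, str(src), str(dst), src_port, dst_port), rest


def client_address(peer_ip: str, data: bytes) -> Tuple[str, bytes]:
    """Return (address to log and rate-limit on, bytes to hand to the TLS layer).

    The PROXY line is believed only when the TCP peer is a trusted load balancer.
    Any other peer gets its socket address recorded and its bytes passed through
    untouched, so a direct connection cannot claim an arbitrary client IP.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETWORKS):
        return peer_ip, data
    header, rest = parse_proxy_v1(data)
    if header is None:
        return peer_ip, rest
    return header.src_ip, rest
```

The point for the backend is the trust decision in `client_address`: with Proxy Protocol enabled, the ELB node's address is all the socket can tell you, and the header is only as trustworthy as the rule that restricts which peers may send one.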

Since October 10th, 2017, it's possible to do this with Application Load Balancer. You can bind multiple certificates to the same secure listener on your load balancer, and ALB will automatically choose the optimal TLS certificate for each client. For more information see: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

jjanzic
  • This is an excellent option for scenarios requiring 25 or fewer certificates, with the added benefit of being able to offload SSL termination. – Garth Kerr Oct 27 '17 at 03:57
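What "choose the optimal TLS certificate for each client" amounts to is matching the host name the client sends in the TLS SNI extension against the subject alternative names of every certificate on the listener. The following is an added example, not AWS's code or documented algorithm: a simplified model of that selection using the question's own scenario (a wildcard cert for `*.site1.com` beside a single cert for `www.site2.com`). Name matching follows the usual RFC 6125 rules (a wildcard covers exactly one leftmost label and never the bare domain); the preference order (exact SAN before wildcard) and the certificate objects are assumptions made for illustration.

```python
# Added example: pick a certificate for a TLS connection from its SNI host name.
# Simplified model of SNI-based selection, not ALB's actual implementation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Certificate:
    name: str          # constructed label for logging
    sans: List[str]    # dNSName entries from subjectAltName


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: literal equality, or a single leftmost-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only "*.example.com" is accepted; "foo.*.example.com" or "f*o.example.com" are not.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count (so *.site1.com covers api.site1.com but not a.b.site1.com
    # or site1.com itself), and the client's leftmost label must be non-empty.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def select_certificate(sni: Optional[str], certs: List[Certificate],
                       default: Certificate) -> Certificate:
    """Return the certificate to present for `sni`, falling back to `default`.

    Clients that send no SNI (old TLS stacks) always get the default; that is
    why a listener still needs one certificate designated as default.
    """
    if not sni:
        return default
    best: Optional[Certificate] = None
    best_key = None
    for cert in certs:
        for san in cert.sans:
            if not name_matches(san, sni):
                continue
            # Assumed preference: an exact SAN beats a wildcard; longer names win ties.
            key = (1 if "*" in san else 0, -len(san))
            if best_key is None or key < best_key:
                best, best_key = cert, key
    return best if best is not None else default
```

Two consequences worth noting for the question as asked: `www.site2.com` is served by its own certificate even though the wildcard is also on the listener, and a deeper name such as `a.b.site1.com` is not covered by `*.site1.com`, so the client receives the default certificate and fails hostname verification; that is the failure to look for when a "wildcard" deployment suddenly throws certificate warnings for a new sub-subdomain.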

I agree with the above answer for Nginx by Garth Kerr.

In the case of Apache:

You can terminate SSL certificates either at the ELB or at the Apache/Nginx (server) level.

In the case of a multi-tenant (multi-client) architecture, we may need to support different customers (with different domains: *.abc.com, *.xyz.com) under a single ELB, which will not work in an existing ELB setup.

Solution: you can do this by adding a listener in the ELB like the one below:

TCP 443 (instead of HTTPS 443) - this will pass the 443 requests through. Then you can terminate the SSL certificates at the server level.

You have to purchase the certificates from external vendors (like GoDaddy) and install and terminate them at the server level.

E.g., the Apache virtual host looks like:

NameVirtualHost *:443
<VirtualHost *:443>
        ServerName abc.com

        ####abc HTTPS Certificate
        SSLEngine on
        SSLCertificateFile /opt/organization/site/ssl_keys/abc/abc_gd.crt
        SSLCertificateKeyFile /opt/organization/site/ssl_keys/abc/abc.pem
        SSLCertificateChainFile /opt/organization/site/ssl_keys/abc/abc_gd_bundle.crt

        WSGIScriptAlias / /opt/organization/site/deployment-config/abc.wsgi

        ServerSignature On
        Alias /media/ /opt/organization/site/media/
        <Directory /opt/organization/site/media/>
        Order deny,allow
        Allow from all
        </Directory>
</VirtualHost>

NameVirtualHost *:80
<VirtualHost *:80>
        ServerName abc.com

        #Rewrite to HTTPS in case of HTTP
        RewriteEngine On
        RewriteCond %{SERVER_NAME} abc.com
        RewriteCond %{HTTP:X-Forwarded-Proto} !https
        RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

        WSGIScriptAlias / /opt/organization/site/deployment-config/abc.wsgi
        ServerSignature On
        Alias /media/ /opt/organization/site/media/
        <Directory /opt/organization/site/media/>
        Order deny,allow
        Allow from all
        </Directory>
</VirtualHost>
Prabhath Kota