7

Is it possible to use an AWS Application Load Balancer with two-way SSL (client certificates)?

My current setup supports this using a classic ELB forwarding through TCP to a webserver endpoint. I now need to route traffic using the URL and wanted to do so using the AWS Application Load Balancer if possible.

If not, any suggestion on how to route traffic using url in AWS?

ThatChrisGuy

2 Answers

7

No, this is not supported. In order for the AWS Application Load Balancer (ALB) to route based on path it must inspect the HTTP content (application/layer 7). TCP forwarding load balancers only look at the TCP packet (layer 4) and never inspect the actual content (needed to route based on path).

Of course, a workaround would be using AWS Certificate Manager and letting it handle TLS/SSL termination for you. Then you could use the ALB to route based on path.

thun
  • Can I use AWS certificate manager to validate client certificate? – ThatChrisGuy Jan 11 '17 at 18:39
  • No this is not possible as far as I know. How many clients exist/need to connect? Can you describe the use case a bit more? – thun Jan 11 '17 at 19:24
  • Unknown number of clients, it has to scale. Anyway, I have to use client certs so I will have to use nginx or something else to route the traffic with the current setup. Thanks. – ThatChrisGuy Jan 11 '17 at 19:33
  • An alternative solution is you hit a non-https endpoint (port 80 routed over ALB) that responds with the instance's own IP address. The client can then use the IP provided to complete a two-way ssl handshake directly. If connection is lost handle errors client side and re-connect. – thun Jan 11 '17 at 20:04
2

Use either a classic load balancer or a network load balancer with the passthrough option. Application load balancers will strip the client cert out of the request.

woodwose
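The two answers together describe the working pattern: a layer-4 load balancer (classic ELB in TCP mode, or an NLB) passes the raw TLS stream through, and the backend does both the client-certificate check and the path-based routing that the ALB would otherwise have done. The nginx configuration below is an added example of that backend, not code from either answerer or from AWS; the hostname, file paths and upstream addresses are placeholders.

```nginx
# Added example: nginx sitting behind a classic ELB (TCP listener) or an NLB.
# Because the load balancer forwards raw TCP on 443, the TLS handshake, including
# the client certificate, terminates here rather than at the load balancer.

upstream api_backend { server 10.0.1.10:8080; }   # assumed internal address
upstream web_backend { server 10.0.2.10:8080; }   # assumed internal address

server {
    listen 443 ssl;
    server_name example.internal;                  # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt; # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Two-way TLS: the client must present a certificate chaining to this CA bundle.
    # "on" rejects the handshake outright on failure; "optional" would admit
    # unauthenticated clients and leave the decision to each location block.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Layer-7 routing by URL path, which the TCP load balancer in front cannot do.
    location /api/ {
        proxy_pass http://api_backend;
        # Hand the verified identity to the backend. The backend must accept these
        # headers only from nginx, since any client could otherwise forge them.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }

    location / {
        proxy_pass http://web_backend;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }
}
```

To confirm the load balancer really is passing the handshake through, connect to the public endpoint with `openssl s_client` without a client certificate: a passthrough setup should fail the handshake or return nginx's 400 "No required SSL certificate was sent", whereas an ALB in front would complete the handshake on its own and the client certificate would never reach nginx.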