
Question:

Is it possible to use WampServer3 (Apache, PHP, MySQL) to work with my Application Load Balancer over port 443? If so how?

Issue:

Currently my application load balancer is connected to my instance and I have 2 listeners, Port 80 and Port 443. The listener on port 443 has an SSL Certificate attached to it that was generated by the AWS Certificate Manager.

  • My target group that is listening on port 80 is healthy and working properly.
  • My target group that is listening on port 443 is unhealthy and timing out.

I know that port 443 is failing due to the Apache settings but I am not sure how I am supposed to enable the port in Apache.

Based on everything that I have read, Apache requires you to have the physical file and key for the SSL in order for it to allow requests through port 443. I have tried to follow the instructions without those two things but WampServer3 will not restart without them.

I feel like there has to be a way to get this to work but I have hit a wall. Perhaps I am not searching for the right thing, or I am missing an additional module that needs to be used.

TLDR: Because the SSL that is generated by the AWS Certificate Manager cannot be physically downloaded, how can I get it to work with Apache on Windows 10 without having the file or key?

EDIT

So to my understanding I need to not only put the Rewrite code below in my <VirtualHost>

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

I also need to put X-Forwarded-Proto: https at the top of my healthcheck.php page before the <html> tag? I'll keep reading about this since I don't fully understand it.

Matthew
  • If I got this right, I suggest you post that edit as an answer detailing the fix. It helps to avoid confusion for future visitors. Thank you. – Bugs Mar 13 '18 at 15:31
  • Thanks @Bugs I have posted it as an answer instead. – Matthew Mar 13 '18 at 15:35

2 Answers

You have a listener on both 80 and 443 on your load balancer. The listener on 443 has the ACM cert.

You also say that you have one target group for each listener - one on 80 which is healthy, and one on 443 which is not.

The simple answer is to use one target group for both listeners. That way the connection to your end user is secure if they come in on 443, and only internal traffic between your ALB and instances uses HTTP. That way the health check will succeed, and your users will be able to use the site.

But that's not what most people really want - they want end-to-end security, and more than likely they want to redirect from port 80 to 443.

To force everyone to use 443, you will need a redirect rule in your apache config that checks to see if the incoming connection was secure. Because SSL is terminated on the ALB, you will need to check one of the X-Forwarded header values (See this) and redirect if say X-Forwarded-Port is 80.

To ensure that end-to-end traffic is secure, you can configure your listeners to listen on port 443 instead of port 80. You can use self-signed certificates for this, and I believe that some versions of Linux come with default certs. The ALB will not do certificate validation.

Edit:

In a comment, there was a question on where to put the rewrite code:

RewriteEngine On 
RewriteCond %{HTTP:X-Forwarded-Proto} =http 
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent] 

If you have a single entry then this should work. If you have separate entries for port 80 and 443 AND you're using self-signed certs with different listeners, then you would need to put it in the port 80 virtual host entry.

chris
  • Hey Chris, I appreciate the answer. I have attempted to use this method to no avail. I believe this is due to my ELB being an Application Load Balancer and not a Classic Load Balancer. I am starting to think that it just will not work. I may try to switch it to a Classic Load Balancer though to see if that really does make a difference. – Matthew Feb 23 '18 at 19:17
  • Which parts? We use a single target group handling both 80 and 443 traffic behind an ALB all the time, with redirects on port 80 traffic. One other potential problem: some application frameworks try to determine if the connection is secure (hello, tomcat) and they need to be configured to look at the X-Forwarded headers instead of the default server variables. – chris Feb 24 '18 at 01:08
  • I think I read through that link too quickly and now I am starting to think I did not do it correctly. I attempted to use the `RewriteEngine On` `RewriteCond %{HTTP:X-Forwarded-Proto} =http` `RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]` but did not think anything else was needed. Where exactly are the X-Forwarded-Headers supposed to go? in the healthcheck.php file? or in the VirtualHost with the Rewrite? – Matthew Feb 24 '18 at 15:01
  • I did a bit of quick reading about HTTP Headers, see edit on my question. Please let me know if I am still missing a piece of the puzzle. – Matthew Feb 24 '18 at 15:13
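The setup chris describes (one target group on instance port 80, a redirect driven by X-Forwarded-Proto, and optionally a second target group on 443 with a self-signed certificate), written out as an added example that is not part of the original question or answers. It assumes Apache 2.4 as shipped with WampServer3, a site named example.com under C:/wamp64/www, an ALB in the 10.0.0.0/16 VPC range, and a health check on /healthcheck.php; all of those are placeholders to replace. It goes slightly beyond the answer in two ways: the health-check path is exempted from the redirect so the check never depends on which headers the ALB health checker happens to send, and PHP is told the request was HTTPS so that $_SERVER['HTTPS'] and any framework "is secure" logic behave correctly behind the ALB.

```apache
# Added example, not from the original thread. Drop into WampServer3's
# httpd-vhosts.conf (or httpd.conf). Hostnames, paths and the ALB subnet
# below are assumptions; adjust them to your environment.

# These modules ship with WampServer3 but may be commented out in
# httpd.conf; httpd only warns if a module is loaded twice.
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule headers_module modules/mod_headers.so
LoadModule remoteip_module modules/mod_remoteip.so

# Log the real client address instead of the ALB's, but trust
# X-Forwarded-For ONLY when the TCP peer is inside the ALB's subnet.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/16

# Target group 1: ALB -> instance port 80 (TLS terminated on the ALB).
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "C:/wamp64/www"

    RewriteEngine On

    # Serve the health check as-is, whatever headers the checker sends.
    # A 301 here would keep the target group unhealthy.
    RewriteRule ^/healthcheck\.php$ - [L]

    # After TLS termination the only evidence of the original scheme is
    # X-Forwarded-Proto. Send plain-HTTP visitors to HTTPS.
    RewriteCond %{HTTP:X-Forwarded-Proto} =http
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Tell PHP the user-facing connection was HTTPS; this sets
    # $_SERVER['HTTPS'] without any certificate on the instance.
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

    # HSTS only on responses that really went out over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

    <Directory "C:/wamp64/www">
        Require all granted
    </Directory>
</VirtualHost>

# Target group 2 (optional, end-to-end encryption): ALB -> instance port 443.
# The ALB does not validate the target certificate, so a self-signed one
# generated with openssl is enough. No redirect is needed in this host: the
# ALB only forwards to it from its own HTTPS listener.
Listen 443
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "C:/wamp64/www"

    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile    "C:/wamp64/bin/apache/ssl/selfsigned.crt"
    SSLCertificateKeyFile "C:/wamp64/bin/apache/ssl/selfsigned.key"

    <Directory "C:/wamp64/www">
        Require all granted
    </Directory>
</VirtualHost>
```

Two checks before relying on this. First, X-Forwarded-Proto is an ordinary request header: if the instance's security group lets port 80 in from anywhere, a client that connects to the instance directly can set it to https and skip both the redirect and the HTTPS=on flag, so restrict inbound 80 (and 443) on the instance to the ALB's security group; mod_remoteip already applies the same rule to X-Forwarded-For via RemoteIPInternalProxy. Second, if you enable the :443 host, point its target group's health check at HTTPS on port 443 and omit the Listen 443 line if httpd-ssl.conf already declares it.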

I ended up not using the AWS Certificate Manager at all due to the hurdles that one has to overcome in order to get it to work.

Instead I found a great resource that provides SSL Certificates for free - LetsEncrypt. I would highly recommend this solution for everyone due to the ease of use. Plus they seem to be backed by many reputable companies.

Matthew