
I am very new to load balancers. I have just set one up that listens on SSL. I also created an EC2 instance and added it to the target group of the "Application Load Balancer". The target group is also connected by SSL.

I have installed apache on the EC2 instance and placed an index.html file in the /var/www/html directory.

I would have thought typing the load balancer associated domain address (www.example.com) would route me to the index.html file of the EC2 instance (which is the only target). However, I am getting a Bad Gateway 502 error.

Initially I only had SSH inbound rule on the EC2. I opened up 443 for HTTPS but that didn't make a difference.

Do I need to install a certificate for the SSL on the EC2 as well as the load balancer? And do I need to open any additional ports?

Very new to this all and not sure how the load balancer communicates with the EC2 instance. Hoping that it would be internal so that the EC2 instance was not at all exposed in isolation.

alionthego
  • Can you access the index page via the load balancer's DNS name? – Mahdi Feb 08 '18 at 14:31
  • My load balancer is only listening on 443 so I set up an A rule on the SSL domain, which is how I connect to the load balancer. So entering that domain name should connect to the load balancer and route to the EC2 instance, but it doesn't – alionthego Feb 08 '18 at 14:35
  • Then what should happen when someone tries `http://www.example.com`? – Mahdi Feb 08 '18 at 14:37
  • 502 Bad Gateway - it goes to `https://www.example.com` – alionthego Feb 08 '18 at 14:48

2 Answers


So many things can go wrong here, but (assuming that you have correctly configured the load balancer) I think what you have should work if you add an HTTP listener to your load balancer, change your target group's protocol to HTTP (because the load balancer talks to the EC2 over HTTP), and then add something like this to your .htaccess:

RewriteEngine On
# The load balancer sets X-Forwarded-Proto to the scheme the client used,
# so redirect only when the original request came in over plain HTTP
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

You can read more here.

Mahdi
  • Thanks for your reply, however I require SSL only for security. I managed to get it to work using a different EC2 instance with a valid SSL certificate on that as well. So both the Application Load Balancer and the EC2 instance have valid SSL certs. The only port open on both is 443 SSL (and SSH). Just typing the URL for the load balancer successfully forwarded the request to the EC2 instance. – alionthego Feb 09 '18 at 01:28

Install the SSL certificate on the load balancer instead of the EC2. The EC2 does not need its own SSL certificate.

Here are the steps to add HTTPS to an Application Load Balancer:

  1. When you try to set up HTTPS inbound to the load balancer it will give you a section called "ACM"; click into that to get an SSL certificate.

  2. The ACM page will give you a section to create a new SSL certificate. You will need to input the domain name and some details; afterwards it will give you a CNAME record. You need to go to your domain's DNS settings to add that new CNAME record.

  3. Once you create an SSL certificate with ACM you'll be able to use it on the load balancer: go back to the HTTPS listener and select that new SSL certificate.

  4. Then make sure your load balancer security group allows inbound traffic on port 443.

  5. After that, HTTPS should work on the load balancer.

Note:

I would only set up HTTPS after I get HTTP working first on the load balancer and it is directing to the right EC2.

Since the target group for HTTP and HTTPS is the same, you want to make sure the target group is working before messing around with HTTPS.

That way you won't have two problems to deal with at the same time (HTTPS + incorrectly configured target groups/HTTP). It'll allow you to tackle each item step by step.

Hope that helps!
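Both answers come down to the same check: the target group protocol has to match what Apache actually speaks on the target port, and the instance security group has to let the load balancer reach that port. The script below is an added example, not code from either answer or from AWS. It flattens the JSON that `aws elbv2 describe-target-health` returns (the sample document in the block is constructed, not captured from a real account) and probes a target the way the ALB does for a given target group protocol: for an HTTPS target group it performs a TLS handshake without validating the certificate, which is why a self-signed certificate on the instance works but a plain-HTTP Apache on port 443 does not. The `demo_mismatch` function stands up a throwaway plain-HTTP listener on localhost as a stand-in for Apache without mod_ssl; the hostnames, ports and instance ID are placeholders.

```python
"""Diagnose an ALB 502: read describe-target-health output and probe a target the way
the load balancer does for the target group's protocol. Added example, not AWS code."""
import http.server
import socket
import ssl
import threading

# TargetHealth.Reason codes from the ELBv2 API and the usual cause behind each.
REASON_HINTS = {
    "Target.FailedHealthChecks": "health checks fail: wrong protocol/port on the target group, or nothing listening",
    "Target.ResponseCodeMismatch": "target answers, but not with a status the matcher accepts (default 200)",
    "Target.Timeout": "no answer: allow the target port on the instance SG from the ALB's SG",
    "Target.NotRegistered": "target is not registered with the target group",
    "Target.NotInUse": "target group is not attached to any listener",
    "Target.InvalidState": "instance is not running",
    "Elb.InitialHealthChecking": "initial health checks still running",
    "Elb.RegistrationInProgress": "registration still in progress",
}

# Constructed sample of `aws elbv2 describe-target-health` output (placeholder instance ID).
SAMPLE_TARGET_HEALTH = {"TargetHealthDescriptions": [
    {"Target": {"Id": "i-0123456789abcdef0", "Port": 443}, "HealthCheckPort": "443",
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks",
                      "Description": "Health checks failed"}}]}


def summarize_target_health(describe_output: dict) -> list:
    """Flatten describe-target-health JSON into one row per target with a hint."""
    rows = []
    for d in describe_output.get("TargetHealthDescriptions", []):
        th = d.get("TargetHealth", {})
        rows.append({"id": d["Target"]["Id"], "port": d["Target"].get("Port"),
                     "state": th.get("State"), "reason": th.get("Reason"),
                     "hint": REASON_HINTS.get(th.get("Reason"), th.get("Description", ""))})
    return rows


def probe_target(host: str, port: int, target_protocol: str, timeout: float = 5.0) -> str:
    """Connect as the ALB would for this target group protocol.

    Returns 'refused', 'timeout', 'tls-handshake-failed', 'not-http' or 'http-<status>'.
    For HTTPS target groups the ALB completes a TLS handshake but does not validate the
    certificate; a backend speaking plain HTTP on that port fails the handshake -> 502.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:                      # includes socket.timeout: SG/NACL dropping the SYN
        return "timeout"
    try:
        if target_protocol.upper() == "HTTPS":
            ctx = ssl.create_default_context()
            ctx.check_hostname = False   # mirror the ALB: no validation of the target cert
            ctx.verify_mode = ssl.CERT_NONE
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except OSError:              # SSLError, or a peer that never answers the ClientHello
                return "tls-handshake-failed"
        sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        head = b""
        while b"\r\n" not in head and len(head) < 256:
            chunk = sock.recv(256)
            if not chunk:
                break
            head += chunk
        parts = head.split()
        if not head.startswith(b"HTTP/1.") or len(parts) < 2:
            return "not-http"            # e.g. TLS records coming back on an HTTP target group
        return "http-" + parts[1].decode(errors="replace")
    except OSError:
        return "not-http"
    finally:
        sock.close()


def explain(target_protocol: str, probe_result: str) -> str:
    """Map a probe result to the first thing to fix."""
    fixes = {
        "refused": "nothing listens on that port: check Apache's Listen directive and the target group port",
        "timeout": "packets are dropped: allow the target port on the instance SG from the ALB's SG",
        "tls-handshake-failed": "HTTPS target group but the backend does not speak TLS: enable mod_ssl "
                                "with a certificate on the instance, or switch the target group to HTTP",
        "not-http": f"{target_protocol} target group but the backend did not answer with HTTP",
        "http-200": "backend is fine; check the health check path and the listener rules",
    }
    return fixes.get(probe_result, f"backend answered {probe_result}; the matcher accepts 200 by default")


class _OkHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):                    # minimal plain-HTTP stand-in for Apache without mod_ssl
        self.send_response(200); self.send_header("Content-Length", "3"); self.end_headers()
        self.wfile.write(b"ok\n")
    def log_message(self, *args): pass


class _QuietServer(http.server.ThreadingHTTPServer):
    def handle_error(self, request, client_address): pass   # ClientHello garbage is expected


def demo_mismatch() -> dict:
    """Probe a plain-HTTP localhost listener as an HTTP and as an HTTPS target group."""
    srv = _QuietServer(("127.0.0.1", 0), _OkHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        results = {"HTTP target group -> plain HTTP backend": probe_target("127.0.0.1", port, "HTTP", 2.0),
                   "HTTPS target group -> plain HTTP backend": probe_target("127.0.0.1", port, "HTTPS", 2.0)}
    finally:
        srv.shutdown(); srv.server_close()
    with socket.socket() as s:           # a port nobody listens on: Apache down or no Listen 443
        s.bind(("127.0.0.1", 0)); free_port = s.getsockname()[1]
    results["any target group -> nothing listening"] = probe_target("127.0.0.1", free_port, "HTTPS", 2.0)
    return results


if __name__ == "__main__":
    for row in summarize_target_health(SAMPLE_TARGET_HEALTH):
        print(row)
    for case, result in demo_mismatch().items():
        print(f"{case}: {result} -> {explain(case.split()[0], result)}")
```

Run it against a real instance by calling `probe_target` with the instance's private IP from a host inside the VPC (or from the instance itself against 127.0.0.1) and the protocol of the target group; the ALB's own view of the target is the `describe-target-health` output. The probe deliberately skips certificate validation because the ALB does too, so it tells you whether TLS is being spoken at all, not whether the certificate is trustworthy.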