3

I have an AWS LoadBalancer which was created using Kube, Kops and AWS. The protocol type for the ELB is TCP. This works fine for HTTP requests, meaning I can access my site at http://testing.example.com. Now I tried to add SSL to this ELB using ACM (Certificate Manager). I added my domain details, example.com and *.example.com, by requesting a public certificate. It was created successfully and domain validation also succeeded.

Then I tried to add this ssl to my ELB like below.

  • Went to my ELB and selected the ELB.
  • Then went to the Listeners tab and added SSL to it like below.

[screenshot of the Listeners tab, not reproduced]

And the ELB description is like below.

[screenshot of the ELB description, not reproduced]

I cannot access https://testing.example.com; it hangs for a few minutes and nothing happens. What is going on here? I hope for your help with this.

Marlon Brando aka Ben

2 Answers

2

In the Listener configuration, you are forwarding the default HTTP port 80 to port 30987 on the back-end server. So this tells me that the back-end server is listening for HTTP requests on port 30987.

You then added an SSL listener on the default port 443 but you are forwarding that to port 443 on the back-end server. Do you have something on your back-end listening on port 443 in addition to 30987?

The most likely fix for this is to change the SSL listener on the load balancer to forward to port 30987 on the back-end by setting that as the "Instance Port" setting.

Mark B
  • Hi @Mark B, I tried it. Then it says `Failed to create listener on port: 443. Listeners can't talk to InstancePort 30987 with secure and insecure protocols at the same time`. – Marlon Brando aka Ben Jul 02 '18 at 19:35
  • Then I tried adding `30987` as `Instance Port` and `Instance Protocol` as `TCP`, with `Load Balancer Protocol` and `Load Balancer Port` kept as they are (`SSL` and `443`). It allows me to add it, but with the same result: it doesn't work. It takes a lot of time to respond and then fails. – Marlon Brando aka Ben Jul 02 '18 at 19:45
  • I'm not sure why it is giving you that error message, but I think you need to change the first listener to HTTP instead of TCP. Then change the HTTPS back to point to `30987`. Obviously using an instance port of `443` is **NOT** going to work since you don't have anything listening on that port on the back-end server. – Mark B Jul 02 '18 at 20:03
  • Changed to `HTTP`, then the default port `80` is working fine. Then added `HTTPS` with `Instance Protocol` as `HTTPS` and port `30987`. Then it says `Failed to create listener on port: 443. Listeners can't talk to InstancePort 30987 with secure and insecure protocols at the same time`. Then added `HTTPS` with `Instance Protocol` as `HTTP` and port `30987`. It allows me to add it, but same as above: hanging for a long time and then timing out. ;) – Marlon Brando aka Ben Jul 02 '18 at 20:12
  • I guess I'm leaving out details because they are obvious to me, but instance protocol and instance port should be HTTP and `30987` for both of the listeners configured on your load balancer. Are you saying that with that configuration it times out? – Mark B Jul 02 '18 at 20:38
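The listener combinations tried in the comments above can be checked before touching the console. The script below is an added example, not code from the question or from either answer: it encodes the rule the ELB error message states (one instance port cannot be reached with secure and insecure instance protocols at the same time), the documented pairing of front-end and back-end protocol layers on a Classic ELB (HTTP/HTTPS front-ends forward to HTTP/HTTPS back-ends, TCP/SSL front-ends to TCP/SSL back-ends), and the requirement that an HTTPS or SSL front-end carries a certificate. The `Listener` class, `validate_listeners`, `to_cli_listeners` and the `CERT_ARN` placeholder are assumptions of this example; the JSON shape matches the `--listeners` argument of `aws elb create-load-balancer-listeners`.

```python
# Added example: pre-flight check for a Classic ELB listener set.
# The rules below are taken from the thread (mixed secure/insecure instance
# protocols on one instance port are rejected) and from the Classic ELB
# listener documentation (front-end and back-end protocol layers must match).
import json
from dataclasses import dataclass
from typing import List, Optional

SECURE = {"HTTPS", "SSL"}      # front-end or back-end protocols that use TLS
INSECURE = {"HTTP", "TCP"}     # plaintext counterparts
LAYER7 = {"HTTP", "HTTPS"}     # application-layer listeners (vs TCP/SSL at layer 4)


@dataclass(frozen=True)
class Listener:
    protocol: str                              # front-end protocol toward clients
    lb_port: int                               # front-end port (80, 443, ...)
    instance_protocol: str                     # protocol the ELB speaks to the back-end
    instance_port: int                         # back-end port (30987 in the question)
    ssl_certificate_id: Optional[str] = None   # ACM certificate ARN for HTTPS/SSL front-ends


def validate_listeners(listeners: List[Listener]) -> List[str]:
    """Return a list of problems; an empty list means the set looks acceptable."""
    problems = []

    # Rule from the error message: every listener pointing at one instance
    # port must use the same class (secure or insecure) of instance protocol.
    protos_by_port = {}
    for l in listeners:
        protos_by_port.setdefault(l.instance_port, set()).add(l.instance_protocol.upper())
    for port, protos in sorted(protos_by_port.items()):
        if protos & SECURE and protos & INSECURE:
            problems.append(f"InstancePort {port}: secure and insecure protocols at the same time")

    seen_lb_ports = set()
    for l in listeners:
        fp, ip = l.protocol.upper(), l.instance_protocol.upper()
        if l.lb_port in seen_lb_ports:
            problems.append(f"LoadBalancerPort {l.lb_port}: used by more than one listener")
        seen_lb_ports.add(l.lb_port)
        # Layer pairing: HTTP/HTTPS front-ends forward to HTTP/HTTPS, TCP/SSL to TCP/SSL.
        if (fp in LAYER7) != (ip in LAYER7):
            problems.append(f"LoadBalancerPort {l.lb_port}: {fp} front-end cannot forward to {ip} back-end")
        # A TLS-terminating front-end needs a certificate to present.
        if fp in SECURE and not l.ssl_certificate_id:
            problems.append(f"LoadBalancerPort {l.lb_port}: {fp} front-end needs an SSL certificate")
    return problems


def to_cli_listeners(listeners: List[Listener]) -> str:
    """JSON for `aws elb create-load-balancer-listeners --listeners`."""
    items = []
    for l in listeners:
        item = {
            "Protocol": l.protocol.upper(),
            "LoadBalancerPort": l.lb_port,
            "InstanceProtocol": l.instance_protocol.upper(),
            "InstancePort": l.instance_port,
        }
        if l.ssl_certificate_id:
            item["SSLCertificateId"] = l.ssl_certificate_id
        items.append(item)
    return json.dumps(items, indent=2)


# Constructed placeholder; substitute the ARN of the ACM certificate.
CERT_ARN = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER"

# The combination the asker reported as rejected (comment of Jul 02 '18 at 20:12).
REJECTED = [
    Listener("HTTP", 80, "HTTP", 30987),
    Listener("HTTPS", 443, "HTTPS", 30987, CERT_ARN),
]
# The combination Mark B recommends: both listeners forward as HTTP to 30987.
RECOMMENDED = [
    Listener("HTTP", 80, "HTTP", 30987),
    Listener("HTTPS", 443, "HTTP", 30987, CERT_ARN),
]

if __name__ == "__main__":
    for name, cfg in (("rejected", REJECTED), ("recommended", RECOMMENDED)):
        print(f"{name}: {validate_listeners(cfg) or 'OK'}")
    print(to_cli_listeners(RECOMMENDED))
```

The validator deliberately says nothing about whether anything listens on the instance port: the ELB accepts the asker's original `SSL 443 -> TCP 443` listener as well, and only the health check or a timeout reveals that no process is behind it.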
0

If your backend application (that sits behind the ELB) only listens on HTTP port 30987, then you need some layer of TLS termination before your app server. More food for thought on this approach: https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer

Or you need to tweak your backend app server to also listen in an HTTPS / TLS context on a different port (which you must map in your ELB configuration).

BTW, I would also suggest switching to an ALB or an NLB. More info: https://medium.com/cognitoiq/how-cognitoiq-are-using-application-load-balancers-to-cut-elastic-load-balancing-cost-by-90-78d4e980624b

Once you finish the setup of whichever suggestion you picked, run `curl -k -I https://testing.example.com/` to check whether or not you are getting blocked by the ELB.

the_marcelo_r