This is the first time that I am using a load balancer... I have spent quite a bit of time going through documentation and I am still quite confused.

I want to host my website. My website supports HTTPS only. I want to put my backend servers behind an Application Load Balancer.

I am using AWS' default VPC, I have created an ALB (myALB) and installed my SSL certificate on it. I have also created 2 EC2 instances (myBackEndServer1 & myBackEndServer2).

Questions:

  1. Should the communication between backend servers and myALB be through HTTP or HTTPS?
  2. I have created an HTTPS listener on myALB, do I also need an HTTP listener on myALB? What I want is to redirect any HTTP request to HTTPS (I believe this should happen on myALB)?
  3. I want to use External ID login (using Facebook). I have set up Facebook login to work with HTTPS only. Does the communication between Facebook and my backend servers go through myALB? I mean, I either need HTTPS on my backend servers, or the communication with Facebook should go through myALB.

I would appreciate any general advice.

Hooman Bahreini

1 Answer

  1. You can use both HTTP and HTTPS listeners.
  2. Yes, you can achieve that with ALB. You can add a rule to it that says that any request that is coming to port 80 will be redirected to port 443 on a permanent basis. Check out rules for ALB.
  3. If you make a request from your instances to Facebook, it depends on Facebook whether your communication will be encrypted, because in such a case you are a client. However, if you set up some webhook, Facebook is now a client and to communicate with you, you're gonna give your load balancer's DNS name. And due to point 2 in this list, Facebook will be forced to use TLS.

I'm not sure I fully understood your question number three, but here's something you may also find useful. ALB has some features that allow you to authenticate users with Cognito. It explicitly says that your EC2 instances can be abstracted away from any authentication, also if it makes use of Facebook ID or Google ID or whatever. Never tried though.

Vladyslav Usenko
  • Thanks a lot, so I don't need any SSL on my backend servers (SSL offloading on ALB)? My question 3 is about users who log in to a website (e.g. stackoverflow) using their Facebook account. My web server needs to send a request to a Facebook app to authenticate the user, and the Facebook app sends a response back to my server, saying this user is verified or not. My question is, does this exchange go through the load balancer (as the Facebook app that I have set up requires HTTPS). – Hooman Bahreini May 11 '19 at 10:07
  • No, you don't need SSL on your instances and yes, it will go through the load balancer. – Vladyslav Usenko May 11 '19 at 10:12
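
The port 80 to port 443 permanent redirect from point 2 of the answer, as an added example that is not part of the original thread: the default action an HTTP listener needs, plus a check that flags any HTTP listener still serving clear text. It assumes listener data in the shape returned by `aws elbv2 describe-listeners`; the function names, sample listeners and placeholder ARN are constructed for illustration.

```python
# Added example: audit ALB listeners for the HTTP -> HTTPS redirect described above.
# Input has the shape of `aws elbv2 describe-listeners` output; ARNs are placeholders.

def https_redirect_action():
    """DefaultActions entry for the port-80 listener: permanent redirect to 443."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301",
            "Host": "#{host}", "Path": "/#{path}", "Query": "#{query}",
        },
    }

def audit_listeners(listeners):
    """Return findings; an empty list means every HTTP listener redirects to HTTPS.

    Only each listener's default action is inspected, not its additional rules.
    """
    findings = []
    if not any(l["Protocol"] == "HTTPS" for l in listeners):
        findings.append("no HTTPS listener")
    for l in listeners:
        if l["Protocol"] != "HTTP":
            continue
        actions = l.get("DefaultActions", [])
        redirect = next((a for a in actions if a["Type"] == "redirect"), None)
        if redirect is None:
            kinds = ",".join(a["Type"] for a in actions) or "none"
            findings.append(f"port {l['Port']}: plain HTTP is served ({kinds})")
            continue
        cfg = redirect.get("RedirectConfig", {})
        if cfg.get("Protocol") != "HTTPS":
            findings.append(f"port {l['Port']}: redirect target is not HTTPS")
        elif cfg.get("StatusCode") != "HTTP_301":
            findings.append(f"port {l['Port']}: redirect is not permanent")
    return findings

# Constructed sample listeners (placeholder ARN, not a real resource).
FORWARD = {"Type": "forward",
           "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"}
HTTPS_443 = {"Port": 443, "Protocol": "HTTPS", "DefaultActions": [FORWARD]}
GOOD = [HTTPS_443, {"Port": 80, "Protocol": "HTTP", "DefaultActions": [https_redirect_action()]}]
BAD = [HTTPS_443, {"Port": 80, "Protocol": "HTTP", "DefaultActions": [FORWARD]}]

if __name__ == "__main__":
    for name, listeners in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_listeners(listeners) or "ok")
```
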