
Right now I have a domain (example.com) that I have hosted on Google Domains, but uses Amazon's Route 53 DNS servers, and I've created a hosted zone & registered an SSL certificate for free with ACM. So I got it to take requests for example.com and forward them to a target group (EC2 instance).

I'd like to expand this into:

  • staging.example.com
  • prod.example.com

where each has its own target group it points to.

Is this possible with an ALB? How would I encode this into the load balancer's routing rules?

(Also: would I have to re-verify the SSL cert for the subdomains?)

lollercoaster

2 Answers

You route each subdomain to a different target group using Listener Rules.

When you add a Listener Rule, set a condition for Host header and select the subdomain you want to use e.g. staging.example.com and select Forward to as your target group.


Regarding SSL, you won't need to create a new certificate as long as you have the certificate for *.example.com attached to the listener (see View/Edit certificates).

ubi
  • Unfortunately, with a listener rule on port 443 when I type in `https://staging.xxx.com/` I get the dreaded `Your connection is not private Attackers might be trying to steal your information from staging.xxxxx.com (for example, passwords, messages, or credit cards). Learn more`. My ACM wildcard domain is confirmed as well. Hm. – lollercoaster Oct 14 '19 at 18:26
  • Ah, so I was able to solve this. The load balancer listens on 443. It directs to a target group on port 80, and then the instance itself is listening on 80. This seems to work, and passes SSL cert tests along with browser (no complaints). I have to wonder though, isn't this less secure than true end-to-end HTTPS? where the server application itself receives HTTPS traffic? It seems like if an attacker was able to get behind the load balancer, then this traffic is sent in the clear. – lollercoaster Oct 15 '19 at 02:10
  • For anyone else wondering about the answer to lollercoaster's question, the answer is to generate a self-signed cert on the server and set it to listen on 443 for HTTPS, then point the target group to port 443 with HTTPS. Only browsers validate the certs. The target group doesn't care if the cert is valid or what CA issued it, only that one exists. This way you have the backend connection encrypted too. However, the browser TLS will always terminate at the load balancer, and they will have no knowledge of whether the LB->target_group->server connection is encrypted or not. – Daniel Nalbach Apr 23 '22 at 15:21

Yes, it is possible. Just create another recordset in your hosted zone (presumably the same way you did it for example.com) for staging and for prod. As for the certificate issue, you will need a wildcard certificate if you want to use the same certificate for all 3 hosts (example.com, staging.example.com and prod.example.com).

Ashaman Kingpin
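Added example (not code from either answer): the two host-header listener rules from the first answer, written in the shape boto3's `elbv2.create_rule()` accepts, with a local evaluator so you can check which target group a Host header would reach and whether the listener's certificate names cover each host, before touching the account. The ARNs and the `host_rule`, `route` and `cert_covers` helpers are constructed for this example; it also shows the caveat the second answer glosses over, that a `*.example.com` wildcard alone does not cover the apex `example.com`.

```python
"""Local model of an ALB HTTPS listener: host-header rules + default action,
plus a check of which hosts a certificate's SAN list actually covers.
All ARNs are constructed placeholders, not real resources."""
import fnmatch

STAGING_TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/staging/PLACEHOLDER"
PROD_TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/prod/PLACEHOLDER"
APEX_TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/apex/PLACEHOLDER"

def host_rule(priority, host, target_group_arn):
    """One rule body, usable as elbv2.create_rule(ListenerArn=..., **rule)."""
    return {
        "Priority": priority,
        "Conditions": [{"Field": "host-header",
                        "HostHeaderConfig": {"Values": [host]}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }

LISTENER_RULES = [host_rule(10, "staging.example.com", STAGING_TG),
                  host_rule(20, "prod.example.com", PROD_TG)]
DEFAULT_ACTION = {"Type": "forward", "TargetGroupArn": APEX_TG}  # listener default

def route(host_header):
    """Target group the listener forwards to for a given Host header.
    Rules are tried lowest priority number first; ALB host-header conditions
    ignore case and any :port suffix, and accept * and ? wildcards."""
    host = host_header.split(":")[0].lower()
    for rule in sorted(LISTENER_RULES, key=lambda r: r["Priority"]):
        for cond in rule["Conditions"]:
            if cond["Field"] != "host-header":
                continue
            if any(fnmatch.fnmatchcase(host, p.lower())
                   for p in cond["HostHeaderConfig"]["Values"]):
                return rule["Actions"][0]["TargetGroupArn"]
    return DEFAULT_ACTION["TargetGroupArn"]

def cert_covers(san_names, host):
    """Would a browser accept a certificate with these SAN entries for host?
    Per RFC 6125 a leading '*' matches exactly one DNS label, so
    *.example.com covers staging.example.com but not example.com itself."""
    host = host.lower()
    for name in (n.lower() for n in san_names):
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False
```

Whether the hop behind the load balancer is encrypted (the point raised in the comments) is decided by the target group's protocol, not by these rules, so this model says nothing about it; ACM lets you request one certificate with both `example.com` and `*.example.com` as names, which is what `cert_covers` expects for all three hosts.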