
I'm trying to configure my server so that it terminates https connections at the EC2 instances. This is all on Elastic Beanstalk, and my environment is Node.js. The connection from the client to the load-balancer is already https, but I am taking this extra measure to meet HIPAA requirements.

I feel like I followed the instructions on AWS docs to the T, but am getting a "502 Bad Gateway" error. Below are the steps I took. Please let me know if you need more information.

  1. Added secure listener on Application Load Balancer using the console. (followed instructions here)

  2. Made a self-signed certificate using OpenSSL. For "Common Name," entered the qualified domain registered with Route 53 (looks something like server.example.com). (followed instructions here)

  3. Configured nginx to listen on port 443 and terminate SSL connections using the certificate by creating a config file .ebextensions/https-instance.config (followed instructions here)

--- from here on, the contents of the config files can be found here ---

  4. Configured the secure listener on the load balancer to forward to port 443 of instances using config file .ebextensions/https-reencrypt-alb.config

  5. Configured security group of the load balancer using .ebextensions/https-lbsecuritygroup.config

  6. Configured security group of the EC2 instances using .ebextensions/https-backendsecurity.config

Thanks in advance for any help.

EDIT 1:

  • The server returns a valid response if I make a http request (i.e. http://server.example.com).
  • The security group rules are currently set so that both load balancer and instances allow All Traffic from Anywhere on all ports.
  • The error.log for nginx shows rows and rows of 2021/03/19 17:33:43 [error] 12568#0: *159 connect() failed (111: Connection refused) while connecting to upstream, client: 172.XX.XX.XX, server: , request: "GET / HTTP/1.1", upstream: "http://127.X.X.X:8081/", host: "172.XX.X.XXX" (X's are my redaction)

Comments:

  • You should be able to `ssh` into the EC2 server and run `curl --insecure https://localhost` to verify the server is running. The `--insecure` tells curl to skip validation of your self-signed certificate. If that works, then post your security group configuration. If that doesn't work, then look at your server logs to figure out why nginx didn't start up. – Mark B Mar 21 '21 at 00:26
  • Thanks for the steps. I've updated my original post to include what I've found. –  Mar 21 '21 at 01:08
  • It appears that the actual application nginx is proxying requests to is not running. – Mark B Mar 21 '21 at 12:29
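The diagnosis the comments describe, as an added example that is not code from the question, its answer or AWS: the log-parsing functions run offline against a constructed sample of nginx's error.log (the addresses in it are illustrative, not the question's), while the live checks (`ss` for the upstream port, `curl --insecure https://localhost` for nginx on 443) only run on the instance when the script is invoked with `--live`; the log path `/var/log/nginx/error.log` is an assumed default.

```shell
#!/usr/bin/env bash
# Separate "nginx is not terminating TLS" from "nginx is up but its upstream
# (the Node.js app) is not listening": the latter is what a run of
# "connect() failed (111: Connection refused) while connecting to upstream" means.
set -e

# Constructed sample of nginx's error.log for the offline checks (illustrative values).
SAMPLE_LOG='2021/03/19 17:33:43 [error] 12568#0: *159 connect() failed (111: Connection refused) while connecting to upstream, client: 172.31.10.20, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8081/", host: "172.31.5.100"
2021/03/19 17:33:44 [error] 12568#0: *160 connect() failed (111: Connection refused) while connecting to upstream, client: 172.31.10.20, server: , request: "GET /health HTTP/1.1", upstream: "http://127.0.0.1:8081/health", host: "172.31.5.100"
2021/03/19 17:33:45 [notice] 12568#0: signal process started'

# Extract the host:port nginx tried to reach (e.g. 127.0.0.1:8081) from the first
# matching line; prints nothing when no line carries an upstream field.
upstream_from_log() {
  printf '%s\n' "$1" | sed -n 's/.*upstream: "http:\/\/\([^/]*\)\/.*/\1/p' | head -n 1
}

# Count upstream refusals; "|| true" keeps grep's exit 1 on zero matches from aborting.
count_refused() {
  printf '%s\n' "$1" | grep -c '(111: Connection refused)' || true
}

# True if any TCP socket is listening on port $1 on this host (needs iproute2's ss).
port_listening() {
  ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

# Run on the instance over ssh. Order matters: prove nginx answers on 443 first
# (self-signed cert, hence --insecure), then check the upstream from the log.
live_check() {
  log_file="${1:-/var/log/nginx/error.log}"  # assumed default path
  curl --insecure --silent --output /dev/null \
       --write-out 'nginx on 443 -> HTTP %{http_code}\n' https://localhost/
  log="$(cat "$log_file")"
  echo "upstream refusals in log: $(count_refused "$log")"
  upstream="$(upstream_from_log "$log")"
  if [ -z "$upstream" ]; then
    echo "no upstream refusals recorded; the 502 is not this instance's app"
  elif port_listening "${upstream##*:}"; then
    echo "upstream $upstream is listening; check the app's own logs next"
  else
    echo "nothing listening on ${upstream##*:}: the Node.js app is down or bound elsewhere"
  fi
}

if [ "${1-}" = "--live" ]; then
  live_check "${2-}"
fi
```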

1 Answer

This article solved my problem.

I think that the issue was that, contrary to what the docs claimed, nginx wouldn't play nicely with a self-signed certificate. I used Let's Encrypt instead of self-signing an OpenSSL one.

One more thing I noticed is that the instructions in the docs might be creating the nginx config file in an outdated location. The location specified by the article cited above was effective for my Linux2 EC2.