
Linux 2 for Elastic Beanstalk written in Java

Below is my .platform/nginx/conf.d/https.conf file. When I run this, my Load Balancer defaults to ELBSecurityPolicy-2016-08. I only want ELBSecurityPolicy-TLS-1-2-2017-01 selected when I do this. What am I doing wrong?

server {
   listen 443 ssl;
   server_name  localhost;
   server_tokens off;

   access_log /var/log/nginx/ssl_access.log main;

   # access_log off;
   # ssl                  on;
   ssl_certificate      /etc/pki/tls/certs/server.crt;
   ssl_certificate_key  /etc/pki/tls/certs/server.key;

   ssl_session_timeout  5m;

   ssl_protocols  TLSv1.2;
   ssl_prefer_server_ciphers   on;

   location /subd {
      proxy_pass  http://127.0.0.1:8443/subd;
      proxy_set_header   Connection "";
      proxy_http_version 1.1;
      proxy_set_header        Host            $host;
      proxy_set_header        X-Real-IP       $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }

}
Andy P
  • If you have a load balancer, why do you use SSL on your instances? This is rarely done in practice. – Marcin Jul 17 '21 at 04:04
  • I don't understand your response. My code provided is pretty much exactly like all the examples I see on the Internet. So how is it done differently? Regarding my initial question, can it be done? – Andy P Jul 20 '21 at 13:54

1 Answer


It can be done with the load balancer, yes.

On EB, I had SSL terminating at the ELB though not on the server (80=>instance:80, 443=>instance:8443). The solution was as follows (credit fully to the author of this gist).

Current named policies for classic load balancers are on AWS' site.

Create a new file .ebextensions/change-elb-tls-policy.config:

option_settings:
  - namespace: aws:elb:policies:tlspolicy
    option_name: LoadBalancerPorts
    value: 443
  - namespace: aws:elb:policies:tlspolicy
    option_name: SSLReferencePolicy
    value: ELBSecurityPolicy-TLS-1-2-2017-01

Ian
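Added example, not part of the original question or answer: a way to confirm after deployment that the port 443 listener of the Classic Load Balancer really references ELBSecurityPolicy-TLS-1-2-2017-01 rather than ELBSecurityPolicy-2016-08. It assumes the two inputs are the parsed JSON of `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies`; the function names, the policy name `tlspolicy` and the sample data are constructed for illustration.

```python
WANTED = "ELBSecurityPolicy-TLS-1-2-2017-01"
LEGACY = ("Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1")


def audit_listener(lb_desc, policy_descs, port=443, wanted=WANTED):
    """Return (reference_policy, enabled_legacy_protocols, ok) for one listener.

    lb_desc:      one entry of "LoadBalancerDescriptions"
    policy_descs: the "PolicyDescriptions" list for the same load balancer
    """
    attached = []
    for ld in lb_desc["ListenerDescriptions"]:
        if ld["Listener"]["LoadBalancerPort"] == port:
            attached = ld.get("PolicyNames", [])
    by_name = {p["PolicyName"]: p for p in policy_descs}
    reference, legacy = None, []
    for name in attached:
        pol = by_name.get(name)
        # Only SSL negotiation policies decide protocol versions.
        if not pol or pol["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in pol["PolicyAttributeDescriptions"]}
        reference = attrs.get("Reference-Security-Policy")
        legacy = sorted(k for k in LEGACY if attrs.get(k) == "true")
    return reference, legacy, (reference == wanted and not legacy)


def sample(reference, tls10, tls11):
    """Constructed sample, trimmed to the fields the audit reads."""
    def attr(name, value):
        return {"AttributeName": name, "AttributeValue": value}
    lb = {"ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 8443},
         "PolicyNames": ["tlspolicy"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80},
         "PolicyNames": []}]}
    policies = [{"PolicyName": "tlspolicy",
                 "PolicyTypeName": "SSLNegotiationPolicyType",
                 "PolicyAttributeDescriptions": [
                     attr("Reference-Security-Policy", reference),
                     attr("Protocol-SSLv3", "false"),
                     attr("Protocol-TLSv1", tls10),
                     attr("Protocol-TLSv1.1", tls11),
                     attr("Protocol-TLSv1.2", "true")]}]
    return lb, policies
```

A result whose third element is `False` on port 443 means the listener still carries a policy that allows protocols older than TLS 1.2, or no negotiation policy was found for it.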