
I have an EC2 running some software and I've been using Certbot but we need to move away to ACM.

For ACM to work, we need Cloudfront -> ALB -> TG -> EC2. The EC2 is running on HTTP so I want the user to hit cloudfront with HTTPS and the ALB to do the translation of HTTPS to HTTP target group.

However when I go to the ALB domain (or cloudfront) I just get Connection Refused.

I followed this guide, "How to redirect HTTPS to HTTP on ELB Application Load Balancer", which said simply to create an ALB with an HTTPS listener and a TG with port 80, which is what I did.

I have a HTTPS Listener on the ALB:

(screenshot: pgadmin load balancer)

I have the target group set to port 80

(screenshot: target group settings)

Wayneio
  • Does https on alb work? Can you access your website when you use alb's url? – Marcin Aug 06 '21 at 09:38
  • No, this is the problem. I navigate to the alb domain and it has connection refused @Marcin – Wayneio Aug 06 '21 at 09:40
  • Did you setup SG on ALB? – Marcin Aug 06 '21 at 09:40
  • @Marcin good question. I have checked and all ports are open to all ips on the alb, ingress and egress – Wayneio Aug 06 '21 at 09:43
  • So only https does not work? If you try http (may need to add http listener)? – Marcin Aug 06 '21 at 09:46
  • @Marcin yeah, if I change everything to HTTP, CloudFront and ALB, the full process works. But we do not want HTTP for security, hence I am trying to enable HTTPS at the ALB end – Wayneio Aug 06 '21 at 09:47
  • Yes I understand, just want to narrow down the issue. Did you get the SSL cert properly verified for your own domain (not AWS domain)? – Marcin Aug 06 '21 at 09:49
  • @Marcin yep we use the SSL cert elsewhere in our infra so it's legit. The target group health check is also happy, so does seem to me to be between ALB and TG – Wayneio Aug 06 '21 at 09:56
  • Try to switch Route53 (or anything else you use for DNS) directly as an alias to your ALB. Also check the SG of the ALB for the ingress IP address of CloudFront https://ip-ranges.amazonaws.com/ip-ranges.json. Or open it temporarily to the world. – czende Aug 06 '21 at 10:03
  • Maybe if you run `curl -i https://` you will get some more info? – Marcin Aug 06 '21 at 10:17
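The comments above walk through the usual suspects for this path one at a time (listener, security group, certificate, target health). As an added example that is not part of the question or the comments, and not AWS code, the script below does those checks in one pass over the JSON that the AWS CLI returns for `aws elbv2 describe-listeners`, `describe-target-groups`, `describe-target-health` and `aws ec2 describe-security-groups`. The sample data is constructed; every ARN, security group id and instance id in it is hypothetical. The second sample set shows the one configuration that produces exactly a "connection refused" at the ALB: an ALB only accepts connections on ports that have a listener, so with no listener on 443 the TLS connection is reset before any security group or target group matters.

```python
"""Offline consistency checks for CloudFront -> ALB (HTTPS :443) -> target group (HTTP :80).

Added example; the dicts below mimic the shapes returned by the AWS CLI and are
constructed sample data with hypothetical identifiers.
"""
from __future__ import annotations

# Hypothetical identifiers used by the sample data.
TG_ARN = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:targetgroup/pgadmin-tg/0123456789abcdef"
CERT_ARN = "arn:aws:acm:eu-west-1:111122223333:certificate/11111111-2222-3333-4444-555555555555"
ALB_SG_ID = "sg-0123456789abcdef0"

# Constructed: the listener as the question describes it, HTTPS on 443 forwarding to the TG.
LISTENERS_OK = [
    {"Port": 443, "Protocol": "HTTPS", "Certificates": [{"CertificateArn": CERT_ARN}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
]
# Constructed: only an HTTP listener on 80 exists, so nothing listens on 443 and the ALB
# resets incoming TLS connections, which the client reports as "connection refused".
LISTENERS_HTTP_ONLY = [
    {"Port": 80, "Protocol": "HTTP", "Certificates": [],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
]
TARGET_GROUPS = [{"TargetGroupArn": TG_ARN, "Protocol": "HTTP", "Port": 80}]
TARGET_HEALTH = [{"Target": {"Id": "i-0abc12345def67890", "Port": 80},
                  "TargetHealth": {"State": "healthy"}}]
SECURITY_GROUPS = [{"GroupId": ALB_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []}]}]


def sg_allows(sg: dict, port: int) -> bool:
    """True if some ingress rule of the group covers TCP `port` from at least one source."""
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "-1":                      # "all traffic" rules carry no port range
            lo, hi = 0, 65535
        else:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        has_source = (rule.get("IpRanges") or rule.get("Ipv6Ranges")
                      or rule.get("PrefixListIds") or rule.get("UserIdGroupPairs"))
        if lo <= port <= hi and has_source:
            return True
    return False


def check_https_path(listeners, target_groups, target_health, security_groups, sg_id, port=443):
    """Return a list of findings; an empty list means the HTTPS hop looks consistent."""
    findings = []
    https = [l for l in listeners if l.get("Port") == port and l.get("Protocol") == "HTTPS"]
    if not https:
        findings.append(f"no HTTPS listener on :{port}: the ALB refuses connections on that port")
        return findings                        # nothing further on this path is reachable
    lst = https[0]
    if not lst.get("Certificates"):
        findings.append(f"HTTPS listener on :{port} has no ACM certificate attached")
    fwd = [a for a in lst.get("DefaultActions", []) if a.get("Type") == "forward"]
    if not fwd:
        findings.append(f"HTTPS listener on :{port} has no forward action")
    else:
        tg_arn = fwd[0].get("TargetGroupArn")
        tg = next((t for t in target_groups if t.get("TargetGroupArn") == tg_arn), None)
        if tg is None:
            findings.append(f"listener forwards to unknown target group {tg_arn}")
        elif (tg.get("Protocol"), tg.get("Port")) != ("HTTP", 80):
            findings.append(f"target group is {tg.get('Protocol')}:{tg.get('Port')}, "
                            "expected HTTP:80 for a plain-HTTP EC2 backend")
    sg = next((g for g in security_groups if g.get("GroupId") == sg_id), None)
    if sg is None or not sg_allows(sg, port):
        findings.append(f"security group {sg_id} has no ingress rule covering tcp/{port}")
    unhealthy = [h["Target"]["Id"] for h in target_health
                 if h.get("TargetHealth", {}).get("State") != "healthy"]
    if unhealthy:
        findings.append("unhealthy targets: " + ", ".join(unhealthy))
    return findings


if __name__ == "__main__":
    for name, ls in (("as described", LISTENERS_OK), ("http-only", LISTENERS_HTTP_ONLY)):
        result = check_https_path(ls, TARGET_GROUPS, TARGET_HEALTH, SECURITY_GROUPS, ALB_SG_ID)
        print(f"{name}: {'OK' if not result else result}")
```

To use it against a real account, load the output of the four CLI calls with `json.load` and pass the `Listeners`, `TargetGroups`, `TargetHealthDescriptions` and `SecurityGroups` lists in place of the constructed samples. The listener check runs first and short-circuits because it is the only one whose failure manifests as a refused connection; a security group that blocks 443 shows up as a timeout rather than a refusal, and a wrong target group or unhealthy target shows up as a 502/503 from the ALB.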

0 Answers