
For a single server app I want protection against DDoS and encryption in transport. From what I understand AWS ALB does the SSL mitigation on the load balancer so I can connect to the target only on HTTP. So if I want encryption in transit I cannot use ALB.

Is there a way to integrate WAF/Shield with SSL pass-through or some other way to get encryption in transport with WAF/Shield integrated?

Thanks

Nir

1 Answer


AWS provides the option to create an HTTPS listener for your ALB; more details can be found in: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

Add an HTTPS listener

You configure a listener with a protocol and a port for connections from clients to the load balancer, and a target group for the default listener rule. For more information, see Listener configuration.

Prerequisites

To add a forward action to the default listener rule, you must specify an available target group. For more information, see Create a target group.

To create an HTTPS listener, you must specify a certificate and a security policy. The load balancer uses the certificate to terminate the connection and decrypt requests from clients before routing them to targets. The load balancer uses the security policy when negotiating SSL connections with the clients.

To add an HTTPS listener using the console

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

On the navigation pane, under LOAD BALANCING, choose Load Balancers.

Select a load balancer, and choose Listeners, Add listener.

For Protocol : port, choose HTTPS and keep the default port or enter a different port.

(Optional) To authenticate users, for Default actions, choose Add action, Authenticate and provide the requested information. To save the action, choose the checkmark icon. For more information, see Authenticate users using an Application Load Balancer.

For Default actions, do one of the following:

Choose Add action, Forward to and choose a target group.

Choose Add action, Redirect to and provide the URL for the redirect. For more information, see Redirect actions.

Choose Add action, Return fixed response and provide a response code and optional response body. For more information, see Fixed-response actions.

To save the action, choose the checkmark icon.

For Security policy, we recommend that you keep the default security policy.

For Default SSL certificate, do one of the following:

If you created or imported a certificate using AWS Certificate Manager, choose From ACM and choose the certificate.

If you uploaded a certificate using IAM, choose From IAM and choose the certificate.

Choose Save.

(Optional) To define additional listener rules that forward requests based on a path pattern or a hostname, see Add a rule.

(Optional) To add a certificate list for use with the SNI protocol, see Add certificates to the certificate list.

To add an HTTPS listener using the AWS CLI

Use the create-listener command to create the listener and default rule, and the create-rule command to define additional listener rules.

Rshad Zhran
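The answer ends with the CLI route (create-listener). As an added example, not code from the answer or from AWS, the script below strings that step together with a target group whose own protocol is HTTPS, which is the part that matters for the question: the ALB terminates TLS with the ACM certificate (so WAF can inspect requests) and then opens a fresh TLS connection to the target, so traffic is encrypted on both legs without needing pass-through. All ARNs and IDs are placeholders; the final WAFv2 association and the existence of a regional web ACL are assumptions beyond what the answer shows. No --ssl-policy is passed, so the default security policy the answer recommends applies.

```shell
#!/bin/sh
# Added example: HTTPS listener + HTTPS target group + WAF association.
#
#   client --TLS--> ALB (terminates with the ACM cert) --TLS--> target
#
# The backend must itself serve TLS on the target group port. All ARNs
# and IDs below are placeholders. DRY_RUN=1 (default) only prints the
# commands; DRY_RUN=0 executes them (needs the AWS CLI and credentials).

: "${DRY_RUN:=1}"

# Placeholder identifiers (constructed, not real resources)
ALB_ARN="arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/my-alb/PLACEHOLDER"
CERT_ARN="arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
WEB_ACL_ARN="arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/my-acl/PLACEHOLDER"
VPC_ID="vpc-PLACEHOLDER"

# Target group over HTTPS: the ALB re-encrypts towards each target and
# also runs its health checks over TLS.
# $1 = target group name, $2 = port the backend serves TLS on
target_group_cmd() {
    printf '%s' "aws elbv2 create-target-group --name $1 --protocol HTTPS --port $2 --vpc-id $VPC_ID --target-type instance --health-check-protocol HTTPS --query 'TargetGroups[0].TargetGroupArn' --output text"
}

# HTTPS listener on 443 (the create-listener step from the answer).
# No --ssl-policy: the default security policy applies.
# $1 = target group ARN to forward to
https_listener_cmd() {
    printf '%s' "aws elbv2 create-listener --load-balancer-arn $ALB_ARN --protocol HTTPS --port 443 --certificates CertificateArn=$CERT_ARN --default-actions Type=forward,TargetGroupArn=$1"
}

# Attach an existing regional WAFv2 web ACL to the ALB (assumed to exist).
waf_associate_cmd() {
    printf '%s' "aws wafv2 associate-web-acl --web-acl-arn $WEB_ACL_ARN --resource-arn $ALB_ARN"
}

# Print (dry run) or execute a command.
# $1 = command string, $2 = placeholder stdout to emit in dry-run mode
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "DRY RUN: $1" >&2
        [ -n "$2" ] && echo "$2"
        return 0
    fi
    eval "$1"
}

main() {
    # create-target-group returns the ARN the listener's forward action needs
    tg_arn=$(run "$(target_group_cmd app-tls-tg 443)" "arn:tg-PLACEHOLDER")
    run "$(https_listener_cmd "$tg_arn")" ""
    run "$(waf_associate_cmd)" ""
}
main
```

Run it as-is to see the three commands on stderr; set DRY_RUN=0 only after replacing the placeholders. The design choice worth noting is the HTTPS target group: with an HTTP target group the client-to-ALB leg is encrypted but the ALB-to-target leg is plaintext, which is exactly the gap the question describes.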