Application Load Balancer (ELBv2) SSL pass through

半城伤御伤魂 submitted on 2021-02-05 20:54:11

Question


I am trying to configure an AWS Application Load Balancer (vs. a Classic Load Balancer) to distribute traffic to my EC2 web servers. For compliance reasons I need end to end SSL/HTTPS encryption for my application.

It seems to me the simplest way to ensure that traffic is encrypted the entire way between clients and the web servers is to terminate the HTTPS connection on the web servers.

My first question: Is it possible to pass through HTTPS traffic through an AWS Application Load Balancer to the web servers behind the load balancer in this manner?

From what I've gathered from the AWS documentation, it is possible to pass traffic through in this manner with a Classic Load Balancer (via TCP pass through). However, the Application Load Balancer looks like it wants to terminate the HTTPS connection itself, and then do one of the following:

  • send traffic to the web servers unencrypted, which I can't do for compliance reasons
  • create a new HTTPS connection to the web servers, which seems like extra work load

My second question: is that understanding of the documentation correct?


Answer 1:


Terminating the SSL connection at the web servers requires you to change the load balancer listener from HTTPS to TCP. ALB doesn't support this, only classic ELB. Further, if you were terminating the SSL at the web server the load balancer wouldn't be able to inspect the request since it wouldn't be able to decrypt it, so it wouldn't be able to do all the fancy new routing stuff that the ALB supports.

If you actually want to use an ALB for the new features it provides, and you need end-to-end encryption, you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers. The web server certificate could be something like a self-signed cert since only the ALB is going to see that certificate, not the client.

I assume you need end-to-end encryption for compliance reasons (PCI, HIPAA, etc.). Otherwise there isn't a very compelling reason to go through the hassle of setting it up.
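The configuration the answer describes (HTTPS listener on the ALB, HTTPS target group, any certificate on the instances) is what an auditor ends up checking for. The script below is an added example, not code from the question or answer: it takes the JSON shapes returned by `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` and flags every listener/target-group pair that leaves a plaintext hop, either on the client side (an HTTP listener that forwards rather than redirects) or on the backend side (a forward to a target group whose protocol is HTTP). The sample data is constructed for the example and the ARNs are placeholders. One caveat worth knowing before relying on a self-signed backend certificate: the ALB encrypts the hop to the targets but does not validate the target's certificate, so that hop is encrypted but not authenticated, which is usually acceptable inside a VPC but should be stated in the compliance write-up.

```python
"""Audit Application Load Balancer listeners for end-to-end TLS.

Added example, not part of the original post. Input is the JSON that
`aws elbv2 describe-listeners --load-balancer-arn ...` and
`aws elbv2 describe-target-groups --load-balancer-arn ...` print; the
sample below is constructed and the ARNs are placeholders.
"""
import json

# Constructed sample: four listeners on one ALB.
#   443  HTTPS -> HTTPS target group        (end-to-end encrypted, OK)
#   8443 HTTPS -> HTTP target group         (plaintext ALB -> target hop)
#   80   HTTP  -> redirect to HTTPS         (no forward, OK)
#   8080 HTTP  -> HTTPS target group        (plaintext client -> ALB hop)
ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
TG_HTTPS = ARN + "targetgroup/web-https/1111111111111111"
TG_HTTP = ARN + "targetgroup/web-http/2222222222222222"

SAMPLE_LISTENERS = json.dumps({"Listeners": [
    {"ListenerArn": ARN + "listener/app/web/aaaa/0001", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_HTTPS}]},
    {"ListenerArn": ARN + "listener/app/web/aaaa/0002", "Protocol": "HTTPS", "Port": 8443,
     "DefaultActions": [{"Type": "forward",
                         "ForwardConfig": {"TargetGroups": [{"TargetGroupArn": TG_HTTP, "Weight": 1}]}}]},
    {"ListenerArn": ARN + "listener/app/web/aaaa/0003", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": ARN + "listener/app/web/aaaa/0004", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_HTTPS}]},
]})

SAMPLE_TARGET_GROUPS = json.dumps({"TargetGroups": [
    {"TargetGroupArn": TG_HTTPS, "TargetGroupName": "web-https", "Protocol": "HTTPS", "Port": 443,
     "HealthCheckProtocol": "HTTPS"},
    {"TargetGroupArn": TG_HTTP, "TargetGroupName": "web-http", "Protocol": "HTTP", "Port": 80,
     "HealthCheckProtocol": "HTTP"},
]})


def _forward_targets(action):
    """Return every target-group ARN a forward action can send traffic to.

    A forward action carries either a single TargetGroupArn or a weighted
    ForwardConfig.TargetGroups list; redirect/fixed-response actions carry none.
    """
    if action.get("Type") != "forward":
        return []
    arns = [action["TargetGroupArn"]] if action.get("TargetGroupArn") else []
    arns += [tg["TargetGroupArn"] for tg in action.get("ForwardConfig", {}).get("TargetGroups", [])]
    return arns


def audit_end_to_end(listeners_json, target_groups_json):
    """Return (listener_port, code, detail) findings for every plaintext hop.

    Only DefaultActions are inspected; listener rules come from a separate
    `describe-rules` call and would be folded in the same way.
    """
    listeners = json.loads(listeners_json)["Listeners"]
    tgs = {tg["TargetGroupArn"]: tg for tg in json.loads(target_groups_json)["TargetGroups"]}
    findings = []
    for lst in listeners:
        port = lst["Port"]
        forwards = [arn for a in lst.get("DefaultActions", []) for arn in _forward_targets(a)]
        # Client -> ALB hop: an HTTP listener is fine only if it never forwards.
        if lst["Protocol"] != "HTTPS" and forwards:
            findings.append((port, "CLIENT_PLAINTEXT",
                             f"{lst['Protocol']} listener forwards traffic instead of redirecting"))
        # ALB -> target hop: the target group protocol must be HTTPS.
        for arn in forwards:
            tg = tgs.get(arn)
            if tg is None:
                findings.append((port, "UNKNOWN_TARGET_GROUP", arn))
            elif tg["Protocol"] != "HTTPS":
                findings.append((port, "BACKEND_PLAINTEXT",
                                 f"target group {tg['TargetGroupName']} is {tg['Protocol']}:{tg['Port']}"))
    return findings


if __name__ == "__main__":
    for port, code, detail in audit_end_to_end(SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS):
        print(f"listener :{port}  {code}  {detail}")
```

Run it against real output by piping the two `describe-*` results into `audit_end_to_end`; an empty list means every listener that forwards does so from HTTPS to an HTTPS target group, which is the configuration the answer recommends.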



Source: https://stackoverflow.com/questions/42027582/application-load-balancer-elbv2-ssl-pass-through
