How to configure SSL, for example, inside ELB and exchange data with a node instance outside ELB

I created an architecture on AWS (I hope this isn't wrong) using ELB, autoscaling, RDS, and one node EC2 instance outside of the ELB. Now I do not understand how I can implement SSL in this architecture.

Let me briefly explain this:

  • I created one classic load balancer.
  • Created an autoscaling group.
  • Assigned instances to the autoscaling group.
  • And finally, I created one instance that I use for node, and this is outside the load balancer and autoscaling group.

Now that I have applied SSL to my load balancer, the internal instances communicate with the node instance via an HTTP request, and because the node instance is outside of the load balancer, the request is blocked.

Can someone please help me implement SSL for this architecture?

Sorry if you are confused by my architecture; if there is a better architecture, please let me know so that I can change mine.

Thanks,

+5
3 answers

When you have static content, it is best to serve it from CloudFront using an S3 bucket as the origin.

About SSL, you can set up SSL at the ELB level; follow the documentation.

Your ELB listens on two ports, 80 and 443, and talks to your ASG instances only on port 80. Therefore, when secure requests arrive at the ELB, it forwards them to your server (EC2 in the ASG). Then your server, listening on port 80, receives the request; if the request has X-FORWARDED-PROTO: HTTPS, the server does nothing, otherwise it sets it and redirects / rewrites the URL to the secure one, and the process restarts.

Hope this helps, and be careful with ERR_TOO_MANY_REDIRECTS.

+2

Have you considered using an Application Load Balancer with two target groups and a listener rule?

If the single EC2 instance simply hosts static content and serves it under a common path (e.g. /static), then everything can sit behind one load balancer with one certificate that you can configure with ACM.

0

"because the node instance is out of load balancing, so the request is blocked."

If they are in the same VPC, you should check the security group that you assigned to your instances. In particular, you want to allow connections on ports 443 and/or 80 on the standalone instance from the security group assigned to the load-balanced instances; call this "sg-load_balancer" (check your AWS console to see what the actual security group identifier is).

To check this, select the security group of the standalone instance and look at the tabs at the bottom of the page. Go to the Inbound tab. You should see a set of rules... You want to make sure that there are rules for HTTP and/or HTTPS, and instead of putting an IP address in "Source", set the security group of the load-balanced instances. It starts with sg-, and the console will show you a drop-down list of valid entries.

If you do not see the security group of the load-balanced instances, there is a good chance that they are not in the same VPC. To check, open the console and find the VPC ID on each node. It will start with vpc_. They must be the same. If not, you will have to configure rules and routing tables to allow traffic between them... For more detail, take a look at a similar problem to get some ideas on how to solve this: Allow Amazon VPC A to switch to a new private subnet on VPC B?

0

Source: https://habr.com/ru/post/1270986/
