I am building an application with some pretty secret TLS and caching requirements, and I am using a stack that looks like this:
     HTTPS              HTTP
  Nginx (443)       Varnish (80)
       |                 |
  Varnish (80)      Nginx (8080)
        \               /
         AWS ALB (80)
              |
   ECS Pool (Docker) - Apache/80
(I have Nginx listening on 8080 between Varnish and ALB because Varnish does not handle DNS queries with multiple / changing IP addresses as easily as Nginx.)
The problem is the HTTPS request path: basically, Nginx sets X-Forwarded-Proto: https, and then I have Varnish VCL to safely pass this to ALB. But ALB seems to strip the header and replace it with its own (which becomes X-Forwarded-Proto: http), and then the backend application on the ECS servers sees http and writes all resource links / paths as http, causing a warning about insecure mixed content in Safari, Chrome, etc.
, , , - Varnish, TLS- ALB , :
     HTTPS              HTTP
  Nginx (443)       Varnish (80)
       |                 |
 AWS ALB (443)      AWS ALB (80)
        \               /
         \             /
   ECS Pool (Docker) - Apache/80
... , Varnish HTTPS-. , , , ALB Varnish vmod - (Lambda ..), ECS Docker...
AWS ALBs/ELBs - ? , , , HTTPS ALB. , SNI, ... : (
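
The header handling described in the question, as an added example that is not part of the original post: a small Python model of the hops (edge proxy, pass-through cache, ALB on an HTTP listener, Apache backend) showing where `X-Forwarded-Proto: https` is lost and how a separate header set at the edge survives. The header name `X-Edge-Proto` and all function names are assumptions made for this illustration; the ALB behaviour is modelled as the post describes it.

```python
# Added illustration: models the hops from the post, not real Nginx/Varnish/ALB code.
# X-Edge-Proto is a hypothetical header name chosen for this example.
EDGE_HEADER = "X-Edge-Proto"
CONTROLLED = ("x-forwarded-proto", EDGE_HEADER.lower())


def edge(client_headers, scheme):
    """First hop (Nginx:443 or Varnish:80): discard any client-supplied
    scheme headers, then record the scheme this hop actually terminated."""
    out = {k: v for k, v in client_headers.items() if k.lower() not in CONTROLLED}
    out["X-Forwarded-Proto"] = scheme
    out[EDGE_HEADER] = scheme
    return out


def passthrough(headers):
    """Middle hop (Varnish:80 or Nginx:8080): forwards headers unchanged."""
    return dict(headers)


def alb(headers, listener_scheme="http"):
    """ALB: replaces X-Forwarded-Proto with the scheme of its own listener,
    leaving headers it does not manage untouched."""
    out = dict(headers)
    out["X-Forwarded-Proto"] = listener_scheme
    return out


def backend_scheme(headers, trust_edge_header):
    """Scheme the Apache application uses when it writes resource links."""
    if trust_edge_header and headers.get(EDGE_HEADER) in ("http", "https"):
        return headers[EDGE_HEADER]
    return headers.get("X-Forwarded-Proto", "http")


def request(client_headers, scheme, trust_edge_header):
    """Send one request through edge -> pass-through -> ALB (port 80) -> backend."""
    hops = alb(passthrough(edge(client_headers, scheme)))
    return backend_scheme(hops, trust_edge_header)


if __name__ == "__main__":
    # Constructed sample requests.
    print(request({}, "https", trust_edge_header=False))  # behaviour from the post
    print(request({}, "https", trust_edge_header=True))   # edge header survives
    print(request({"X-Edge-Proto": "https"}, "http", trust_edge_header=True))
```

The backend should honour such a header only if it is reachable solely through the proxy chain, since any client that can reach it directly could set the header itself.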