Is your NLB doing the SSL offloading? So HTTPS is coming in the front on port 443, the NLB decrypts the traffic, and sends plain HTTP out of the back https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
If this is what's happening then this needs to be directed to the plain HTTP port 80 on the EC2, not to port 443 which is expecting HTTPS.
Probably not related, but you've got a single server process listening for HTTP & HTTPS and while this is legal and should work as long as the syntax is correct, consider breaking it into two separate servers:
server {
    listen 80;
    server_name myserver.example.com;
    # plain HTTP on 80: redirect everything to the HTTPS server block
    return 301 https://myserver.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name myserver.example.com;
    ssl_certificate /path/to/my/cert;
    ssl_certificate_key /path/to/my/key;
    [ any other config ]
}
The error indicates the outbound communication from the NLB doesn't use TLS.
To send traffic using TLS from the NLB to your target group you must set the target group protocol to TLS.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type:~:text=a%20target%20group-,Routing%20configuration,-By%20default%2C%20a
If a target group is configured with the TLS protocol, the load balancer establishes TLS connections with the targets using certificates that you install on the targets.
You also have the option of creating an NLB that passes through encrypted traffic without decrypting it by creating a TCP listener and setting the port to 443. See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html#:~:text=Network%20Load%20Balancer-,Listener%20configuration,-Listeners%20support%20the
With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.
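Both answers come down to one check: does the protocol the NLB sends on the back-end hop (plaintext after TLS termination, or TLS with a TLS target group or TCP passthrough) match what the target port actually answers with? The script below is an added example, not code from either answer and not AWS or nginx code. The function names (`expected_backend_scheme`, `classify_first_bytes`, `diagnose`, `probe_plaintext`) and the listener/target-group-to-wire-format mapping are my own assumptions drawn from the docs linked above; the sample responses are constructed, and `probe_plaintext` is the only part that touches the network.

```python
"""Added diagnostic (assumption-based, not AWS or nginx code): check whether
the protocol an NLB sends to its targets matches what the target port speaks.
"""
import socket

# Constructed sample responses for the offline self-check.
# What nginx returns when plaintext HTTP hits a `listen 443 ssl` port.
NGINX_PLAIN_ON_TLS_PORT = (
    b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>400 The plain HTTP request was sent to HTTPS port</title>"
    b"</head></html>"
)
# A TLS alert record: content type 0x15, version 3.3, 2-byte body (fatal, handshake_failure).
TLS_ALERT_RECORD = b"\x15\x03\x03\x00\x02\x02\x28"
PLAIN_HTTP_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def expected_backend_scheme(listener_protocol: str, target_protocol: str) -> str:
    """What the target port must speak for a listener/target-group pair.

    Assumption (from the linked AWS docs): TLS listener + TCP target group means
    the NLB terminates TLS and forwards plaintext; TLS + TLS means the NLB opens
    a new TLS session to the target; TCP + TCP is passthrough, so the target
    sees whatever the client sent (HTTPS when the listener is on 443).
    """
    pair = (listener_protocol.upper(), target_protocol.upper())
    if pair == ("TLS", "TCP"):
        return "http"
    if pair in (("TLS", "TLS"), ("TCP", "TCP")):
        return "https"
    raise ValueError(f"unsupported listener/target combination: {pair}")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server returns after a plaintext HTTP request.

    'tls'               - a TLS record header (alert/handshake/app data, major version 3)
    'http-on-tls-port'  - nginx's complaint about plaintext on an ssl port
    'http'              - any other HTTP response
    'unknown'           - nothing recognisable (empty read, other protocol)
    """
    if len(data) >= 3 and data[0] in (0x15, 0x16, 0x17) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"HTTP/"):
        if b"plain HTTP request was sent to HTTPS port" in data:
            return "http-on-tls-port"
        return "http"
    return "unknown"


def diagnose(listener_protocol: str, target_protocol: str, observed: str) -> str:
    """Compare what the NLB sends with what the target port was observed to expect."""
    if observed == "unknown":
        return "inconclusive: no recognisable HTTP or TLS reply from the target port"
    expected = expected_backend_scheme(listener_protocol, target_protocol)
    target_is_tls = observed in ("tls", "http-on-tls-port")
    if expected == "http" and not target_is_tls:
        return "ok: NLB forwards plaintext and the target port serves plain HTTP"
    if expected == "https" and target_is_tls:
        return "ok: the target port expects TLS and the back-end hop carries TLS"
    if expected == "http":
        return ("mismatch: NLB forwards plaintext HTTP but the target port expects TLS; "
                "point the target group at the plain HTTP port (80) or switch the target group to TLS")
    return ("mismatch: the back-end hop carries TLS but the target port answers plain HTTP; "
            "enable ssl on that port with a certificate, or use a TLS listener with a TCP target group")


def probe_plaintext(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a plaintext HTTP request straight to a target (bypassing the NLB)
    and classify the reply. Network call; not used by the self-check."""
    req = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        data = s.recv(512)
    return classify_first_bytes(data)


def self_check() -> dict:
    """Run classifier and diagnosis over the constructed responses above."""
    return {
        "nginx_400": diagnose("TLS", "TCP", classify_first_bytes(NGINX_PLAIN_ON_TLS_PORT)),
        "tls_alert": diagnose("TLS", "TLS", classify_first_bytes(TLS_ALERT_RECORD)),
        "plain_ok": diagnose("TLS", "TCP", classify_first_bytes(PLAIN_HTTP_OK)),
    }


if __name__ == "__main__":
    for name, verdict in self_check().items():
        print(f"{name}: {verdict}")
```

The `nginx_400` case is the situation from the first answer: the NLB has terminated TLS and forwards plaintext, but the target group points at nginx's `listen 443 ssl` port, so nginx answers with its "plain HTTP request was sent to HTTPS port" error. Run `probe_plaintext(<target-ip>, 443)` from a host that can reach the target directly and feed the result to `diagnose` with the listener and target-group protocols shown in the console.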
Hey, thanks for the reply. So I tried to follow the steps and it worked in my dev environment: I built one flow which has an NLB in front directing to an Nginx server, and that Nginx acts as a reverse proxy to an Apache server. It works when I add a separate server. But in my actual application, we are deploying was viya and it is on EKS; we are launching our app and it is creating all the configurations in the backend, like the nginx config, NLB config and target group. So now I want to understand how I can update nginx there, because I can't update my nginx config as it is in pods and not recommended.