How can I resolve the "400 Bad Request: The plain HTTP request was sent to HTTPS port" issue on an nginx server?

0

Hi, we have created one nginx server on an EC2 instance and configured a self-signed certificate on that server. I have also configured the /etc/nginx/sites-available/default file with SSL configuration; please find a snapshot of the configuration: nginx-server-config

I have mentioned the path for the SSL certificate which I generated using openssl.

I have kept an NLB in front of it, created one domain for it and attached a certificate to it; I generated the certificate for the domain from ACM. The target group is healthy and has as its target the instance which has nginx installed, targeting port 443.

My NLB has listener as TLS:443

But I am still getting this error when trying to access the Nginx default page through the domain. Can anyone please tell me what the possible solution for it is?

2 Answers
0

Is your NLB doing the SSL offloading? So HTTPS is coming in the front on port 443, the NLB decrypts the traffic, and sends plain HTTP out of the back: https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/

If this is what's happening then this needs to be directed to the plain HTTP port 80 on the EC2, not to port 443 which is expecting HTTPS.

Probably not related, but you've got a single server process listening for HTTP & HTTPS and while this is legal and should work as long as the syntax is correct, consider breaking it into two separate servers:

server {
    listen 80;
    server_name myserver.example.com;
    return 301 https://myserver.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name myserver.example.com;

    ssl_certificate /path/to/my/cert;
    ssl_certificate_key /path/to/my/key;

    # any other config
}
EXPERT
Steve_M
answered 7 months ago
  • Hey, thanks for the reply. I tried to follow the steps and it worked in my dev environment: I built one flow which has an NLB in front directing to the Nginx server, with that nginx acting as a reverse proxy to an Apache server. It works when I add a separate server. But in my actual application, we are deploying SAS Viya and it is on EKS; we are launching our app and it is creating all the configurations in the backend, like the nginx config, NLB config and target group. So now I want to understand how I can update nginx there, because I can't update my nginx config as it is in pods and that is not recommended.

0

The error indicates the outbound communication from the NLB doesn't use TLS.

To send traffic using TLS from the NLB to your target group you must set the target group protocol to TLS https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type:~:text=a%20target%20group-,Routing%20configuration,-By%20default%2C%20a

If a target group is configured with the TLS protocol, the load balancer establishes TLS connections with the targets using certificates that you install on the targets.

You also have the option of creating an NLB that passes through encrypted traffic without decrypting it by creating a TCP listener and setting the port to 443. See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html#:~:text=Network%20Load%20Balancer-,Listener%20configuration,-Listeners%20support%20the

With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.

AWS
answered 7 months ago
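
The two answers above come down to one check: what the NLB sends to the target must match what the target port expects. The following is an added example, not code from either answerer or from AWS; it walks data shaped like the output of `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` and flags the mismatch. The sample data, the placeholder ARN and the `tls_ports` input (the ports where nginx has `listen ... ssl`) are constructed assumptions, and only TCP and TLS listeners are handled.

```python
PLAIN_TO_TLS = "plain HTTP sent to a TLS port (nginx answers 400)"
TLS_TO_PLAIN = "TLS sent to a plain HTTP port"

def sample(listener_proto, tg_proto, tg_port):
    """Constructed sample in the shape of the two describe-* outputs."""
    arn = "arn:placeholder:targetgroup/nginx"  # placeholder, not a real ARN
    listeners = {"Listeners": [{"Protocol": listener_proto, "Port": 443,
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": arn}]}]}
    groups = {"TargetGroups": [{"TargetGroupArn": arn,
        "Protocol": tg_proto, "Port": tg_port}]}
    return listeners, groups

def audit(listeners, target_groups, tls_ports, client_uses_tls=True):
    """Return (listener proto, target group proto, target port, verdict) per hop."""
    groups = {g["TargetGroupArn"]: g for g in target_groups["TargetGroups"]}
    findings = []
    for lst in listeners["Listeners"]:
        for action in lst.get("DefaultActions", []):
            tg = groups.get(action.get("TargetGroupArn"))
            if tg is None:
                continue
            if lst["Protocol"] == "TLS":
                # TLS listener terminates TLS; it re-encrypts towards the
                # target only when the target group protocol is TLS as well.
                sends_tls = tg["Protocol"] == "TLS"
            else:
                # TCP listener: the client's bytes pass through untouched.
                sends_tls = client_uses_tls
            expects_tls = tg["Port"] in tls_ports
            if sends_tls == expects_tls:
                verdict = "ok"
            elif expects_tls:
                verdict = PLAIN_TO_TLS
            else:
                verdict = TLS_TO_PLAIN
            findings.append((lst["Protocol"], tg["Protocol"], tg["Port"], verdict))
    return findings

if __name__ == "__main__":
    # The setup from the question, then the three fixes from the answers.
    for cfg in [("TLS", "TCP", 443), ("TLS", "TCP", 80),
                ("TLS", "TLS", 443), ("TCP", "TCP", 443)]:
        print(cfg, "->", audit(*sample(*cfg), tls_ports={443})[0][3])
```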
