Have you set up an HTTPS listener in your ALB using the method in the following document?
Also, is HTTPS allowed in the ALB security group?
If you do not need to terminate SSL to EC2, you do not need to set up a certificate in httpd.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#add-https-listener
Also, is the listener port for the target of the target group set to 80?
On your EC2, make sure that the web server is listening on port 80 and the target group port is also 80.
The direct answer to your question is no, out of the box httpd doesn't do HTTPS, but the way you are aiming to set things up it doesn't need to.
As you have a load balancer with the cert on it, it makes sense to terminate the HTTPS connection there and have the load balancer do the SSL offloading. This means your users hit the load balancer address on port 443, the load balancer presents its cert to the client device, and that's SSL taken care of (SSL terminates on the load balancer).
You can choose for users to hit it using HTTP on port 80 and pass that straight through, or redirect 80 to 443 and then handle it like all the other HTTPS connections.
Beyond the load balancer it's safe for connections to the back-end EC2 to use plain HTTP on port 80. So the EC2 instance needs to be listening on port 80, and the listener and target group need to be configured for port 80: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-getting-started.html#configure-target-group
The load balancer needs a security group to accept 80 & 443 inbound, and an outbound rule for port 80 to the EC2. The EC2 needs an inbound security group rule accepting port 80 from the load balancer, which it sounds like you have set up already.
httpd on the EC2 doesn't need to be aware of HTTPS at all; it will only receive plain HTTP on port 80.
Thanks so much for the responses. I appreciate them! Here's my current setup (after making some changes)...
- I have two Load Balancers:
- Type A DNS records route traffic to the "My HTTP Traffic" load balancer
- Type AAAA DNS records route traffic to the "My HTTPS Traffic" load balancer
- The "My HTTP Traffic" load balancer:
- Is an Internet-facing, Application load balancer
- It has one listener on Port 80 that forwards to a "HTTP Traffic" target group
- The "HTTP Traffic" target group is an Instance target type using HTTP1 over HTTP: 80
- The target group has 2 targets, and both are healthy in the AWS console
- The "My HTTPS Traffic" load balancer:
- Is an Internet-facing, Application load balancer
- It has one listener on Port 443 that forwards to a "Forward-To-HTTP" target group
- The Default SSL Cert is set to my SSL Cert in the AWS Certificate Manager
- The "Forward-To-HTTP" target group is an Instance target type using HTTP1 over HTTP: 80
- The target group has 2 targets, and both are designated as healthy in the AWS console
- With information from the above answers, I have changed my security group configuration. I now have two security groups:
- "Balancer Security Group" with these rules:
- Inbound: IPv4, HTTPS, TCP, 443
- Inbound: IPv4, HTTP, TCP, 80
- Outbound: IPv4, HTTP, TCP, 80, 0.0.0.0/0
- "Instance Security Group" with these rules:
- Inbound: IPv4, SSH, TCP, 22
- Inbound: IPv4, HTTP, TCP, 80
- Outbound: IPv4, HTTP, TCP, 80, 0.0.0.0/0
I'm still missing something. HTTP requests continue to work fine. But HTTPS requests continue to receive a response that says "This site can't be reached. 'website' refused to connect."
Can anyone help with what I'm missing? Thanks!
I assume you have configured EC2 as your ALB target group. Make sure mod_ssl is installed in your EC2 and your https is listening on port 443:
sudo yum install mod_ssl
sudo systemctl restart httpd
sudo ss -anlt
Your output should have 443 LISTEN
LISTEN 0 128 *:443 *:
This would be needed if the web server on the EC2 instance is doing the SSL offloading. The scenario described in the question is that there's a load balancer with a cert listening on port 443, so the SSL offloading can be done there. mod_ssl on the EC2 is superfluous in that case.
You can run HTTP and HTTPS on the same load balancer. You just configure 2 listeners. Configure your HTTP listener to forward to HTTPS and configure HTTPS with the SSL cert and a forward rule to your HTTP target group.
The error message sounds like your browser is never making a connection to the HTTPS ALB. In your browser can you click on the padlock in the address bar and do you see your cert?
With the two-ALB setup you're going to have to have two Route 53 aliases, one for http.mydomain.com (points to the ALB listening on port 80) and one for https.mydomain.com (points to the ALB listening on 443).
You're not trying to hit the ALB that listens on port 80 with an HTTPS request, are you?
As @Gary says in his comment, it's perfectly possible (and simpler to manage) to have both listeners on the same ALB.
@Steve_M You are correct. It appears that my browser is not connecting with the HTTPS ALB. I don't see a padlock. I see an "information" symbol. When I click on the "information" symbol, it says my connection is not secure. As both you and @Gary suggest, I'll change it to have both listeners on the same ALB. Many thanks!