TLS termination and rewrite host_header using AWS services


Hi there, I'm looking for some suggestions here. I have over 1000 publicly accessible endpoints, all pointing to the same NLB as CNAMEs. The NLB does a TCP proxy and sends the traffic to a pair of HAProxy instances, where TLS is off-loaded and the host_header gets rewritten to a local domain, like: =>, => etc., but it's becoming a huge overhead with a monster HAProxy config file. Hence I'm trying to replace HAProxy with some sort of native AWS service. I know ALB can terminate TLS, but I couldn't find anything in the AWS docs saying that it can rewrite the host header and also add some custom headers. I thought about API Gateway, but I think the many-to-one mapping is going to be challenging. Does anyone have any suggestions about which AWS services (one, or a combination) can replace the HAProxy functionality?


1 Answer

There are several AWS services that can be used to replace the HAProxy functionality:

Elastic Load Balancing (ELB): ELB is a fully managed load balancing service that automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses. It provides high availability and scalability for your applications and is a good replacement for HAProxy.

Application Load Balancer (ALB): ALB is a type of Elastic Load Balancing that routes traffic to different targets based on application-level information, such as URL or HTTP header. It provides advanced features like content-based routing and can be used to replace HAProxy in many scenarios.

Network Load Balancer (NLB): NLB is another type of Elastic Load Balancing that is designed to handle high traffic volumes and provides low latency at scale. It can be used for TCP/UDP traffic and is a good replacement for HAProxy when dealing with network-level traffic.

Amazon CloudFront: CloudFront is a global content delivery network (CDN) that can be used to distribute content, such as static files or streaming media, to users around the world. It can be used to replace HAProxy for static content delivery.

AWS Global Accelerator: Global Accelerator is a service that improves the availability and performance of applications by routing traffic through the AWS global network. It can be used to replace HAProxy for high-availability scenarios where fast failover is required.

Overall, the choice of which service to use depends on your specific use case and requirements. Looking at your use case of rewriting headers, CloudFront seems to be a good fit.

answered 13 days ago
  • One should not be using classic ELBs anymore; at least I cannot use them anymore.

    ALB can offload TLS and can re-encrypt as well, but cannot override host_header. I'm not sure if it can even add an additional header.

    NLB can do TLS offloading, but it can neither do any header manipulation nor can a TLS listener be used if sending the traffic to an ALB.

    CloudFront can do a number of things, but I think it needs to store all of the certs in the us-east-1 region to make it work, which is acceptable by our SWG, so I'm stuck there too.

    It's a many-to-one mapping with regard to the header rewrite, i.e., etc. all get their host_header overridden to a single one, FYI. Do you think a combination of API GW + ALB can replace HAProxy?
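To make explicit what the HAProxy pair in the question actually does, and therefore what any AWS replacement must reproduce, here is the many-to-one host_header rewrite modelled as a pure function. This is an added example, not code from the original post or from any AWS service; the hostnames, the `X-Edge` header and the map contents are constructed placeholders. It also carries the checks a practitioner would want at the edge: the client-supplied Host is untrusted input, so unknown or malformed names are refused with 421 instead of being forwarded, and the validated public name is preserved in `X-Forwarded-Host` so the backend can still build correct absolute URLs after its Host has been collapsed to the internal name.

```python
"""Edge host_header rewrite, modelled as a pure function (added example)."""
from typing import Dict, Mapping, Optional, Tuple

# Many-to-one mapping: every public CNAME collapses onto one internal name.
# Constructed sample data; a real deployment would load this from a map file
# rather than spelling out 1000+ entries in the proxy config.
PUBLIC_TO_INTERNAL: Mapping[str, str] = {
    "shop.example.com": "app.internal.example",
    "www.example.com": "app.internal.example",
    "api.example.com": "api.internal.example",
}

# Custom headers added on the way in (placeholder name and value).
EXTRA_HEADERS: Mapping[str, str] = {"X-Edge": "tls-offload"}


def normalise_host(raw: str) -> Optional[str]:
    """Lower-case a Host header value and strip a trailing :port.

    Returns None for anything that is not a plain hostname: whitespace,
    path characters, '@' or control bytes are refused outright so they
    never reach the map lookup or the backend.
    """
    host = raw.strip().lower()
    if not host or any(c.isspace() or c in "/\\@" or ord(c) < 0x20 for c in host):
        return None
    if host.startswith("["):  # bracketed IPv6 literal, keep the brackets
        end = host.find("]")
        return None if end == -1 else host[: end + 1]
    if host.count(":") == 1:  # hostname:port
        host, _, port = host.partition(":")
        if not port.isdigit():
            return None
    return host


def _get_header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP field names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def rewrite(headers: Mapping[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers_to_send_to_backend).

    200 means forward with the rewritten headers. 421 Misdirected Request
    means the Host was not one of ours, so nothing is forwarded: a spoofed
    Host must not be able to reach the backend at all.
    """
    public = normalise_host(_get_header(headers, "Host"))
    if public is None or public not in PUBLIC_TO_INTERNAL:
        return 421, {}
    out = {k: v for k, v in headers.items() if k.lower() != "host"}
    out["Host"] = PUBLIC_TO_INTERNAL[public]
    # Only the validated, normalised public name is passed on, never the raw value.
    out["X-Forwarded-Host"] = public
    out.update(EXTRA_HEADERS)
    return 200, out


if __name__ == "__main__":
    print(rewrite({"Host": "WWW.example.com:443", "Accept": "*/*"}))
    print(rewrite({"Host": "attacker.example.net"}))
```

Whichever AWS building block ends up in front of the backend, the two properties worth keeping from this model are the allow-list (only hosts present in the map are forwarded) and the fact that the backend receives the original name only via a header the edge set after validation, not via whatever the client put in Host.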

