To use the AWS-issued certificate without needing to have a publicly trusted certificate on your instance, you should set up an Application Load Balancer (ALB) with an HTTPS listener to receive TLS connections from your users, terminate the TLS connection using the AWS-issued certificate, and send the traffic to your EC2 instance either unencrypted over HTTP or using HTTPS and a self-signed or expired certificate. Between the ALB and your server, any certificate will do, even an expired or self-signed one.
Instructions for creating an ALB start here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-getting-started.html
And a high-level design diagram showing the building blocks of an ALB configuration is here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html
You'll be needing approximately the following:
- Create a security group to allow inbound access over tcp/443 and tcp/80 to the load balancer from 0.0.0.0/0 and allowing all traffic outbound (as is the default)
- Create an ALB in your VPC in appropriate subnets with an Internet Gateway as the default gateway
- Create an HTTPS listener on the ALB set to listen to port 443 and to use the AWS-issued certificate (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)
- Set the default rule of the listener to return a fixed HTTP 404 response with no content
- Create an additional listener rule to accept your valid site names (eyespy.help, eyespy.org, www.eyespy.org) for the "Host" HTTP header and send them to a target group (which you can create at this point) that points to your EC2 instance on port 443 for HTTPS or port 80 for HTTP, depending on your preference for traffic between the ALB and the EC2 instance inside your VPC
- Optionally, create a listener for HTTP on port 80 and set it also to return 404 by default (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-listener.html)
- Create an additional listener rule for the HTTP listener that also accepts your site names and redirects the user to the corresponding hostname but with HTTPS and on port 443
The reason for configuring the default listener rules on the ALB to return an HTTP 404 as a fixed response is that most casual attempts to find vulnerable systems on the internet scan the internet at large simply by IP address and don't know or care which DNS names are behind them. No valid user would access the site without knowing its name, so dropping requests arriving without a valid name does no harm but filters out huge numbers of unnecessary, largely malicious requests.
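The two listeners and their rules as the answer above lays them out, as an added example that is not code from the answer or from AWS: the dictionaries use the parameter shapes the ELBv2 API (boto3 `create_listener` / `create_rule`) accepts, the ARNs are placeholders, and the small `route()` evaluator is an assumption-level model of ALB rule matching used only to show which sample Host headers end in a 404, a redirect, or a forward.

```python
# Added example, not the answer's own code. Builds the HTTPS and HTTP listener
# definitions described above and walks sample requests through them.
# The ARNs are constructed placeholders; the evaluator models ALB host-header
# matching (case-insensitive, exact names, port stripped) without wildcards.

VALID_HOSTS = ["eyespy.help", "eyespy.org", "www.eyespy.org"]
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/eyespy/PLACEHOLDER"
CERT_ARN = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"

HOST_CONDITION = [{"Field": "host-header", "HostHeaderConfig": {"Values": VALID_HOSTS}}]

# Default action on both listeners: fixed 404 with no body, so requests that
# arrive by bare IP (scanners) never reach the instance.
NOT_FOUND = [{"Type": "fixed-response", "FixedResponseConfig": {"StatusCode": "404"}}]

HTTPS_LISTENER = {
    "Protocol": "HTTPS", "Port": 443,
    "Certificates": [{"CertificateArn": CERT_ARN}],   # the AWS-issued certificate
    "DefaultActions": NOT_FOUND,
    "Rules": [{"Priority": 1, "Conditions": HOST_CONDITION,
               "Actions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP_ARN}]}],
}
HTTP_LISTENER = {
    "Protocol": "HTTP", "Port": 80,
    "DefaultActions": NOT_FOUND,
    "Rules": [{"Priority": 1, "Conditions": HOST_CONDITION,
               "Actions": [{"Type": "redirect", "RedirectConfig": {
                   "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}],
}

def matches(conditions, host):
    """True if every host-header condition accepts the request's Host header."""
    name = host.split(":")[0].lower()          # drop any :port suffix
    for cond in conditions:
        if cond["Field"] == "host-header":
            if name not in [v.lower() for v in cond["HostHeaderConfig"]["Values"]]:
                return False
    return True

def route(listener, host):
    """Return (action type, detail) for a request carrying the given Host header."""
    for rule in sorted(listener["Rules"], key=lambda r: r["Priority"]):
        if matches(rule["Conditions"], host):
            action = rule["Actions"][0]
            break
    else:
        action = listener["DefaultActions"][0]  # no rule matched: fixed 404
    if action["Type"] == "fixed-response":
        return ("fixed-response", action["FixedResponseConfig"]["StatusCode"])
    if action["Type"] == "redirect":
        cfg = action["RedirectConfig"]
        return ("redirect", f"{cfg['Protocol'].lower()}://{host}:{cfg['Port']}")
    return ("forward", action["TargetGroupArn"])
```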