Configuring SSL for your apps on AWS Cloud

Prashant Kumar
Engineering@Tyroo
Published in
4 min readAug 22, 2016

A large part of our infrastructure as part of Tyroo Technologies runs on AWS and given that we have some expertise on that, through this article we want to share our learnings on the various ways of configuring SSL certification for your application on AWS.

Prerequisites:

  • You should have an AWS account and required permissions to add SSL Certificate and edit ELB configurations.
  • You should have an ELB with at-least 1 EC2 instance behind it.
  • You should have private and public keys and the chain certificate required in the SSL setup.

The Two Ways of Configuring SSL Certification on AWS

There are 2 ways of configuring SSL certificates for your application on AWS.

  • Terminate the SSL traffic on ELB and pass plain text traffic to the application server.
  • Terminate SSL traffic on application server without breaking the SSL encryption on ELB in between.

In this article we will take a deeper look at both the architectures and how to set them up.

Method 1: Terminate SSL on ELB

Here we secure the traffic from end user’s system to the Elastic Load Balancer. Hence, the ELB and user’s system (browser) should do the SSL handshake.

Note that, in this scheme, the traffic between the ELB and app servers is transmitted in plain text. This is not necessarily bad, depending on the level of security you want. In most cases, it should just do fine.

Scheme for terminating the traffic at ELB level and passing plain text traffic to application servers.

This means, the ELB should have your SSL public key file, which it can provide to the client at the time of authentication and should also have the private key file which it can use to decrypt the traffic sent by the client.

AWS provides a graphical interface to save the private and public keys and chain certificate in the ELB configuration. Follow these steps to configure it (it is assumed that you have an ELB already created):

  1. In your AWS console, open the ELBs list and create an ELB if you do not have one already. Then put your application servers behind this ELB. We assume you know how to do this step (if not, AWS has a nice article here).
  2. Choose the target ELB on which you wish to configure SSL and select `Listeners` tab in the panel which appears below the ELBs list.
  3. Click on Edit/Add button to open the `Edit Listeners` window.
  4. In `Edit Listeners` window, you need to set two configurations for forwarding http and https respectively to your servers from ELB.
List load balancers and then choose the ELB you want to apply HTTPS to

Next, follow the steps below to create the configs.

HTTP Forwarding Configuration:

  • Load Balancer Protocol: http
  • Load Balancer Port: 80
  • Instance Protocol: http
  • Instance Port: 80

HTTPS Forwarding Configuration:

  • Load Balancer Protocol: https
  • Load Balancer Port: 443
  • Instance Protocol: http
  • Instance Port: 80
  • Choose SSL Certificate you wish to use using the button under `SSL Certificate` column
  • Click on Save button and you are good to go!

Before saving, your configuration window should look like this snippet:

ELB listeners configuration for terminating SSL at ELB level.

Method 2: Terminate SSL on Application Server

This is quite simple. Follow step 1, 2 and 3 from Method 1 to open Edit Listeners window. In this window, configure the ELB to forward the incoming traffic on port 80, to port 80 of the application server and incoming traffic on port 443, to port 443 of the application server.

Scheme for tunnelling traffic through ELB and terminating SSL only at application server: end-to-end encryption.

The catch is - use TCP protocol instead of http/https while setting the listener rules for ELB.

Use TCP forwarding for HTTP and HTTPS traffic to avoid breaking SSL at ELB

Now just configure your application server (Nginx, Apache or whatever you are using) at individual application instances behind the ELB to use the public/private key pairs for handling https traffic. Here are some nice blog posts to help you with this setup:

Pretty simple? Yeah! Ask your doubts in the comments below. Happy SSLing. :-)

--

--