Configuring SSL for your apps on AWS Cloud
A large part of the infrastructure at Tyroo Technologies runs on AWS. Since we have built up some expertise there, in this article we want to share what we have learned about the different ways of configuring SSL certificates for your application on AWS.
Prerequisites:
- You should have an AWS account and required permissions to add SSL Certificate and edit ELB configurations.
- You should have an ELB with at least one EC2 instance behind it.
- You should have the private key, the public certificate and the chain certificate required for the SSL setup.
The Two Ways of Configuring SSL Certificates on AWS
There are two ways of configuring SSL certificates for your application on AWS.
- Terminate SSL on the ELB and pass plain-text traffic to the application server.
- Terminate SSL on the application server, with the ELB in between passing the encrypted traffic through untouched.
In this article we will take a deeper look at both architectures and how to set them up.
Method 1: Terminate SSL on ELB
Here we secure the traffic from the end user's system to the Elastic Load Balancer, so the SSL handshake takes place between the user's browser and the ELB.
Note that in this scheme the traffic between the ELB and the app servers is transmitted in plain text. Whether that is acceptable depends on the level of security you need; in most cases it is fine.
This means the ELB must hold your certificate (the public key), which it presents to the client during the handshake, and the matching private key, which it uses to decrypt the traffic the client sends.
AWS provides a graphical interface to save the private and public keys and chain certificate in the ELB configuration. Follow these steps to configure it (it is assumed that you have an ELB already created):
- In your AWS console, open the ELBs list and create an ELB if you do not have one already. Then put your application servers behind this ELB. We assume you know how to do this step (if not, AWS has a nice article here).
- Choose the target ELB on which you wish to configure SSL and select the `Listeners` tab in the panel that appears below the ELB list.
- Click the Edit/Add button to open the `Edit Listeners` window.
- In the `Edit Listeners` window, you need to set two listener configurations, one for HTTP and one for HTTPS, forwarding traffic from the ELB to your servers.
Next, follow the steps below to create the configs.
HTTP Forwarding Configuration:
- Load Balancer Protocol: http
- Load Balancer Port: 80
- Instance Protocol: http
- Instance Port: 80
HTTPS Forwarding Configuration:
- Load Balancer Protocol: https
- Load Balancer Port: 443
- Instance Protocol: http
- Instance Port: 80
- Choose the SSL certificate you wish to use via the button in the `SSL Certificate` column.
- Click the Save button and you are good to go!
Before saving, your configuration window should look like this snippet:
Method 2: Terminate SSL on Application Server
This is quite simple. Follow steps 1, 2 and 3 from Method 1 to open the `Edit Listeners` window. In this window, configure the ELB to forward incoming traffic on port 80 to port 80 of the application server, and incoming traffic on port 443 to port 443 of the application server.
The catch: use the TCP protocol instead of HTTP/HTTPS when setting the listener rules for the ELB, so that the ELB passes the encrypted bytes through without terminating SSL itself.
Now configure the application server (Nginx, Apache or whatever you use) on each instance behind the ELB to use the certificate and private key for handling HTTPS traffic. Here are some nice blog posts to help you with this setup:
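As an added example (not from the original post or the linked articles), here is an Nginx configuration for Method 2, where the ELB forwards TCP 80 to 80 and TCP 443 to 443 unchanged and the instance itself does the TLS handshake. The hostname example.com, the certificate paths under /etc/ssl/example.com/ and the local app port 8080 are assumptions.

```nginx
# Added example: nginx terminating TLS on the app instance behind a TCP ELB.
# Assumed paths: /etc/ssl/example.com/fullchain.pem (server cert followed by
# the chain) and /etc/ssl/example.com/privkey.pem (private key, root-readable only).

# Port 80: the ELB passes plain HTTP straight through, so redirect it to HTTPS
# instead of serving the application over plain text.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# Port 443: the ELB passes the encrypted bytes straight through, so this block
# performs the handshake with the user's browser.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Only current protocol versions; cache sessions so repeat handshakes are cheaper.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # Assumed: the application listens locally on port 8080.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the ELB forwards raw TCP, nginx sees the ELB's address as the client; if you need the real client IP, enable Proxy Protocol on the ELB listener and add `proxy_protocol` to the `listen 443 ssl` directive.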
Pretty simple? Yeah! Ask your doubts in the comments below. Happy SSLing. :-)