Amazon ELB SSL Termination HowTo

We’ve been using the new Amazon Load Balancers (ELB) for some of our websites. Since there’s not much information out there on the subject, I thought a post would be in order.

The load balancers are charged at $0.025 per hour, plus $0.008 per GB of data transferred through them. Personally I think this is very reasonable.

They’re hardware based, and can balance both HTTP and TCP traffic. This means you can balance both the traffic to the web server, and the database traffic.

Setting up the Load balancer:

  1. Log in to your AWS console.
  2. Select the EC2 tab.
  3. Click on Load Balancer.
  4. Click on Create Load Balancer. You will get the following screen.

    Figure 01: Initial Screen
  5. Click Continue. You will get the following screen.
    Figure 02: Upload Certificates
    • Provide a name for your certificate.
    • Now copy and paste the content of the following:
      • Private key (in PEM format) into the Private Key text area.
      • Your certificate issued by the certification authority into the Public Key Certificate text area.
      • Intermediate certificate into the Certificate Chain text area.
  6. Click Continue. You will get the following screen.
    Figure 03: Configure Health check options

    Configure your load balancer health check here.

  7. Click Continue. You will get the following screen.
    Figure 04: Select the instance to be added to Load Balancer

    Here, select the instance(s) that you want to add to the load balancer.

  8. Click Continue. You will get the following screen.
    Figure 05: Review your load balancer option

    Review your load balancer settings and, if all is OK, click Create.

That’s it; this will launch the load balancer.
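As a pre-upload check for step 5, the following added example (not part of the original post) verifies that each of the three text areas receives the right kind of PEM block. The function names and sample values are constructed for illustration, and it assumes the form needs an unencrypted RSA key, exactly one certificate, and one or more chain certificates.

```python
import base64
import re

# One PEM block: BEGIN line, optional headers, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}  # assumption: accepted key block types
# Constructed samples (dummy base64, not real key material).
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGRw==\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQUJDREVGRw==\n-----END CERTIFICATE-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n"
                        "QUJDREVGRw==\n-----END RSA PRIVATE KEY-----\n")

def parse_pem(text):
    """Return (label, encrypted, body_ok) for every PEM block found in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header line.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
            body_ok = bool(payload)
        except ValueError:  # binascii.Error is a ValueError subclass
            body_ok = False
        blocks.append((label, encrypted, body_ok))
    return blocks

def check_field(field, text):
    """Return the problems found in one form field: 'key', 'cert' or 'chain'."""
    blocks = parse_pem(text)
    if not blocks:
        return [f"{field}: no PEM block found"]
    problems = []
    if field != "chain" and len(blocks) != 1:
        problems.append(f"{field}: expected exactly one PEM block, found {len(blocks)}")
    allowed = KEY_LABELS if field == "key" else {"CERTIFICATE"}
    for label, encrypted, body_ok in blocks:
        if field == "key" and encrypted:
            problems.append("key: private key is passphrase-protected")
        elif label not in allowed:
            problems.append(f"{field}: unexpected block type '{label}'")
        if not body_ok:
            problems.append(f"{field}: body is not valid base64")
    return problems

if __name__ == "__main__":
    print(check_field("key", SAMPLE_ENCRYPTED_KEY))
```

An empty list from `check_field` means the text is structurally fit for that field; it does not prove that the key matches the certificate or that the chain is in the right order.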

When you do SSL termination on the ELB, you need to redirect the HTTPS traffic coming to your load balancer to your web server’s HTTP port. The reason is that you cannot have SSL on the load balancer and the web server at the same time. However, doing this creates a problem when you are using Apache + mod_jk + Tomcat / JBOSS.

We had problems after introducing the load balancer. Requests were coming to our server but were not fulfilled. The reason was that the backend server, JBOSS, where our application is hosted, was giving the following error.

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

The problem was that the connection coming from the load balancer to Apache was passed on to JBOSS as is. The request reaching JBOSS therefore had HTTPS as the protocol in its header, while the connection actually established was HTTP.

How to resolve this?

To resolve this, open your vhost file and add the line below to all virtual hosts.

RequestHeader set X-Forwarded-Proto "http"

and reload / restart your Apache. Make sure the line below is not commented out in your httpd.conf file.

LoadModule headers_module modules/mod_headers.so

Hope this will help someone and save their time.
