@esurdam
Last active July 10, 2016 10:54
Setting up ELB for multi SSL

ELB Proxy SSL to instance

Thanks to http://garthkerr.com/multiple-ssl-domains-on-elb-with-nginx/

If you are also (likely) handling standard requests over port 80, you do not need to enable Proxy Protocol for non-secure traffic. The HTTP traffic can remain unaffected while adding HTTPS to an existing ELB.

Create ELB and policy

First, we need an ELB instance. If you do not already have a load balancer, you can create one using the AWS console, or with the AWS CLI by following http://docs.aws.amazon.com/cli/latest/reference/elb/create-load-balancer.html. In the example, we use acme-balancer as the ELB name and we are forwarding to backend port 9443.

The listener port should be created using the TCP protocol for both the Load Balancer Protocol and the Instance Protocol. The application layer protocol (HTTPS) is not handled until we reach the nginx instance. In most cases, the public port should be the standard 443.

```shell
# create proxy protocol policy
aws elb create-load-balancer-policy \
  --load-balancer-name acme-balancer \
  --policy-name EnableProxyProtocol \
  --policy-type-name ProxyProtocolPolicyType \
  --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

# add policy to elb (attached to the backend port, not the listener)
aws elb set-load-balancer-policies-for-backend-server \
  --load-balancer-name acme-balancer \
  --instance-port 9443 \
  --policy-names EnableProxyProtocol

# results: the policy should appear under BackendServerDescriptions for port 9443
aws elb describe-load-balancers --load-balancer-names acme-balancer
```

Configure nginx with proxy

If you have multiple server blocks running on the same port (virtual hosts), any port that includes proxy_protocol in your nginx configuration will enable proxy protocol handling for ALL traffic on this port, not just the particular server block.

You do not need to separate the blocks, but it is good for testing ;)

```nginx
# block for proxy traffic
server {

    # port the elb forwards its tcp 443 traffic to, with the PROXY header prepended
    listen 9443 ssl proxy_protocol;

    # take the client ip from the PROXY header...
    real_ip_header proxy_protocol;

    # ...but only when the connection itself comes from the aws vpc subnet
    # range (the elb). any other peer could forge the header, so the security
    # group on 9443 should admit only the elb
    set_real_ip_from 10.0.0.0/16;

    server_name acme.com www.acme.com;

    # legacy directive: redundant with the ssl flag on listen, removed in nginx 1.25
    ssl on;
    ssl_certificate /etc/ssl/acme/acme.com.crt;
    ssl_certificate_key /etc/ssl/acme/acme.com.key;

}

# block for direct traffic (no PROXY header expected here)
server {

    listen 443 ssl;

    server_name acme.com www.acme.com;

    ssl on;
    ssl_certificate /etc/ssl/acme/acme.com.crt;
    ssl_certificate_key /etc/ssl/acme/acme.com.key;

}
```
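To make the interplay of proxy_protocol, real_ip_header and set_real_ip_from concrete, here is an added Python model (not code from the gist) of how the 9443 listener derives the client address from a PROXY protocol v1 line: the header is always consumed, but the address it asserts replaces the TCP peer address only when that peer lies inside the trusted range. The 10.0.0.0/16 range mirrors the nginx block and the sample addresses are constructed.

```python
import ipaddress
import re

# Mirrors `set_real_ip_from 10.0.0.0/16;` from the nginx block above:
# only a TCP peer inside this (assumed) VPC range may assert a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

# PROXY protocol v1 text line, at most 107 bytes including the CRLF:
# "PROXY TCP4 <client ip> <proxy ip> <client port> <proxy port>\r\n"
_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")


def parse_proxy_v1(data):
    """Return (client_ip, client_port, remaining_bytes), or None when the
    line is malformed (nginx closes such a connection on a proxy_protocol
    listener). A valid UNKNOWN line yields (None, None, remaining_bytes)."""
    m = _V1.match(data[:107])
    if not m:
        return None
    proto, src, dst, sport, dport = m.groups()
    if proto == b"UNKNOWN":
        return None, None, data[m.end():]
    if src is None:
        return None
    try:
        src_ip = ipaddress.ip_address(src.decode())
        dst_ip = ipaddress.ip_address(dst.decode())
    except ValueError:
        return None
    want = 4 if proto == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        return None
    if not (0 <= int(sport) <= 65535 and 0 <= int(dport) <= 65535):
        return None
    return str(src_ip), int(sport), data[m.end():]


def effective_client_ip(peer_ip, data):
    """What $remote_addr becomes on the 9443 listener. peer_ip is the TCP
    source (the ELB, or anything that reached 9443 directly). Returns
    (client_ip, remaining_bytes), or None if the header is malformed."""
    parsed = parse_proxy_v1(data)
    if parsed is None:
        return None
    src_ip, _, rest = parsed
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PROXIES)
    if src_ip is None or not trusted:
        # Header consumed, but the asserted address is ignored: an untrusted
        # peer cannot change its apparent source by prefixing a PROXY line.
        return peer_ip, rest
    return src_ip, rest
```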