Reputation: 18337
On AWS, I'm hosting multiple (totally different) domains on EC2 covered by an ELB on top. I already have 1 wildcard SSL cert for 1 domain and its children (xxxx.site1.com).
Now, can I add one more single SSL cert (on the same ELB) for another, different domain, like www.site2.com, please?
I'm asking this because some articles are saying it won't work and will just crash.
Please kindly advise.
Upvotes: 14
Views: 12176
Reputation: 606
Since October 10th, 2017, it's possible to do this with an Application Load Balancer. You can bind multiple certificates to the same secure listener on your load balancer, and the ALB will automatically choose the optimal TLS certificate for each client. For more information see: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/
Upvotes: 8
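Whichever approach is used (ALB SNI as above, or TLS terminated on the servers behind a TCP pass-through listener as in the other answers), the thing to verify is that a handshake with each hostname in SNI comes back with a certificate whose SAN list actually covers that name. The following is an added example, not code from any answer: the matching logic follows RFC 6125 wildcard rules (one leftmost `*`, one label) and is exercised against constructed getpeercert()-style dicts; `fetch_cert` and `audit` do the live handshake against an endpoint name you supply.

```python
import socket
import ssl

# Constructed samples of what ssl.SSLSocket.getpeercert() returns for the two
# certificates the question describes: a wildcard for site1, a single name for site2.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.site1.com"), ("DNS", "site1.com"))}
SINGLE_CERT = {"subjectAltName": (("DNS", "www.site2.com"),)}


def san_dns_names(cert):
    """Return the DNS entries of the subjectAltName extension from a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: a '*' is only honoured as the whole leftmost label,
    it covers exactly one label, and it never covers a public-suffix-sized name like *.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if any SAN DNS name in the certificate covers the requested hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def fetch_cert(endpoint, sni_name, port=443, timeout=5):
    """Handshake against the load balancer (or instance) with the given SNI name and
    return the served certificate. Chain verification stays on (CERT_REQUIRED) so the
    dict is populated; hostname checking is done by cert_covers so that a wrongly
    selected certificate is reported rather than raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((endpoint, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def audit(endpoint, hostnames):
    """One handshake per hostname; maps hostname -> (covered?, SANs actually served)."""
    results = {}
    for host in hostnames:
        cert = fetch_cert(endpoint, host)
        results[host] = (cert_covers(cert, host), san_dns_names(cert))
    return results
```

Calling audit("my-lb.example.invalid", ["xxxx.site1.com", "www.site2.com"]) with the balancer's DNS name shows per hostname whether the right certificate was selected and which SANs came back, which is exactly what the "it will just crash" articles are worried about.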
Reputation: 113
I agree with the above answer for Nginx by Garth Kerr.
In case of Apache:
You can terminate SSL certificates either at the ELB or at the Apache/Nginx (server) level.
In the case of a multi-tenant (multi-client) architecture, we may need to support different customers (with different domains: *.abc.com, *.xyz.com) under a single ELB, which will not work in an existing ELB setup.
Solution: You can do this by adding listeners in the ELB like below:
TCP 443 (instead of HTTPS 443): this will pass the 443 requests through.
Then, you can terminate the SSL certificates at the server level.
You have to purchase the certificates from external vendors (like GoDaddy) and install and terminate the certificates at the server level.
E.g., the Apache virtual host looks like:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName abc.com

    # abc HTTPS certificate (TLS is terminated here, not on the ELB)
    SSLEngine on
    SSLCertificateFile /opt/organization/site/ssl_keys/abc/abc_gd.crt
    SSLCertificateKeyFile /opt/organization/site/ssl_keys/abc/abc.pem
    SSLCertificateChainFile /opt/organization/site/ssl_keys/abc/abc_gd_bundle.crt

    WSGIScriptAlias / /opt/organization/site/deployment-config/abc.wsgi
    ServerSignature On

    Alias /media/ /opt/organization/site/media/
    <Directory /opt/organization/site/media/>
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>

NameVirtualHost *:80
<VirtualHost *:80>
    ServerName abc.com

    # Rewrite to HTTPS in case of HTTP; X-Forwarded-Proto is what the ELB
    # sets when it forwards plain HTTP, so only non-HTTPS requests are redirected
    RewriteEngine On
    RewriteCond %{SERVER_NAME} abc.com
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

    WSGIScriptAlias / /opt/organization/site/deployment-config/abc.wsgi
    ServerSignature On

    Alias /media/ /opt/organization/site/media/
    <Directory /opt/organization/site/media/>
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
Upvotes: 0
Reputation: 81
Yes, but not by terminating SSL on the load balancer. You have to enable Proxy Protocol on the ELB and transparently forward TCP requests to the web server. There are more details in this article on how to configure the ELB, with example NGINX configurations:
Multiple SSL domains on AWS ELB with Nginx
Using the AWS CLI to enable it:
# Create a Proxy Protocol policy on the (classic) ELB
aws elb create-load-balancer-policy \
    --load-balancer-name acme-balancer \
    --policy-name EnableProxyProtocol \
    --policy-type-name ProxyProtocolPolicyType \
    --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

# Attach the policy to the backend instance port the TCP listener forwards to
aws elb set-load-balancer-policies-for-backend-server \
    --load-balancer-name acme-balancer \
    --instance-port 9443 \
    --policy-names EnableProxyProtocol

# Confirm the policy shows up under BackendServerDescriptions
aws elb describe-load-balancers --load-balancer-name acme-balancer
There is also a mod_proxy_protocol module available if you are using Apache.
This does NOT add an additional distribution layer; the ELB still handles distributing the traffic and connection draining. However, SSL termination is handled by each individual server.
Upvotes: 8
Reputation: 61571
No. The only way you could do it is if you use a second port for HTTPS connections (other than 443), which doesn't apply to real-world scenarios since 443 is the default port for HTTPS.
Having said that, you can simply create a second ELB and assign your second wildcard certificate to it. You can also forward your traffic to the same backend server that the first ELB is forwarding its traffic to.
Hope this helps.
Upvotes: 14