Reputation: 3267
I want to enable https listener for my ELB. All my instances are launched by auto-scaling one master instance.
Normally if we are not under an ELB, an nginx server block would be listening to 80 with no ssl_certificate entries, or listening to port 443 ssl with ssl_certificates.
Going over the AWS documentation, it doesn't answer the following questions:
1) By default, when HTTPS is selected as a load balancer protocol, the instance protocol would be HTTP. Why is that? Don't we need to secure the connection between the ELB and instances?
2) I already have multiple certificates: wildcard ones and ones for single subdomains, as well as self-signed certificates. How do I move them to the three blocks which AWS allows me to edit (Private Key, Public Key Certificate and Certificate Chain)?
3) Next, do I remove the SSL configuration in my server blocks if the instance protocol is going to be HTTP? Should it listen to port 80?
Upvotes: 0
Views: 764
Reputation: 3267
You can concatenate multiple certificates together as
cat 1.crt 2.crt > 3.crt
And yes, all of the nginx 443 ssl configuration should be removed, and to force HTTPS you should add the X-Forwarded-Proto header.
Upvotes: 0
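As an added example (not from the answer above and not from AWS), here is a small POSIX shell script for the certificate part of the question: it takes a bundle built the way the answer suggests (`cat 1.crt 2.crt > bundle.crt`), splits it into the contents of the "Public Key Certificate" field (the first certificate) and the "Certificate Chain" field (every certificate after it), and refuses a bundle that contains a private key, since the key belongs only in the "Private Key" field. It assumes the bundle is ordered leaf certificate first and then intermediates; the function names, the temp directory and the sample bundle (fake PEM text, not real X.509 data) are all constructed for the example.

```shell
#!/bin/sh
# Added example: split a PEM bundle into the two certificate fields of the
# ELB listener form. Assumes the bundle is ordered leaf -> intermediates.

# Number of certificate blocks in a PEM file (prints 0 for an empty file).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if the file contains a private key; keys must never be pasted into a
# certificate field or shipped around inside a certificate bundle.
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Write certificate #1 of $1 to $2 ("Public Key Certificate") and certificates
# #2.. to $3 ("Certificate Chain"). Text outside BEGIN/END blocks is dropped.
split_pem_bundle() {
    bundle=$1 leaf=$2 chain=$3
    if pem_has_private_key "$bundle"; then
        echo "refusing: $bundle contains a private key" >&2
        return 1
    fi
    : > "$leaf"; : > "$chain"
    awk -v leaf="$leaf" -v chain="$chain" '
        /-----BEGIN CERTIFICATE-----/ { n++; in_cert = 1 }
        in_cert && n == 1 { print >> leaf }
        in_cert && n >= 2 { print >> chain }
        /-----END CERTIFICATE-----/   { in_cert = 0 }
    ' "$bundle"
}

# Constructed sample bundle: three fake certificate blocks, not real certificates.
make_sample_bundle() {
    out=$1
    : > "$out"
    for name in leaf intermediate root; do
        printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
            "FAKE-$name-DATA" >> "$out"
    done
}

# Demo: split the sample and report what would go in each field.
tmp=$(mktemp -d)
make_sample_bundle "$tmp/bundle.pem"
split_pem_bundle "$tmp/bundle.pem" "$tmp/leaf.pem" "$tmp/chain.pem"
echo "Public Key Certificate field: $(pem_cert_count "$tmp/leaf.pem") cert(s)"
echo "Certificate Chain field:      $(pem_cert_count "$tmp/chain.pem") cert(s)"
```

Run it against a real bundle with `split_pem_bundle bundle.crt leaf.pem chain.pem` and paste the two files into the corresponding fields; the order inside the chain file is preserved, which matters because the ELB validates the chain in the order given.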
Reputation: 1489
A single Elastic Load Balancer routes traffic to exactly one set of instances; it is not designed to route traffic for multiple domains (no virtual hosting).
Example

                   /---- :80 Instance A
ELB :80 :443 ----- :80 Instance B
                   \---- :80 Instance C
The common setup is an internet facing ELB that accepts HTTP:80 and HTTPS:443 connections. In case of HTTPS:443 it can handle SSL termination, meaning it will accept the HTTPS, handle the SSL and route traffic to the instances on HTTP:80.
Since the instances are in a private subnet and the ELB and instances communicate in your VPC there is no need for SSL.
For SSL termination you need to provide each ELB with the SSL certificate chain (the three blocks).
Upvotes: 1
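Putting the two answers together (SSL termination on the ELB, instances on HTTP:80, redirect via X-Forwarded-Proto), here is an added example, not from either answer and not AWS's or nginx's own code: a shell function that renders the nginx server block for an instance behind the ELB, plus a lint that flags the mistakes the answers warn about (a 443 listener or certificate paths left on the instance, and a redirect that tests `$scheme`, which loops behind a terminating ELB because every request from the ELB arrives as plain http). The hostname `example.com`, the document root and the function names are assumptions.

```shell
#!/bin/sh
# Added example: nginx server block for an instance behind an ELB that
# terminates TLS, and a lint for configs pulled onto auto-scaled instances.

# Print the server block. Assumed values: hostname and document root.
render_nginx_site() {
    domain=$1
    cat <<EOF
server {
    # The ELB forwards to the instance over HTTP:80, so this is the only
    # listener. Nothing listens on 443 and no certificate paths are set here;
    # the certificate and key were uploaded to the ELB instead.
    listen 80;
    server_name $domain;

    # The ELB sets X-Forwarded-Proto to the scheme the *client* used.
    # Testing \$scheme instead would loop: every hop from the ELB is http.
    if (\$http_x_forwarded_proto != "https") {
        return 301 https://\$host\$request_uri;
    }

    # Once the client is on HTTPS, ask browsers to stay there.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/$domain;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Return 0 if the config in $1 is consistent with ELB termination, 1 otherwise.
lint_elb_backend_config() {
    # Strip comments so explanatory text does not trip the checks.
    body=$(sed 's/#.*$//' "$1")
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    status=0
    if has 'listen[[:space:]]+443'; then
        echo "lint: instance listens on 443 but the ELB sends plain HTTP" >&2
        status=1
    fi
    if has 'ssl_certificate'; then
        echo "lint: certificate directives belong on the ELB, not the instance" >&2
        status=1
    fi
    if has 'if[[:space:]]*\(\$scheme'; then
        echo "lint: redirect on \$scheme loops; use \$http_x_forwarded_proto" >&2
        status=1
    fi
    if ! has 'http_x_forwarded_proto'; then
        echo "lint: no X-Forwarded-Proto check, plain HTTP clients stay on HTTP" >&2
        status=1
    fi
    return $status
}

# Demo: render a config, then lint it next to a deliberately wrong one.
tmp=$(mktemp -d)
render_nginx_site example.com > "$tmp/good.conf"
lint_elb_backend_config "$tmp/good.conf" && echo "good.conf: ok"
printf 'server {\n    listen 443 ssl;\n    ssl_certificate /etc/ssl/x.crt;\n    if ($scheme != "https") { return 301 https://$host$request_uri; }\n}\n' > "$tmp/bad.conf"
lint_elb_backend_config "$tmp/bad.conf" || echo "bad.conf: rejected"
```

Because the ELB also rewrites the client address, the same server block is where you would later add `set_real_ip_from` for the VPC CIDR and `real_ip_header X-Forwarded-For` if the access log or rate limits need the real client IP; the lint deliberately does not check for that since the answers do not cover it.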