Phil Chae

Reputation: 1136

When using NLB, only specifying HTTPS works and not HTTP

I'm confused about configuring a LoadBalancer (NLB) in AWS. When configuring the LB as below (it's the Terraform file), I never specified the HTTPS protocol. However, after the LB gets spun up, I can only reach my targets via https://LB_ARN:80 and nothing is shown when I hit http://LB_ARN:80. I am quite confused about the reason, and the more confusing part is that when using https://LB_ARN:80 as the DNS name, my browser (Chrome) tells me the site is not secure (though it is HTTPS). Any help please?

resource "aws_lb" "boundary" {
  name               = "boundary-nlb"
  load_balancer_type = "network"
  internal           = false
  subnets            = data.terraform_remote_state.network.outputs.tokyo_vpc_main.public_subnet_ids

  tags = merge(local.common_tags, {
    Name = "boundary-${terraform.workspace}-controller-nlb"
  })
}

resource "aws_lb_target_group" "boundary" {
  name     = "boundary-nlb"
  port     = 9200
  protocol = "TCP"
  vpc_id   = data.terraform_remote_state.network.outputs.tokyo_vpc_main.vpc_id

  stickiness {
    enabled = false
    type    = "source_ip"
  }
  tags = merge(local.common_tags, {
    Name = "boundary-${terraform.workspace}-controller-nlb-tg"
  })
}

resource "aws_lb_target_group_attachment" "boundary" {
  count            = var.num_controllers
  target_group_arn = aws_lb_target_group.boundary.arn
  target_id        = aws_instance.controller[count.index].id
  port             = 9200
}

resource "aws_lb_listener" "boundary" {
  load_balancer_arn = aws_lb.boundary.arn
  port              = "80"
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.boundary.arn
  }
}

resource "aws_security_group" "boundary_lb" {
  vpc_id = data.terraform_remote_state.network.outputs.tokyo_vpc_main.vpc_id

  tags = merge(local.common_tags, {
    Name = "boundary-${terraform.workspace}-controller-nlb-sg"
  })
}

resource "aws_security_group_rule" "allow_9200" {
  type              = "ingress"
  from_port         = 9200
  to_port           = 9200
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.boundary_lb.id
}

Upvotes: 1

Views: 3800

Answers (1)

Marcin

Reputation: 238169

This appears to me as a misconfiguration of your backend servers. Specifically, they seem to serve HTTPS connections on port 80.

Since you are using an NLB with the TCP protocol, any HTTPS connection is forwarded to your backend servers. Meaning, there is no SSL termination on your NLB. So even though you haven't specified HTTPS in your NLB settings, HTTPS connections are forwarded on top of TCP to your backend instances. The backend instances handle the HTTPS, maybe with a self-signed SSL certificate, not the NLB, on the wrong port. This would explain the warnings from the browser.

I would recommend checking the configuration of your backend services and making sure that they are serving HTTP on port 80, not HTTPS as seems to be the case now.

Upvotes: 1
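Because a TCP listener on an NLB passes bytes through untouched, the load balancer itself cannot tell you which protocol the backend speaks; you have to ask the backend. The probe below is an added example, not code from the question or the answer: it sends a plaintext HTTP request to a host and port (both are assumptions you supply) and classifies the first bytes that come back as plaintext HTTP or a TLS record, which is exactly the distinction the answer says to check.

```python
"""Tell whether a port reached through a TCP-passthrough NLB speaks HTTP or TLS."""
import socket

# TLS record content types (RFC 5246 section 6.2.1); a server that expects a
# TLS ClientHello usually answers a plaintext request with an alert record.
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returns to a plaintext HTTP request."""
    if not data:
        # Ambiguous: some TLS stacks just drop the connection on garbage input.
        return "closed"
    if data.startswith(b"HTTP/"):
        return "http"  # a plaintext HTTP status line came back
    # A TLS record starts with the content type followed by a 0x03xx version.
    if data[0] in (TLS_ALERT, TLS_HANDSHAKE) and data[1:2] == b"\x03":
        return "tls"   # backend expects HTTPS on this port, as in the question
    return "unknown"


def probe_plaintext(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a bare HTTP/1.1 request and classify what the backend answers.

    host and port are assumptions: point them at the NLB DNS name and listener
    port, or directly at an instance and its target port (9200 in the question).
    """
    request = (
        f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            data = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    # Constructed replies standing in for real backends, so this runs offline.
    samples = {
        "plain http backend": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
        "tls backend (alert)": b"\x15\x03\x01\x00\x02\x02\x0a",
        "silent backend": b"",
    }
    for label, reply in samples.items():
        print(f"{label:22s} -> {classify_reply(reply)}")
```

A "tls" result on the port you meant to serve plain HTTP confirms the answer's diagnosis; a "closed" result is inconclusive and is worth re-checking with a TLS client such as openssl s_client.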
