1. 技术文章
  2. VPC SSL/HTTPS environment

VPC SSL/HTTPS environment

▼魔方 西西 提交于 2020-07-10 03:13:46

问题


I have the following VPC setup with AWS Elastic Beanstalk:

  1. Web App Public Load Balancer pointed to by my domain (proxied through cloudflare) with EC2 instances in private subnet.
  2. Private internal API Load Balancer with inbound access granted to EC2 instances above via Security Group
  3. Database within the private subnet, accessible by EC2 instances behind the API Load Balancer.

I would like to enable end to end HTTPS, AWS has good documentation here (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html).

I have followed this, albeit with my free Cloudflare domain certs. This seemed ok until I get the following error: 'SELF_SIGNED_CERT_IN_CHAIN' when my web app tries to connect to the internal API via https://internal-aweseb-dns.amazonaws.com (DNS for internal API Load Balancer).

Questions

  1. Is this the correct way get end to end HTTPS?; and

  2. How do I resolve the above error? (returned by Node JS)

Thanks


回答1:


In the end I came to this conclusion: I don't need end to end HTTPS when my instances are in a private subnet because:-

  1. Once HTTPS is terminated at the Load Balancer, the internal requests are over HTTP but are not over the public internet. They requests cannot be seen by anyone outside the AWS network.

  2. The data I am transmitting is not overly sensitive (just emails and user preferences) so there is no Compliance/Regulatory reason to enforce end to end HTTPS in a private network.

  3. There is a small performance hit when using HTTPS as an SSL handshake must occur, which is an overhead.

  4. I have additional security via Security Groups, only allowing internal traffic originating from the Load Balancer.

There are many suggestions that would guide you to configure your application to ignore the certificate when connecting via HTTPS... but that defeats the whole point of HTTPS (secure encrypted connection). You may as well just HTTP instead of doing this.

After much research and discussion with AWS, I think using HTTP over an internal network is secure enough for 99% of use cases and is pretty standard with a lot of setups and so unless you actually need end-to-end encryption for your use case, I would advise doing this instead.

Hope this helps.



来源:https://stackoverflow.com/questions/62415855/vpc-ssl-https-environment

标签
amazon-web-services
ssl
https
amazon-vpc
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!