ELB and Apache configuration for HTTPS website

烂漫一生 submitted on 2019-11-28 09:23:37
Céline Aussourd

The configuration as described in the question didn't work because it created a never-ending redirection: 443 (ELB) forwarding to 80 (Apache) forwarding to 443 (ELB) forwarding to 80 (Apache) forwarding to 443 (ELB), etc.

So, I modified the ELB configuration to have:

  • 443 (HTTPS) forwarding to 443 (HTTPS)
  • 80 (HTTP) forwarding to 80 (HTTP)

When I created the listener 443 (HTTPS) forwarding to 443 (HTTPS), I didn't get to answer questions concerning the authentication. When I look at the ELB description I can see "Backend Authentication: Disabled".

The Health Check is done on HTTPS:443

(I also modified the instance security group: only the load balancer can access the instance on ports 80 and 443)

Update:

Another solution is to have only port 80 open on the instance:

  • 80 (HTTP) forwarding to 80 (HTTP)
  • 443 (HTTPS) forwarding to 80 (HTTP)

but to use X-Forwarded-Proto to determine if the client used HTTP or HTTPS and forward to HTTPS only if X-Forwarded-Proto = http

Example with Apache:

<VirtualHost *:80>
    ...
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    ...
</VirtualHost>

The line RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker has been added so the ELB check is not redirected. See https://serverfault.com/questions/470015/how-should-i-configure-my-elb-health-check-when-using-namevirtualhosts-and-redir for other solutions concerning the health check.

AWS Documentation concerning X-Forwarded-Proto: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html#x-forwarded-proto
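
The redirect loop and the X-Forwarded-Proto fix described above, modelled as an added example (not code from the answer or from AWS). All function names, the host example.test and the requests are constructed; the health check is assumed to arrive without an X-Forwarded-Proto header.

```python
# Added example: a model of the ELB listeners and the port-80 Apache vhost.
# Function names, host names and requests are constructed for illustration.
from urllib.parse import urlsplit

def apache_always_redirect(headers, host, path):
    """Port-80 vhost that redirects every request to HTTPS (the looping setup)."""
    return 302, f"https://{host}{path}"

def apache_xfp(headers, host, path):
    """Port-80 vhost with the two RewriteCond lines from the answer."""
    # RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
    if headers.get("User-Agent", "").startswith("ELB-HealthChecker"):
        return 200, None
    # RewriteCond %{HTTP:X-Forwarded-Proto} !https  (unanchored regex match)
    if "https" not in headers.get("X-Forwarded-Proto", ""):
        return 302, f"https://{host}{path}"
    return 200, None

def elb_forward(url, backend):
    """Listeners 80 and 443 both forward to instance port 80; the ELB sets
    X-Forwarded-Proto to the scheme the client used."""
    parts = urlsplit(url)
    headers = {"X-Forwarded-Proto": parts.scheme, "User-Agent": "Mozilla/5.0"}
    return backend(headers, parts.netloc, parts.path or "/")

def follow(url, backend, max_hops=5):
    """Follow redirects as a browser would. Returns (status, redirects taken),
    or ("loop", max_hops) if the redirects never end."""
    for hop in range(max_hops):
        status, location = elb_forward(url, backend)
        if status != 302:
            return status, hop
        url = location
    return "loop", max_hops

def health_check(backend):
    """ELB health check, modelled without X-Forwarded-Proto (assumption)."""
    return backend({"User-Agent": "ELB-HealthChecker/1.0"}, "10.0.0.5", "/")[0]

if __name__ == "__main__":
    for name, backend in [("always redirect", apache_always_redirect),
                          ("X-Forwarded-Proto", apache_xfp)]:
        print(name, follow("http://example.test/login", backend),
              health_check(backend))
```

A request that reaches port 80 without passing through the ELB can set X-Forwarded-Proto itself, which is why the security group restriction mentioned above matters.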

This is a valid way to do it. You can have the ELB handle SSL termination.

In some compliance cases the entire path has to be encrypted all the way to the instance. If this doesn't apply to you, then you don't have to make any changes.
