HTTPS lets you transfer data over the network securely. To use HTTPS with your load balancer you need to do the following steps:
- Request a certificate
- Add a CNAME record
- Attach HTTPS listener to the load balancer
1. Request a certificate
From AWS console, go to "Certificate Manager".
It will take you to the homepage of the AWS Certificate Manager. Select Provision Certificate and click "Get started".
Choose "Request a public certificate" and click on the "Request a certificate" button.
Enter the domain name you are using with your load balancer and click "Next". If you are using a sub-domain, you will have to enter that sub-domain. You can also cover more than one domain in a single certificate, like this:
whateverdomain.club
my.whateverdomain.club
abc.whateverdomain.club
or, to cover all the sub-domains, use a wildcard:
*.whateverdomain.club
whateverdomain.club
Select "DNS Validation" and click "Next".
You can add tags if you want, otherwise, leave them empty and click "Review". On the review page, review the info and click "Confirm and Request". Click "Export DNS configuration to a file" (it will download a csv file) and click "Continue".
Now we need to validate our request (prove that we are authorized to request SSL certificates for our domain). Until the validation is completed you will see the status "Pending validation" against the certificate request.
2. Add a CNAME record
To prove our authorization we need to add the CNAME record to our domain's DNS records. To do that, go over to Route 53 (if your domain's name servers (NS records) are not pointing to AWS, you will have to do the following steps from your domain registrar's control panel or whichever other DNS service you are using).
Select the Hosted Zone for the domain in question.
Click "Create record set", open the csv file that was downloaded earlier and enter the values accordingly:
Name = from the csv's Record Name column
Type = CNAME - Canonical name
Alias = No
Value = from the csv's Record Value column
After entering the values click "Save Record Set".
*Note: in the CSV file the Record Name is written as a fully qualified name (it already includes your domain); in the Name field you only need the random string part, because Route 53 appends the hosted zone name itself.
# value in csv
_ab1e89753de00b10b8de785149740feb.whateverdomain.club.
# value you need to enter in the name field
_ab1e89753de00b10b8de785149740feb
Once the CNAME record has been added (correctly), go back to the AWS Certificate Manager and look for the status. It should be changed to "Issued".
*Note: The status change can take 0-72 hours. However, if ACM (AWS Certificate Manager) is not able to validate within 72 hours, then you will see "Time out" as the status and you will have to regenerate the request.
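As an added example (not part of the original post), the following script does step 2 from the exported CSV instead of by hand: it reads the ACM export, drops the duplicate row that the apex and wildcard names share, strips the hosted zone suffix the way the note above describes, and builds the change batch you would pass to `aws route53 change-resource-record-sets`. The CSV column names are assumed to match the ACM export, and the sample rows and validation strings are constructed.

```python
import csv
import io
import json

# Constructed sample of the ACM "Export DNS configuration" CSV. The column
# headers are assumed to match the real export; all values are made up.
SAMPLE_CSV = """Domain Name,Record Name,Record Type,Record Value
whateverdomain.club,_ab1e89753de00b10b8de785149740feb.whateverdomain.club.,CNAME,_0123456789abcdef.acm-validations.aws.
*.whateverdomain.club,_ab1e89753de00b10b8de785149740feb.whateverdomain.club.,CNAME,_0123456789abcdef.acm-validations.aws.
my.whateverdomain.club,_1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f.my.whateverdomain.club.,CNAME,_fedcba9876543210.acm-validations.aws.
"""


def parse_acm_export(text):
    """Return {record name: record value} for the CNAMEs in the CSV.
    The apex and wildcard names share one validation record, so the same
    row appears twice; the dict collapses it so Route 53 gets it once."""
    seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Record Type"] != "CNAME":
            raise ValueError("unexpected record type: " + row["Record Type"])
        name, value = row["Record Name"], row["Record Value"]
        if seen.get(name, value) != value:
            raise ValueError("conflicting values for " + name)
        seen[name] = value
    return seen


def short_label(record_name, zone_name):
    """What to type in the console's Name field: the FQDN minus the zone."""
    zone = zone_name.rstrip(".") + "."
    fqdn = record_name.rstrip(".") + "."
    if not fqdn.endswith("." + zone):
        raise ValueError(record_name + " is not inside zone " + zone_name)
    return fqdn[: -len(zone) - 1]


def route53_change_batch(records, ttl=300):
    """ChangeBatch for change-resource-record-sets. UPSERT is idempotent,
    so re-running after a timed-out request does not fail on a duplicate."""
    return {
        "Comment": "ACM DNS validation records",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": {"Name": n, "Type": "CNAME", "TTL": ttl,
                                   "ResourceRecords": [{"Value": v}]}}
            for n, v in sorted(records.items())
        ],
    }


if __name__ == "__main__":
    recs = parse_acm_export(SAMPLE_CSV)
    for n in recs:
        print("console Name field:", short_label(n, "whateverdomain.club"))
    print(json.dumps(route53_change_batch(recs), indent=2))
```

Keep the validation CNAME in place after the certificate is issued; ACM re-checks it when it renews the certificate.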
3. Attach HTTPS listener to the load balancer
Now that we have successfully generated an SSL certificate for our domain, we are ready to attach an HTTPS listener to the load balancer. Head over to EC2 and, from the bottom-left section, select "Load Balancers". Select the load balancer to which you intend to attach the certificate. Go to the "Listeners" tab at the bottom and click "Add listener".
Select "HTTPS" as the protocol. Add the default action "Forward to" and select the target group to which you want to forward your requests. Leave "Security Policy" as it is. Under "Default SSL certificate", select the certificate we generated above.
Once the listener has been attached, go back to the load balancer page. From the bottom left select "Security Groups".
Select the security group attached to the load balancer.
Click "Add Rule". From the "Type" dropdown select HTTPS, and for the source enter 0.0.0.0/0. Add another rule, again with HTTPS as the type but ::/0 as the source. Click "Save rules".
That's it. Go to your browser and navigate to your domain with https as the protocol to confirm the set-up.
Top comments (5)
I commented on another post, but I think it's more accurate to be placed here. Now that we have SSL setup how should we go about forwarding http to https? I was thinking the best place to do that would be the nginx file, but now I'm receiving 502 and 504 errors. I basically updated that .conf file to look something like this:
How do you go about forwarding http to https with this setup?
That you need to do within the ELB (AWS Elastic Load Balancer).
Ah, I see. I just needed to edit the rule to "Redirect to" then "Port": 443. Thank you!
Nice article! Keep it up.
By the way, if you want to use SSL for other resources like EKS, you can follow my guidance here: dev.to/iilness2/practical-way-to-s...
Nice article!
I've been running an Apache web server without the load balancer and noticed a significant increase in page load time after deploying the ELB. This problem only exists when I'm using a listener with https protocol. Load time is normal with http.
Do you have any idea why this is the case?
Thank you