
How to set up HTTPS on Amazon EC2 with Elastic Load Balancer

I have requested a certificate in Amazon Certificate Manager. Now it has status 'issued'. In EC2 console I have created Load Balancer. There are 2 listeners: HTTP and HTTPS. I tried Application Load Balancer and Classic Load Balancer, but I can't connect to my site via HTTPS.

My nginx config:

server {
    listen 80;
    #listen 443 ssl;

    rewrite ^(.*) https://$host$1 permanent;

    server_name site.com www.site.com;
    root /home/ubuntu/www/site.com/wordpress;
    index index.php;

    client_max_body_size 20m;
    gzip on;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

    location ~* ^/(\.htaccess|xmlrpc\.php)$ {
        return 404;
    }

    location ~ /\. {
        deny all;
    }

    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off;
        log_not_found off;
        expires max;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;

        set $is_https 'off';
        if ($http_x_forwarded_proto ~ 'https') {
            set $is_https 'on';
        }
        proxy_set_header HTTPS $is_https;

        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://app_server;
            break;
        }
        #try_files $uri $uri/ /index.php?$args; # permalinks
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

How can I import the certificate manually? Or is there a way to set up an HTTPS connection with the Amazon certificate?


If you have an ACM cert, you can just select that certificate from the ELB Listener for HTTPS/443 and you don't need to bother setting up the SSL config in your nginx instance. Just have it respond on port 80.

You just need both HTTP/80 and HTTPS/443 listeners in the ELB mapped to HTTP port 80 on the instance (this sample is using the Classic ELB).


If the cert is in ACM you should see it in the dropdown once you select "Change" under SSL Certificate.

Now you just need to make sure your ELB security group is set up to allow Ingress from 80/443 and Egress from 80. And you need to make sure your instance allows Ingress from the ELB Security Group.

Depending on your ELB setup and port mapping, the $https variable won't always work when your instance is behind an AWS ELB (h/t @Michael - sqlbot). You should use HTTP_X_FORWARDED_PROTO header instead and move your rewrite rule inside the IF statement that checks for the HTTP_X_FORWARDED_PROTO header:

location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    if ($http_x_forwarded_proto != "https") {
        rewrite ^(.*)$ https://$server_name$1 permanent;
    }

    # ... (remaining directives of the location block, omitted in the original answer)
}

Note on Security Groups

Also, you need to ensure that your load balancer can communicate with registered targets on both the listener port and the health check port. For more info:

Security Groups for Your Application Load Balancer

Security Groups for Your Classic Load Balancer
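As an added example that is not part of the question or the answer above: one way to write the whole port-80 server block so that the redirect fires only when the ELB reports the original request was plain HTTP, the health check path is exempt from it, the real client address is restored for logging, and WordPress is told the page is HTTPS. The ELB subnet CIDR and the /healthz path are placeholders; the PHP-FPM socket is the one from the question.

```nginx
# Added example, not from the question or the answer above: a port-80
# server block for an instance whose TLS is terminated at the ELB.
# Assumptions (placeholders): the ELB subnet is 10.0.0.0/16, the ELB
# health check requests /healthz, PHP-FPM uses the socket from the question.

# Decide per request whether to redirect. X-Forwarded-Proto is set by the
# ELB, so this is only trustworthy when port 80 admits the ELB's security
# group alone; a client connecting directly could otherwise forge it.
map "$http_x_forwarded_proto:$uri" $needs_https_redirect {
    default          1;   # plain HTTP at the ELB, or header missing
    "~^https:"       0;   # client already reached the ELB over TLS
    "~:/healthz$"    0;   # health check is plain HTTP; a 301 would fail it
}

server {
    listen 80;
    server_name site.com www.site.com;
    root /home/ubuntu/www/site.com/wordpress;
    index index.php;

    # Recover the client address from X-Forwarded-For, trusting only the
    # load balancer subnet (placeholder CIDR) as a proxy.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header X-Forwarded-For;

    # Runs before location matching, so it covers every path except those
    # the map excludes. An unconditional rewrite here loops behind the ELB.
    if ($needs_https_redirect) {
        return 301 https://$host$request_uri;
    }

    location = /healthz {
        access_log off;
        return 200 "ok";
    }

    location / {
        try_files $uri $uri/ /index.php?$args;   # WordPress permalinks
    }

    location ~ \.php$ {
        include fastcgi_params;
        # The hop from the ELB is plain HTTP; tell WordPress the page is
        # HTTPS so it generates https:// URLs and marks cookies secure.
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    }
}
```

A quick check after reloading: a request to port 80 with `X-Forwarded-Proto: https` should return 200, the same request without the header should return 301 to the https:// URL, and /healthz should return 200 either way.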

粤ICP备18138465号  © 2020-2024 STACKOOM.COM