
How to route HTTPS traffic through an ELB to an EC2 container running a Java JHipster web app

I have a JHipster monolithic application (Angular + Java Spring Boot + Tomcat container, everything together) deployed successfully on an EC2 instance. I was able to set the security groups to allow incoming requests on 8443 to the public DNS, and I can access it from any browser.

After that, I requested a public certificate from Amazon for a domain I had already acquired through Route53.

So the idea was to use 443 instead of 8443, and the real domain (instead of the public DNS provided by AWS), so I created an ELB (all in the same VPC, security group and hosted zone). This ELB is listening on 443 and has a redirect to 8443 as its default action.

But ERR_CONNECTION_REFUSED is what the browser shows.

It is important to mention that, since AWS does not allow us to download the certificate (at least I don't see any option for that in the console), I installed a custom certificate (generated with keytool) in the JDK of the EC2 instance where the app runs, in order to have Tomcat use it on the already mentioned port 8443.

I also tried running on 8080 instead of 8443 (and of course updating the security groups), but no change.

Could you give me a clue about what I'm missing? So far the only way I see is to create a new EC2 instance with NGINX acting as a reverse proxy (with a rewrite policy maybe) behind the ELB, but I prefer to avoid additional complexity unless absolutely needed.

Additional data:

  • Tomcat server configuration:
    server:
        port: 8443
        ssl:
            key-store: keystore.p12
            key-store-password: thePassword
            key-store-type: PKCS12
            key-alias: theKeyAlias
  • Security group inbound rules:
    Custom TCP 8443 from 172.31.0.0/16 (the same range as the ELB)
    HTTPS TCP 443 from 0.0.0.0/0 and ::/0
  • Also the AWS certificate is enabled and already issued (the CNAME record set was created in Route53)

**UPDATE 1 - 04 February 2019 22:21 (GMT-3)**

Guys, I finally decided to put NGINX behind the ELB. I also realized that the communication between NGINX and the app server can be plain HTTP, so my app is going to listen on port 8080, simplifying the scheme a bit. I also realized that I only need one certificate in order to have the "browser padlock" and encrypt all traffic between clients and the ELB, so it doesn't matter that it is not possible to download it (it does not need to be installed in NGINX or in the app server either).

At the Apache level you should add a listener on port 443 which would proxy pass the requests to port 8443. This will make sure that all incoming requests on port 443 of the domain are passed to the application running on port 8443 of the server.

    server {
        listen 443;
        location / {
            proxy_pass  http://127.0.0.1:8443;
        }
    }

Finally, issue RESOLVED. I could make NGINX work fine, and I also had to change other things:

I moved from an Application Load Balancer to a Classic Load Balancer. The final scheme is as I explained in the UPDATE of this topic, I mean:

The user connects via HTTP or HTTPS through the Classic LB, and then it goes to the EC2 NGINX listening on port 80.

Then from NGINX to the web app I used a proxy_pass in this way:

    location / {
        proxy_pass  http://172.x.y.z:8080;
    }

And finally an HTTP forward (301 redirect) in NGINX so that HTTPS is used exclusively:

    proxy_set_header X-Forwarded-Proto $scheme;
    if ($http_x_forwarded_proto != 'https') {
        return 301 https://$host$request_uri;
    }

Lijo Abraham, your answer helped me find a clear direction, and this post shows the exact solution applied (that's why I will green-tick this post).

Many thanks and regards.

**UPDATE 1 - 10 February 2019 17:21 (GMT-3)** Finally, I redid everything using an Application ELB this time instead of a Classic ELB (the latter is deprecated), and everything works as expected. I don't know why the Classic ELB didn't work in the beginning (probably some error in the security group rules configuration or something like that).
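For reference, here is a complete nginx server block for the final layout described in this thread: the ALB listens on 443 with the ACM certificate and terminates TLS, nginx listens on port 80 on the EC2 instance, and the JHipster app listens on 8080 over plain HTTP. This is an added example, not configuration from the original question or answers. The upstream address 172.31.10.20, the server_name example.com and the health-check path /management/health are placeholders; the 172.31.0.0/16 range is the VPC range from the security-group rule in the question. Two things differ from the fragments above: the value forwarded in X-Forwarded-Proto is the one the ALB set (on a plain-HTTP listener nginx's own $scheme is always "http"), and the Host header is passed through so the application builds absolute URLs for the real domain rather than for 172.x.y.z:8080.

```nginx
# Added example (not from the original post). Layout: ALB :443 (TLS with the
# ACM certificate) -> nginx :80 on the EC2 instance -> JHipster app :8080.
# Placeholders/assumptions: upstream 172.31.10.20:8080, server_name
# example.com, health check on /management/health, VPC range 172.31.0.0/16.

server {
    listen 80;
    server_name example.com;

    # The security group should restrict port 80 to the VPC range, as the
    # question does for 8443: X-Forwarded-* headers are only trustworthy when
    # the peer is the load balancer. Recover the real client IP from the
    # ALB-supplied X-Forwarded-For for peers in that range only
    # (ngx_http_realip_module, compiled into most distribution packages).
    set_real_ip_from 172.31.0.0/16;
    real_ip_header   X-Forwarded-For;

    # ALB health checks are generated by the load balancer itself and carry
    # no X-Forwarded-Proto, so they must not hit the HTTPS redirect below:
    # a 301 is not a healthy response for a target group expecting 200.
    location = /management/health {
        proxy_pass http://172.31.10.20:8080;
        proxy_set_header Host $host;
    }

    location / {
        # Force HTTPS based on the scheme the client used towards the ALB.
        if ($http_x_forwarded_proto != "https") {
            return 301 https://$host$request_uri;
        }

        proxy_pass http://172.31.10.20:8080;

        # Preserve the original host, client address and scheme so the app
        # generates correct redirects, cookies and OAuth callback URLs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

The redirect sits inside `location /` rather than at server level so that the exact-match health-check location is exempt from it. Note that nginx cannot tell a forged header from a genuine one: any client that can reach port 80 directly can send `X-Forwarded-Proto: https` and skip the redirect, which is why the inbound rule for that port should allow only the load balancer's range, exactly as the question already does for 8443. If the application itself builds absolute URLs, it must also be told to honour these headers (Spring Boot: `server.forward-headers-strategy=native` from 2.2 on, `server.use-forward-headers=true` in earlier versions).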
