DEV Community

Mubbashir Mustafa
Mubbashir Mustafa

Posted on • Edited on

Attach SSL to Elastic Load Balancer (ELB) and enable HTTPS

HTTPS enables you to transfer data over the network securely. To be able to use HTTPS with your load balancer you need to do the following steps:

  1. Request a certificate
  2. Add a CNAME record
  3. Attach HTTPS listener to the load balancer

1. Request a certificate

From AWS console, go to "Certificate Manager".
Alt Text

It will take you to the homepage of the AWS Certificate Manager. Select Provision Certificate and click "Get started".
Alt Text

Choose "Request a public certificate" and click on the "Request a certificate" button.
Alt Text

Enter the domain name you are using with your load balancer and click next. If you are using a sub-domain, you will have to enter that sub-domain. Also, you can cover more than one domain in a single certificate like this:



whateverdomain.club
my.whateverdomain.club
abc.whateverdomain.club


Enter fullscreen mode Exit fullscreen mode

or to cover all the sub-domains, you have to use



*.whateverdomain.club
whateverdomain.club


Enter fullscreen mode Exit fullscreen mode

Select "DNS Validation" (learn why) and click "Next"
Alt Text

You can add tags if you want, otherwise, leave them empty and click "Review". On the review page, review the info and click "Confirm and Request". Click "Export DNS configuration to a file" (it will download a csv file) and click "Continue".
Alt Text

Now we need to validate our request (prove that we are authorized to request SSL certificates for our domain). Until the validation is completed you will see "Pending validation" status against the certificate request.
Alt Text

2. Add a CNAME record

To prove our authorization we need to add the CNAME record to our domain's DNS records. To do that go over to route 53 (if your domain's NS are not pointing towards AWS then you will have to do the following steps from your domain registrar's control panel or some other service that you are using).
Alt Text

Select the Hosted Zone for the domain in question.
Alt Text

Click "Create record set", open up the csv file that was downloaded earlier and enter the values accordingly:

Name = From csv's Record Name column
Type = CNAME - Canonical name
Alias = No
Value = From csv's Record Value column

After entering the values click "Save Record Set".

Alt Text

*Note: in the CSV file, the Record Name is completely written, you just need the random string part.



# value in csv
_ab1e89753de00b10b8de785149740feb.whateverdomain.club. 

# value you need to enter in the name field
_ab1e89753de00b10b8de785149740feb



Enter fullscreen mode Exit fullscreen mode

Once the CNAME record has been added (correctly), go back to the AWS Certificate Manager and look for the status. It should be changed to "Issued".
Alt Text

*Note: The status change can take 0-72 hours. However, if ACM (AWS Certificate Manager) is not able to validate within 72 hours, then you will see "Time out" as the status and you will have to regenerate the request.

3.Attach HTTPS listener to the load balancer

Now that we have successfully generated an SSL certificate for our domain, we are ready to attach HTTPS listener to the load balancer. Head over to EC2, from the bottom left section select "Load Balancers". Select the load balancer to whom you intend to attach the SSL. Go the "Listeners" tab from the bottom and click "Add listener".
Alt Text

Select "HTTPS" as protocol. Add default action "Forward to" and select the target group to which you want to forward your requests. Leave "Security Policy" as it is. Select the certificate we generated above in the "Default SSL certificate".
Alt Text

Once the listener has been attached, go back to the load balancer page. From the bottom left select "Security Groups".
Alt Text

Select the security group attached to the load balancer.
Alt Text

Click "Edit inbound rules".
Alt Text

Click "Add Rule". From the "Type" dropdown, select HTTPS. From the source select 0.0.0.0/0. Add another rule, pick HTTPS as the type but ::/0 as the source. Click "Save rules".
Alt Text

That's it. Go to your browser, navigate to your domain and https as the protocol to confirm the set-up.
Alt Text

Top comments (5)

Collapse
 
rynebenson profile image
Ryne Benson • Edited

I commented on another post, but I think it's more accurate to be placed here. Now that we have SSL setup how should we go about forwarding http to https? I was thinking the best place to do that would be the nginx file, but now I'm receiving 502 and 504 errors. I basically updated that .conf file to look something like this:

server {
  listen 80;

  server_name _;

  location / {
    root      /usr/share/nginx/html;

    index     index.html index.htm;

    try_files $uri $uri/ /index.html;
  }

  error_page 500 502 503 504 /50x.html;

  location = /50x.html {
    root /usr/share/nginx/html;
  }

  return 301 https://$host$request_uri;
}
Enter fullscreen mode Exit fullscreen mode

How do you go about forwarding http to https with this setup?

Collapse
 
mubbashir10 profile image
Mubbashir Mustafa

That you need to do within the ELB (AWS Elastic Load Balancer).

Collapse
 
rynebenson profile image
Ryne Benson

Ah i see I just needed to edit the rule to "Redirect to" then "Port": 443. Thank you!

Collapse
 
iilness2 profile image
andre aliaman

Nice article! keep it up.

By the way, If you want to use SSL for another resources like EKS, you can follow my guidance here: dev.to/iilness2/practical-way-to-s...

Collapse
 
natenn profile image
Nate

Nice article!

I've been running an Apache web server without the load balancer and noticed a significant increase in page load time after deploying the ELB. This problem only exists when I'm using a listener with https protocol. Load time is normal with http.

Do you have any idea why this is the case?

Thank you