Setup ELB as an SSL Termination Proxy
Oh the joys of using Amazon's ELB. Now the heading for this section is “The Problem,” but to be honest, the only problem is that you ain’t set that thing up yet. ELB is awesome sauce incarnate. A few mousy pointy clickies and you have a load balancing monster that handles SSL, port translation, failovers, multiple availability zones, and jillions of instances. It's bliss. Amazon, where have you been all my life?
So let's get started!
How to get there
The first thing you want to do is navigate to the Load Balancer page. From the top left menu:
Services → EC2. Find Load Balancers along the left side menu and click.
… crack your Monster, take a pull
Click Create Load Balancer; the wizard will walk you through the details of setting up your load balancer.
Define that Balancer
Fill in the name, then drop down the Listener Configuration table. We are configuring this load balancer to be the SSL termination point, so we will speak to the outside world over HTTPS on port 443. Internally we can speak to our servers over port 80.
| Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port |
|---|---|---|---|
| HTTPS | 443 | HTTP | 80 |
| HTTP | 80 | HTTP | 80 |
The app we are serving uses a policy of Strict Transport Security; however, I want to do a permanent redirect to HTTPS at the Nginx level. For this reason, we also configure the load balancer to listen on port 80.
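Here is how I would wire Nginx for that redirect (an added example, not the post's own config). Because the ELB forwards both listeners to port 80, a blanket redirect on port 80 would loop; this one only bounces requests the ELB tags as plain HTTP in X-Forwarded-Proto, so the header-less health check on “/” still gets a 200. The domain, the upstream port 8080 and the 10.0.0.0/16 trusted range are placeholders.

```nginx
# Added example: Nginx sitting behind an ELB that terminates SSL.
# Assumptions: app upstream on 127.0.0.1:8080, site example.com (placeholder),
# ELB inside 10.0.0.0/16 (placeholder), ELB sets X-Forwarded-Proto/X-Forwarded-For.

# Redirect only when the ELB says the client came in over plain HTTP.
# HTTPS traffic also lands on port 80 (SSL is terminated at the ELB), and the
# health check sends no X-Forwarded-Proto at all; neither must be redirected.
map $http_x_forwarded_proto $needs_redirect {
    default 0;
    http    1;
}

server {
    listen 80;
    server_name example.com;

    # Log the real client address, not the ELB's, but only trust the header
    # when the connection actually comes from the load balancer's network.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   X-Forwarded-For;

    location / {
        if ($needs_redirect) {
            return 301 https://$host$request_uri;
        }

        # Strict Transport Security for the app the post describes; browsers
        # ignore it on plain-HTTP responses, so it is safe to send unconditionally.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Check it with `nginx -t` before reloading, and confirm the ELB instance shows InService again afterwards, since a redirect answered on the health check path is the usual reason it flips to OutOfService.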
Click here to purchase a production cert. Don’t be a cheap ass, this is your domain’s credibility we are talking about here.
Got SSL? Tick the “Upload a new SSL Certificate” type.
NOTE: You may use existing SSL certs for future ELBs.
I digress. Continue!
The app I am going to run forces connections over HTTPS, so I change the protocol to HTTPS. I do not change the port to 443 because I am communicating with my instance over port 80. This is an internal health check. The path is set to “/”; the timeouts, intervals and thresholds stay at their defaults.
This is pretty important don’t you think?
In development mode, I may be a little cavalier about ingress and egress data, ports and security. I create a group that allows ports 80 and 443 from the world. Maybe some other ports. Who knows?
In production mode, I batten down the hatches. The only ports exposed to the world are 80 and 443. Period.
Oh… security groups? We do that stuff right cheeya!
Hopefully you have created some instances, if not go do that. Select the instances that you want balanced.
Keep the defaults, jerk.
ELB distributes traffic evenly across zones by default.
Connection draining is the process of allowing existing connections to finish when you deregister an instance. You can consider this a graceful deregistration of your EC2 instance.
Double check your settings and Create.
Yeehaw! Time to get TechCrunched cause you just built yourself a Web Scale No Fail Whale.
Now, just hold on there, tubby, let’s peep some of these things.
First and foremost, congratulations, you did it!
Look at DNS Name: under the Description tab. That is the URL you paste into your world wide web browser.
Under Instances you should see the EC2 instance(s) you are balancing. If the health check is set up properly, and the instance and app are running, this should say “InService”. If it says “OutOfService” you may want to hold off on posting to HackerNews.
The other tabs are fairly straightforward. If this is a sandbox, go and break stuff! Otherwise, click around and see what’s what.
AWS has a little information on EC2. So if you need assistance or can’t sleep, check it out here