10

I am trying for the simplest deploy to get an HTTPS web server up and running in Fargate.

I have used Amazon Certificate Manager to create a public certificate.

I have an Application Load Balancer that is talking to the Fargate container on two ports: 80 for HTTP and 443 for HTTPS

This is the problem: when I run my webserver on port 80 (HTTP) and connect via the ALB, it works fine (not secure, but it serves up the HTML).

When I run my webserver on port 443 with TLS enabled, it does not connect via the ALB.

Another point is that when running my webserver with TLS enabled on port 443, I do not have the certificate or certificate key, and so am confused how to get that from Amazon.

Another question I have is: does it make sense for me to say that the ELB will communicate with the client over HTTPS but that the ELB can communicate with the container via HTTP? Is this secure?

My networking knowledge is very rusty.

Daniel Widdis
TheBottleSeller
  • "Another question I have is".. Consider limiting your SO post to one question. Having multiple questions that aren't narrowly focused makes it tricky for us to answer. – bluescores Sep 04 '18 at 14:07
  • How are your target groups configured for your ALB? Does the ALB security group allow traffic on 443? – bluescores Sep 04 '18 at 14:09
  • @bluescores thanks and sorry for the multiple questions... I have configured the security group to allow 443. So then if I can communicate with the ALB from the public internet over https (443), then would it be possible for the ALB to communicate with my web server over http (80)? – TheBottleSeller Sep 08 '18 at 21:24

1 Answer

12

does it make sense for me to say that the ELB will communicate with the client over HTTPS but that the ELB can communicate with the container via HTTP?

Yes. You should make sure your web server is accepting traffic from the ALB on port 80. This is done at the application level, on the web server, and with your target group, which is what the ALB will use to determine how it routes traffic to your web server. This is the way it typically works:

client --(443)--> ALB --(80)--> web server

Some things to check:

  • Target group is configured to send traffic to your FG web server on port 80
  • Target group health check is configured to check port 80
  • FG task security group has ingress from ALB on port 80
  • Web server is configured to listen on port 80

Sidenote: You can configure your target group to send traffic to the target (web server in Fargate) on 443, but as you said, without the proper certificate setup in the container, you won't be able to properly terminate SSL and it just wouldn't work. You would need to upload your own cert to ACM for this to work, which sends you down a security rabbit hole, namely how to avoid baking your private key into your Docker image.

bluescores
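The layout this answer describes (TLS terminated at the ALB with the ACM certificate, plain HTTP from the ALB to the Fargate task on 80, task reachable only from the ALB), as an added Terraform example; this is not code from the answer or from the asker's setup. It assumes var.vpc_id, var.acm_certificate_arn, an existing aws_lb.web and the ECS service are defined elsewhere.

```hcl
# Added example, not code from the answer: Terraform for client --(443)--> ALB --(80)--> Fargate task.
# Assumed to exist elsewhere: var.vpc_id, var.acm_certificate_arn (the asker's ACM public cert),
# aws_lb.web (internet-facing, using aws_security_group.alb) and the ECS service (private subnets,
# aws_security_group.task, tasks registered in aws_lb_target_group.web).
# ALB security group: the only thing the internet may reach, and only on 443.
resource "aws_security_group" "alb" {
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Task security group: port 80 is reachable only from the ALB's security group, never from the internet.
resource "aws_security_group" "task" {
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}
# Target group: plain HTTP on 80, IP targets (required for Fargate), health check on the traffic port.
resource "aws_lb_target_group" "web" {
  port        = 80
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = var.vpc_id
  health_check {
    port = "traffic-port"
  }
}
# HTTPS listener: TLS terminates at the ALB with the ACM certificate; no private key enters the container.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

The task security group above has no egress block, so add one (or a NAT route plus egress rule) if the task must pull images or ship logs; Terraform drops the default allow-all egress when none is declared.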
  • Thank you! This is what I suspected, because there does not seem to be a need for my web server to support SSL when connecting to the ALB from the public internet should be over SSL and then the ALB --> web server should be secured by AWS. A follow-up question: to secure my webserver I should make sure that it is off of a publicly accessible subnet? And instead put it on a private subnet that only the ALB can communicate with, and the ALB is on a public subnet? – TheBottleSeller Sep 13 '18 at 06:58
  • You're welcome. Yes, you can put the web server in a private subnet and the ALB in a public one, just make sure both private and public subnets are in the same AZ and it should Just Work™ – bluescores Sep 13 '18 at 16:48
  • You should also make sure the security group for your ALB accepts traffic on port 443 – ztrange Dec 11 '18 at 15:29