SSL offloading, or SSL termination, means removing the SSL/TLS encryption from incoming traffic before it reaches the web server, so the server is relieved of the work of encrypting and decrypting traffic and can devote its resources to serving web content. It also greatly reduces SSL administration, both during the initial build and for ongoing certificate renewals, simplifies auto scaling configurations and keeps certain types of security attack away from the web servers. There are cost savings too: certificate renewals are cheaper, and the servers can have lower specifications without the decryption/encryption overhead.

By using Amazon Certificate Manager with your ALB, the certificate is stored securely, regularly rotated and updated automatically by AWS with no action on your part, and best of all it is free provided you use it with the AWS load balancer service. This article shows you how to do SSL offloading on an AWS Application Load Balancer (ALB).

Build an EC2 and Install Apache

First create a web server in a public subnet. For this example I am using a free tier Red Hat Enterprise Linux 7.6 AMI, launching it into a public subnet with a security group that allows HTTP from 0.0.0.0/0 and SSH from my public IP only.

Tip: to save time when configuring the instance details, expand the Advanced Details section and paste the script below as user data. Once the server has been built it will install an Apache web server and create a default index.html page.

#!/bin/bash
# User data: install Apache, start it now and on every boot, and publish a sample page
yum install -y httpd
systemctl start httpd
systemctl enable httpd
# Let ec2-user manage the web root as a member of the apache group
usermod -a -G apache ec2-user
chown -R ec2-user:apache /var/www
chmod 2775 /var/www
find /var/www -type d -exec chmod 2775 {} \;
find /var/www -type f -exec chmod 0664 {} \;
echo "<html>Infra Engineer Sample Web Page</html>" > /var/www/html/index.html

Allow a few minutes for the EC2 instance to build, then in your browser go to the public IP allocated by AWS; it should return the page over HTTP.

Create the certificate using Amazon Certificate Manager (ACM)

Now that the web server is working on port 80 it is time to create the certificate to use on the ALB.

Within the AWS console, search for Certificate Manager or ACM.

Select Request a public certificate and add your domain (e.g. www.infra.engineer) or use a wildcard (e.g. *.infra.engineer).

Validate the domain via DNS or email.

I strongly recommend using Route 53 if you do not use it already. If you do, select Create record in Route 53 and the validation record is added for you; otherwise it will have to be added and verified manually.

A few minutes after the records have been created, the domain status should change from pending validation to validated.

If you have multiple certificates, note the last few characters of the ARN or the Identifier to use later on when setting up the ALB.

Create your Application Load Balancer (ALB)

Please be aware of the ALB pricing before you start using it in production; check the AWS pricing page first.

Now that your certificate is ready it is time to create the ALB. Before starting, make sure you have two public subnets in separate availability zones, and create another one if need be.

Within the AWS console go to EC2, select Load Balancers in the left-hand menu, then Create Load Balancer.

You will be offered three load balancer types; create an Application Load Balancer.

Add a logical name, ensure the scheme is set to internet-facing and change the listener from HTTP to HTTPS.

For the availability zones, select your VPC and the subnet in which your web server resides. You can specify only one subnet per Availability Zone, and you must specify subnets from at least two Availability Zones to increase the availability of your load balancer.

Select the ACM certificate created earlier and a TLS 1.2 security policy, then click Next.

Create a new, logically named security group for your load balancer, ensure port 443 is open to the world, and click Next.

Create a new target group, give it a name, set the protocol to HTTP and the port to 80, then select Register targets.

Add the web server(s) created earlier as targets. Normally several mirrored web servers in different zones would be added here, but for this example I am using just one server. Select Review, check your details and click Create.

After a few minutes the load balancer should be created.

Integration services such as Config and WAF (recommended for business use) can be added here if required.

Route 53

While your load balancer is being created it will show a public DNS name along the lines of:

InfraEngineer-SSL-Offloading-842728484.eu-west-1.elb.amazonaws.com
 
For the certificate to work correctly without errors you need to create a CNAME under your domain pointing at this address.
 
Go into your Route 53 hosted zone for the domain and add a CNAME record, or an alias record if you prefer.
The record name must match the name on the certificate created earlier, unless you created a wildcard certificate.
Allow a minute for the DNS record to become reachable, or normally a lot longer if you are using a third-party DNS provider.

Test your site

Browse to the CNAME created earlier over HTTPS and you should see a secure connection to your ALB, which then decrypts the traffic and forwards it to the web servers over plain HTTP.
Looking at the certificate, it will be issued by Amazon.

Run the following netstat command on the web server to show that the website is listening on port 80 only:
sudo netstat -plnt | egrep ":80|:443"

With your browser still open on the HTTPS site, run the following command; it will show that the connection has been established on port 80 and should report 1. Close your browser, run the same command again and it should return 0, showing that the traffic between the ALB and the web server is plain HTTP.
netstat -ant | grep ESTABLISHED | grep :80 | wc -l