Application Load Balancer (ELBv2) SSL pass through


Problem description

I am trying to configure an AWS Application Load Balancer (vs. a Classic Load Balancer) to distribute traffic to my EC2 web servers. For compliance reasons I need end to end SSL/HTTPS encryption for my application.

It seems to me the simplest way to ensure that traffic is encrypted the entire way between clients and the web servers is to terminate the HTTPS connection on the web servers.

My first question: Is it possible to pass through HTTPS traffic through an AWS Application Load Balancer to the web servers behind the load balancer in this manner?

From what I've gathered from the AWS documentation, it is possible to pass traffic through in this manner with a Classic Load Balancer (via TCP pass through). However, the Application Load Balancer looks like it wants to terminate the HTTPS connection itself, and then do one of the following:

  • Send the traffic to the web servers unencrypted, which I cannot do for compliance reasons
  • Create a new HTTPS connection to the web servers, which seems like extra overhead

My second question: is that understanding of the documentation correct?

Recommended answer

Terminating the SSL connection at the web servers requires you to change the load balancer listener from HTTPS to TCP. ALB doesn't support this, only classic ELB. Further, if you were terminating the SSL at the web server the load balancer wouldn't be able to inspect the request since it wouldn't be able to decrypt it, so it wouldn't be able to do all the fancy new routing stuff that the ALB supports.

If you actually want to use an ALB for the new features it provides, and you need end-to-end encryption, you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers. The web server certificate could be something like a self-signed cert since only the ALB is going to see that certificate, not the client.

I assume you need end-to-end encryption for compliance reasons (PCI, HIPAA, etc.). Otherwise there isn't a very compelling reason to go through the hassle of setting it up.
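The setup the answer recommends (TLS terminated at the ALB, then re-encrypted to an HTTPS target group so a self-signed certificate on the web servers is enough) written as a Terraform configuration. This is an added example, not code from the question or the answer; the VPC, subnet, security group and instance IDs, the ACM certificate ARN and the `/healthz` health-check path are placeholders.

```hcl
# Added example, not code from the answer: the ALB terminates TLS and re-encrypts to the targets.
# All IDs and ARNs below are placeholders.

resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  security_groups    = ["sg-PLACEHOLDER"]
  subnets            = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
}

# The first option from the question (protocol = "HTTP", port = 80 here) would send
# the ALB-to-server hop in clear text. Using HTTPS makes the ALB open a new TLS
# connection to each target. The ALB does not validate the target's certificate,
# which is why a self-signed certificate on the web servers is sufficient.
resource "aws_lb_target_group" "web" {
  name     = "web-https"
  vpc_id   = "vpc-PLACEHOLDER"
  protocol = "HTTPS"
  port     = 443

  health_check {
    protocol = "HTTPS"
    path     = "/healthz"
    matcher  = "200"
  }
}

resource "aws_lb_target_group_attachment" "web" {
  for_each         = toset(["i-PLACEHOLDER-1", "i-PLACEHOLDER-2"])
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = each.value
  port             = 443
}

# Client-facing listener: TLS terminates here with an ACM certificate, which is
# what lets the ALB decrypt and inspect requests for its host/path routing rules.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

Because the ALB does not verify the target certificate, the security of the second hop rests on the target group being HTTPS and on the security groups limiting who can reach port 443 on the instances, not on the certificate itself.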
