AWS弹性负载均衡器SSL证书

huangapple go评论73阅读模式
英文:

AWS elastic load balancer SSL certificate

问题

我们有一个面向互联网的经典负载均衡器,其DNS为my-elb-1234.region.elb.amazonaws.com,但我们不用它来路由/负载均衡到我们的EC2实例。此外,此ELB中只有一个EC2实例。在这个EC2实例中,我们只运行一个Nginx服务器。我们实际上不使用ELB的DNS作为访问/入口点到我们的服务器。我们有一个Route53托管区域our-proccess.domain,托管了EC2实例中的Nginx服务器中的域名/服务器。这已经持续了多年,最近被我们的安全团队发现。

我知道我们没有以任何方式正确或有效地使用这个ELB资源。

是否有办法为ELB的DNS my-elb-1234.region.elb.amazonaws.com 获取一个签名的SSL证书?我们尝试过使用ACM,但当在域中包含my-elb-1234.region.elb.amazonaws.com 时失败了,我认为这是因为amazonaws.com是域的一部分,而ACM禁止了它。我们还尝试了certbot,我们用它为our-process.domain 生成SSL,但我认为它仍然被禁止,因为amazonaws.com域。我们还尝试在our-process.domain 托管区域中创建一个CNAME记录,将流量路由到my-elb-1234.region.elb.amazonaws.com,但使用sslshopper.com进行检查时失败了,因为证书中没有与名称(my-elb-1234.region.elb.amazonaws.com)匹配的通用名称。

英文:

We have this internet-facing classic load balancer with the dns my-elb-1234.region.elb.amazonaws.com but we do not use this for any routing/balancing to our ec2 instances. Also, there is only one ec2 instance in this ELB. In this ec2 instance we only have a nginx server running on it. We do not really use the ELB's DNS as an access/entry point to our server. We have this route53 hosted zone our-proccess.domain that hosts the domains/servers in the nginx server in the ec2 instance in the ELB. This has been going on for years now and just recently found out by our security team

I know we are not doing/using this ELB resource the right way or in any way.

Is there a way to have the ELB's DNS my-elb-1234.region.elb.amazonaws.com to have a signed SSL certificate? We've tried using ACM but it just failed when having the my-elb-1234.region.elb.amazonaws.com in the domain, I think this is because of the amazonaws.com is part of the domain and it is forbidden in ACM. we also tried certbot, which we used to generate the SSL for our-process.domain but i think it still forbids because of the amazonaws.com domain. we also tried having a cname record in the our-process.domain hosted zone routing to the my-elb-1234.region.elb.amazonaws.com but using sslshopper.com to check and it fails as there are no common names in the certificate that match the name(my-elb-1234.region.elb.amazonaws.com).

答案1

得分: 1

  • 如果我理解正确的话,您需要在ACM中使用您自己的域名process.domain创建一个证书。
  • process.domain中为您的CLB创建一个CNAME记录,例如myoldapp.process.domain,将其映射到您的负载均衡器(LB)。
  • 从您的CLB中,在监听器中配置HTTPS监听器,以使用您在步骤1中为process.domain创建的证书。

这应该没问题。当请求到达LB并包含myoldapp.process.domain时,LB上的证书已配置为process.domain,SSL终止应该会在LB级别正确进行。

英文:
  • You will have to create a certificate in ACM with your own domain process.domain if I got it right.
  • Create a cname record for you CLB in process.domain like myoldapp.process.domain mapping to your LB.
  • From your CLB, in the listeners, configure the https listener to use the certificate you created for process.domain in step 1.

That should be ok. When a request is coming with myoldapp.process.domain and reach the LB, and the cert on it is configured process.domain; the ssl termination should happen properly with this setup on the LB level.

huangapple
  • 本文由 发表于 2023年6月5日 14:21:24
  • 转载请务必保留本文链接:https://go.coder-hub.com/76403937.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定