
I’m using Nginx as a reverse proxy on an EC2 instance in the private subnet. In the public subnet, I created an ALB and also created an ACM certificate for the domain proxy.mydomain.test.

The LB’s target group is using port 443 with the HTTPS protocol. The LB’s listener is also using port 443 and the HTTPS protocol, with the ELBSecurityPolicy-2016-08 SSL policy and the ACM certificate ARN. Its action is forward.

The LB’s listener rule’s action is also forward, with a host_header condition. Its value is the full domain proxy.mydomain.test.

The Nginx proxy server’s duty is to point to the ELB endpoint in the internal subnet, which serves another service. So it should probably use proxy_pass, and then I think /var/www/html isn’t necessary.

So for the Nginx on the EC2 instance, is it necessary to create a self-signed cert?

And in Nginx’s server listen config, should I use 80 or 443 to catch the inbound traffic?

2 Answers


  1. This is up to your architecture.

    • If your NGINX proxy is the public endpoint, it must have an SSL
      certificate.
    • If your Load Balancer is the public endpoint, it must
      have an SSL certificate.

    In this case, your Load Balancer is an internal config which only allows internal VPC access, so HTTP traffic (over port 80) is enough. But as a best practice, you can enhance security at any layer and make them HTTPS, which is encouraged.

    For security reasons, on the public endpoint we usually configure a redirect of traffic from port 80 to port 443.

    Reference: https://linuxize.com/post/redirect-http-to-https-in-nginx/

  2. Usually you don’t need SSL/HTTPS between ALB and instances, or when you route traffic within a VPC. So your traffic would be:

    client ---(HTTPS)--->ALB----(HTTP)--->NGINX---(HTTP)--->ALB
    

    Usually you only encrypt traffic from the internet to ALB.

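The two setups the answers describe, written out as an Nginx server block for the asker's EC2 proxy. This is an added example, not configuration from the question or either answer; the internal ALB hostname and the certificate paths are placeholders.

```nginx
# Added example. Assumed values (not from the page):
#   internal-alb.example.internal   DNS name of the internal ALB (placeholder)
#   /etc/nginx/certs/proxy.{crt,key} self-signed pair, only needed for the 443 variant
#
# Variant A (answer 2): public ALB terminates TLS, target group is HTTP/80,
# Nginx listens on plain 80 inside the VPC and forwards over HTTP.
server {
    listen 80;
    server_name proxy.mydomain.test;

    # Answer the ALB health check locally, so a slow internal service does not
    # make the ALB mark this proxy unhealthy.
    location = /healthz {
        add_header Content-Type text/plain;
        return 200 'ok';
    }

    location / {
        proxy_pass http://internal-alb.example.internal;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Keep the value the public ALB set ("https"); $scheme here would be "http".
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_connect_timeout 5s;
    }
}

# Variant B (the asker's current target group: HTTPS/443). The ALB does not
# validate the target's certificate, so a self-signed one is sufficient, e.g.:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -subj '/CN=proxy.mydomain.test' -keyout proxy.key -out proxy.crt
server {
    listen 443 ssl;
    server_name proxy.mydomain.test;
    ssl_certificate     /etc/nginx/certs/proxy.crt;
    ssl_certificate_key /etc/nginx/certs/proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://internal-alb.example.internal;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_connect_timeout 5s;
    }
}
```

Use only one of the two server blocks, matching the target group's protocol; the security groups on the ALB and the instance remain the actual boundary in either variant, since the self-signed certificate only encrypts the ALB-to-Nginx hop and does not authenticate it.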