I’m using Nginx as a reverse proxy on an EC2 in the private subnet. In the public subnet, I created an ALB and also created an ACM for domain proxy.mydomain.test.
The LB’s target group is using 443 port with HTTPS protocol. The LB’s listener is also using the 443 port and HTTPS protocol, even ELBSecurityPolicy-2016-08 ssl policy and ACM’s certificate arn. It’s action is using forward.
The LB’s listener rule’s action is also forward with host_header condition. Its value is the full domain proxy.mydomain.test.
The Nginx proxy server’s duty is to point to the ELB endpoint in the internal subnet which serving an another service. So it maybe should use proxy_pass, then I think the /var/www/html isn’t necessary.
So about the Nginx in the EC2, is it necesary to create a self signed cert?
And, in the server listen config of Nginx, use 80 or 443 to catch the inbound?
2
Answers
This is up to your architecture.
NGINX proxyis the public endpoint, it must have SSLcertificate.
Load Balanceris the public endpoint, it musthave SSL certificate.
At this case, your
Load Balanceris internal config which only allows internal VPC access so HTTP traffic (over port 80) is enough. But for best practices, you can enhance security at any layers and make them HTTPS which is encouraged.For security reasons, for the public endpoint, we usually configure to redirect traffic from port 80 to port 443.
Reference: https://linuxize.com/post/redirect-http-to-https-in-nginx/
Usually you don’t need SSL/HTTPS between ALB and instances, or when you route traffic within a VPC. So your traffic would be:
Usually you only encrypt traffic from the internet to ALB.