HTTPS not working on AWS Elastic Beanstalk

by

Adding HTTPS to elastic beanstalk environment isn’t complicated to configure; until I fell into small mistake. Some of configuration dashboard’s flow been changed a bit from last time I setup the SSL certificate to a beanstalk environment.

Assumptions:

  • SSL certificate is ready from AWS Certificate manager.
  • Using lassic Load Balancer (Optional)
  • Configuration on application side is all fine.

Now assumption is we already have a SSL certificate created from AWS Certificate manager. We will head inside configuration of beanstalk environment. Under Load Balancer Configuration, we will add new lister that listens to HTTPS protocol at port 443. Under the settings, HTTP listener will already be added by default. Another assumption is that default security group added during creation of environment has all correct inbound rules to allow proper incoming access. Generally this is all taken care by beanstalk environment behind the scenes so we will not delve into too deep but focus on abstraction layer where making a mistake is easily susceptible to a new user.

Now, I will add new listener.

Description says:

You can specify listeners for your load balancer. Each listener routes incoming client traffic on a specified port using a specified protocol to your instances. By default, we’ve configured your load balancer with a standard web server on port 80.

The UI flow look like this.


I added HTTPS protocol in listener and Port to 443 in the fields. After changing listener settings, it will also change the instance settings to port 443 and HTTPS. When I saved this configuration that was the mistake I made. This didn’t work and my website didn’t worked with https request.

Here is the kicker: The configuration description says:

Instance protocol

The protocol to use for routing traffic to backend instances. This must be at the same internet protocol layer as the listener protocol. It also must have the same security level as any other listener using the same instance port as this listener.

Listener protocol

The load balancer transport protocol to use for routing.

The description even says that instance protocol must be same as listener protocol. But in this case it is not because when setting both instance and listener to port 443 it simply doesn’t work.

Why? It looks adding HTTPS listener doesn’t necessarily add it on backend listener. The behaviour is that HTTPS request from user agent like browser or app to the load balancer is encrypted but then from load balancer to instance at backend is unencrypted. That is what I am thinking. This stack is created by elastic beanstalk tased on platform that is deployed. I couldn’t figure it out to activate https at instance port or backend from dashboard’s configuration. Not knowing if it is allowed.

So Next I updated setting instance port at port 443 to listen https but didn’t work in image below. Beanstalk environment’s health went severe.


Then what’s the bottom line?

Well, Changing instance port to 443 didn’t work and Only having port 80 at instance port seems to make it work. What does it means in for security? There are documentation which makes it more confusing for me
If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the SSL requests and communication from the load balancer to the instances is not encrypted. If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.

With that information provided in AWS Documentation, communication isn’t been encrypted between load balancer and instance. Only communication between user agent and load balancer is encrypted. If I am analysing this correctly.


Conclusion: I hope this meets your needs. As in above image, For now the way to make HTTPS work in elastic beanstalk is to set instance port at 80 and protocol to HTTP with listener port at 443 and listener protocol to HTTPS.

You might also like: AWS Elastic Beanstalk Swap Environment Urls

You might also like: How to redirect HTTP to HTTPS in Elastic Beanstalk

More Articles

Recommended posts