Serving SSL with AWS ELBs and Apache

So you have a site that is on an EC2 instance, and you want to turn it into an SSL site. That’s a common task, but what if you have multiple SSL sites on that host. You can’t share the IP and still have things work for older browsers, so you end up using ELBs.

There are a couple of ways to do this, depending on how complicated you want things. The obvious solution might be to just setup SSL listeners on alternate ports with your webserver, and then map the ELB to those ports for each vhost.

That is madness. And not always possible. What if you’re using some webapp that only answers for HTTP? Or the SSL operations for your webapp are incredibly slow. Or you are lazy. And what if all you want to do is direct the non-SSL to SSL versions of the site? Even if you don’t redirect, that’s still 2 vhosts to maintain. So what to do?

Simple. ish.

First, setup the listeners on the ELB so that they both point to HTTP on the instance protocol. You’ll still have to setup the SSL listener on the ELB, but both the HTTP and HTTP inbound traffic will get directed to the instance’s HTTP.

And that’s it. Unless you want to redirect non-SSL to SSL. Then you’ll need to add this to your vhost :

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]

The ELB is nice enough to give you the request’s original protocol, allowing you to redirect as needed.

There are some problems I’ve seen, though. Some webapps, or even framework modules, will insist they be run on SSL only, and will see all this as happening only via HTTP, so they might get upset. In these cases, you will likely need to go ahead and do the port mapping bit, which is hell to maintain for a bunch of sites.

Someday I’m hoping enough browsers will support SSL vhosting that this can all become moot.

Serving SSL with AWS ELBs and Apache