Can I use Single AWS ELB to host 2 SSL Certs for 2 Different Domains?

Question

On AWS, I'm hosting Multiple (totally different) Domains on EC2 covered by an ELB on top. I already have 1 Wildcard SSL Cert for 1 Domain and its childs. (xxxx.site1.com)

Then now can I add one more Single SSL Cert (on same ELB) for 1 another different Domain, like (www.site2.com) please?

I'm asking this because some Articles are saying, it won't work and just crush.

Please kindly advise.

Answer 1

No. The only way you could do it is if you use a second port for HTTPS connections (other than 443) which doesn't apply to real world scenarios since 443 is the default port for HTTPS

Having said that, you can simply create a second ELB and assign your second wildcard certificate to it. You can also forward your traffic to the same backend server as the one where the first ELB is forwarding its traffic to.

Hope this helps.

Answer 2

Yes. But not by terminating SSL on the load balancer. You have to enable Proxy Protocol on the ELB and transparently forward TCP requests to the web server. There are more details in this article on how to configure the ELB with example NGINX configurations:

Multiple SSL domains on AWS ELB with Nginx

Using the AWS CLI to enable:

aws elb create-load-balancer-policy \  
  --load-balancer-name acme-balancer \
  --policy-name EnableProxyProtocol \
  --policy-type-name ProxyProtocolPolicyType \
  --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

aws elb set-load-balancer-policies-for-backend-server \  
  --load-balancer-name acme-balancer \
  --instance-port 9443 \
  --policy-names EnableProxyProtocol

aws elb describe-load-balancers --load-balancer-name acme-balancer

There is also a mod_proxy_protocol module available if you are using Apache.

This does NOT add an additional distribution layer; ELB still handles distributing the traffic, connection draining. However, SSL termination is handled by each individual server.