 

Cloudfront, ELB and SSL

If I use CloudFront to sit in front of a webserver, which itself is behind an ELB, would the following apply?

  • I use Route53 to create a domain name record for the CF domain and apply an SSL certificate to that domain to secure the distribution

  • If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server)

  • Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?

  • When CF forwards the request through the ELB, the SSL is terminated. Is that right? Will one FQDN cert suffice, or is it better to use a wildcard? Is it better to use the origin server domain name instead?

As I can now use the new AWS Certificate Manager tool (ACM) to add these certs, does anyone know if CF still requires the cost for use of a custom SSL cert if using ACM (which makes CF an expensive AWS service)?

JoeShmoe asked Feb 02 '16 15:02


1 Answer

If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server)

The SSL connection is not "forwarded". A new SSL connection is established between CloudFront and the ELB.

The SSL connection between the user and CloudFront is a completely different connection than the one between CloudFront and the ELB. Therefore, there are no requirements on matching the domain names used on the ELB and CloudFront.

Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?

The only restriction is that the SSL certificate on the ELB must match the domain name used on the ELB. It can be a different SSL cert and domain name than those used on CloudFront.

If you want to use the "Custom SSL" feature and support "All Clients", not just those that support SNI, then yes, you must still pay the extra charges, even if you are using ACM.

Example 1

You can create Route 53 records for www.domain.com and origin.domain.com and an SSL cert for *.domain.com. From these, you would assign www.domain.com to the CloudFront distribution, origin.domain.com to your ELB, and use the wildcard cert on both.

Example 2

You can create Route 53 records for www.domain.com and origin.domain.com and separate SSL certs for www.domain.com and origin.domain.com. From these, you would assign www.domain.com to the CloudFront distribution using the www.domain.com cert, and origin.domain.com to your ELB using the origin.domain.com cert.

Example 3

You can create Route 53 records for www.domain1.com and origin.domain2.com and separate SSL certs for www.domain1.com and origin.domain2.com. From these, you would assign www.domain1.com to the CloudFront distribution using the www.domain1.com cert, and origin.domain2.com to your ELB using the origin.domain2.com cert.

Matt Houser answered Sep 18 '22 21:09
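The point of the answer is that the viewer-to-CloudFront and CloudFront-to-ELB hops are separate TLS sessions, so each endpoint's certificate only has to cover that endpoint's own hostname. The following is an added example (not from the answer or from AWS) that checks the three layouts above with RFC 6125-style hostname matching; the `Endpoint` class and the sample hostnames are constructed for illustration.

```python
from dataclasses import dataclass


def cert_matches_host(cert_names, hostname):
    """True if one of the certificate's names covers hostname. A wildcard covers
    exactly one leftmost label: '*.domain.com' covers 'www.domain.com' but
    neither 'domain.com' nor 'a.b.domain.com'."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".domain.com"
            leftmost = host[: -len(suffix)] if host.endswith(suffix) else ""
            if leftmost and "." not in leftmost:
                return True
    return False


@dataclass(frozen=True)
class Endpoint:  # hypothetical helper, not an AWS API
    role: str          # "CloudFront" or "ELB"
    hostname: str      # the Route 53 name that clients (or CloudFront) connect to
    cert_names: tuple  # subject names in the certificate attached to this endpoint


def check_layout(cloudfront, elb):
    """Each hop is its own TLS session, so each endpoint is checked only against
    its own certificate; the two hostnames never have to match each other."""
    problems = []
    for ep in (cloudfront, elb):
        if not cert_matches_host(ep.cert_names, ep.hostname):
            problems.append(f"{ep.role}: {ep.cert_names} does not cover {ep.hostname}")
    return problems


# The three layouts from the answer, plus one mistake (ELB reusing the www cert).
LAYOUTS = {
    "example1": (Endpoint("CloudFront", "www.domain.com", ("*.domain.com",)),
                 Endpoint("ELB", "origin.domain.com", ("*.domain.com",))),
    "example2": (Endpoint("CloudFront", "www.domain.com", ("www.domain.com",)),
                 Endpoint("ELB", "origin.domain.com", ("origin.domain.com",))),
    "example3": (Endpoint("CloudFront", "www.domain1.com", ("www.domain1.com",)),
                 Endpoint("ELB", "origin.domain2.com", ("origin.domain2.com",))),
    "mismatch": (Endpoint("CloudFront", "www.domain.com", ("www.domain.com",)),
                 Endpoint("ELB", "origin.domain.com", ("www.domain.com",))),
}


def check_all():
    return {name: check_layout(cf, elb) for name, (cf, elb) in LAYOUTS.items()}
```

The "mismatch" layout is the one to watch for: the ELB's certificate must name the origin hostname CloudFront actually connects to, not the public www name.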