
Multi-Tenant Application on AWS - Multiple SSL Certificate Installation Strategies

I'm doing some planning for a Rails multi-tenant application, and wondered what the best approach was for handling certificates for custom domains. Application is pretty bog standard; ELB, application servers, and multi-tenant DB.

In my current use case, the tenants will each have an application subdomain unique to them. That's routinely handled with a wildcard certificate.

However, when I look ahead and consider custom domain support (with SSL certificates either uploaded by client or self-generated, and stored in AWS Certificate Manager), I'm not sure how I would best handle installing multiple certificates. Assume that name servers have already been configured and that I've generated/secured the appropriate SSL certificates via AWS CM, letsencrypt, or have .

There are a few options I can see and I'd love some direction on how best to proceed:

ELB SSL Termination

One ELB Per Domain, Points to Central ELB

In this scenario, I see an ELB being created with the custom domain certificate installed. That ELB acts as a proxy and points to the main ELB, which then load balances as per normal. I favour this approach myself and the additional $20/month+ per ELB is fine.

Question: Can you chain multiple ELBs without losing important header data (like the host)? I have not tried this before.

One ELB Per Domain, Individual Instances Registered

In this scenario, each custom domain would be installed on an ELB with the custom domain certificate installed, and would have each server instance registered directly to it. I don't see this being ideal, as I would have to automate (de/)registering instances on each ELB every time I spin up/down an instance.

Self-Managed Load Balancer SSL Termination

Using HAProxy or an alternative, SSL certificates are loaded and added/removed as appropriate. I'll then need to (de/)register instances with HAProxy as well as managing the HAProxy server directly. I don't favour this approach as I'm trying to reduce the number of instances I need to directly manage.

Application Server SSL Termination

This feels pretty ugly to me, as I'd need to install each certificate on each application server at launch time and then restart(?) each server as they change.

Are there any other approaches I'm missing? Considerations I've neglected?

Edit 1: ALB supports 25 certificates

Chris mentioned below (thanks again!) that AWS Application Load Balancers will support up to 25 certificates. That'll certainly be enough to get me started, however I'm curious what the approaches could be to scale beyond that. Multiple ALBs, HAProxy, or...?

Rich Seviora asked Oct 11 '17 23:10


2 Answers

On Oct. 10, 2017, AWS announced support for multiple SSL certs on application load balancers (ALBs).

So the solution is to use an ALB. You can have multiple target groups associated with each ALB, and you can do hostname based routing, so even if you end up having to shard your back ends, you can still point at a single ALB.

Edit 1: As @Michael - sqlbot points out, if you need more than 25 certs per ALB, you probably want to start using multiple ALBs just to reduce blast radius.

But if for some reason you need to do this, one other option to look into (note: I have not tried this) is to use a CloudHSM for SSL/TLS processing. There are two versions: the CloudHSM Classic (one time $5,000 fee, plus $1.88/hr for a dedicated appliance) and a new CloudHSM which is only $1.60/hr.

chris answered Sep 18 '22 15:09
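
The multi-ALB sharding this answer suggests for going past 25 certificates, as an added example that is not part of the original answer: a planner that packs tenants' certificates onto ALBs without splitting a tenant across balancers, plus the boto3 `add_listener_certificates` call that attaches them. Tenant names, domains, ARNs and the `alb-N` labels are constructed placeholders, and the planner itself is an assumption about how one might shard.

```python
from dataclasses import dataclass, field

CERTS_PER_ALB = 25  # figure quoted on this page; confirm your current quota

@dataclass
class Shard:
    name: str                                    # hypothetical label, e.g. "alb-0"
    arns: set = field(default_factory=set)       # certificates on this ALB
    domains: dict = field(default_factory=dict)  # custom domain -> tenant

def plan_shards(tenant_certs, capacity=CERTS_PER_ALB):
    """Pack {tenant: {domain: cert_arn}} onto ALBs, first-fit decreasing.
    A tenant never spans two ALBs, which bounds who a fault on one ALB affects."""
    shards, owner = [], {}
    order = sorted(tenant_certs.items(),
                   key=lambda kv: (-len(set(kv[1].values())), kv[0]))
    for tenant, certs in order:
        arns = set(certs.values())
        if len(arns) > capacity:
            raise ValueError(f"{tenant} needs {len(arns)} certs, over one ALB")
        names = {d.lower().rstrip(".") for d in certs}
        for d in names:  # refuse a domain that another tenant already claims
            if owner.setdefault(d, tenant) != tenant:
                raise ValueError(f"{d} claimed by {owner[d]} and {tenant}")
        shard = next((s for s in shards if len(s.arns | arns) <= capacity), None)
        if shard is None:
            shard = Shard(f"alb-{len(shards)}")
            shards.append(shard)
        shard.arns |= arns
        shard.domains.update(dict.fromkeys(names, tenant))
    return shards

def apply_shard(shard, listener_arn, elbv2):
    """Attach a shard's certs to its HTTPS listener; elbv2 is a boto3 client."""
    for arn in sorted(shard.arns):  # the API accepts one certificate per call
        elbv2.add_listener_certificates(
            ListenerArn=listener_arn, Certificates=[{"CertificateArn": arn}])

def sample_tenants():
    """Constructed input: tenant -> {domain: placeholder ACM ARN}."""
    sizes = {"acme": 20, "globex": 10, "initech": 5, "umbrella": 3}
    return {t: {f"app{i}.{t}.example":
                f"arn:aws:acm:us-east-1:000000000000:certificate/{t}-{i}"
                for i in range(n)} for t, n in sizes.items()}

if __name__ == "__main__":
    for s in plan_shards(sample_tenants()):
        print(s.name, len(s.arns), sorted(set(s.domains.values())))
```

The `domains` map of each shard doubles as the list of hostnames whose DNS should point at that ALB.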


We had to deal with this issue at our SAAS. Our set up currently looks like this:

  • A central load balancer
  • Load balancer spreads traffic amongst a group of dedicated SSL termination servers
  • SSL termination servers proxy back to our application server
  • Our main application is hosted on AWS, but we use Digital Ocean for the front end set up

We use Let's Encrypt in all of this, of course, and we use Tenant SSL to manage the infrastructure.

geetfun answered Sep 17 '22 15:09