Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Using HTTP between CloudFront and EC2 for HTTPS site

Our application is currently running on EC2 instances, requiring HTTPS (and redirecting HTTP to HTTPS). We are now considering serving all requests via CloudFront and enforcing HTTPS through CloudFront. Our thought is that once we do that we would then block HTTP/HTTPS requests not coming from CloudFront and relax the HTTPS requirement. This way all requests to CloudFront would be via HTTPS, but CloudFront would retrieve the data from the EC2 origin via HTTP. This way we would a) reduce some server overhead since the server doesn't have to do the TLS encryption and b) eliminate the need to manage certificates for the EC2 instances.

Are there any security concerns with this or other reasons not to do this?

like image 276
Aaron J Spetner Avatar asked Jul 09 '26 06:07

Aaron J Spetner


2 Answers

Actually, here in the company where I am working, we have the following scenario.

  • EC2 -> ELB -> CF (+ AWS Certificate) = HTTP and HTTPS

    • EC2 always work with 80
    • CF work with both 443 and 80.

It is easy to configure and so far we don't have problems.

like image 57
Joseph Paz Aliaga Avatar answered Jul 11 '26 21:07

Joseph Paz Aliaga


To add additional security you can do the following.

  • Having a secret token header sent from CloudFront which is verified at the EC2 instance to serve the request.
  • Only allowing the IP address ranges of CloudFront, in EC2's or ELB's security group for inbound request.
like image 42
Ashan Avatar answered Jul 11 '26 21:07

Ashan