Description:
Before you start using Elastic Load Balancing, you must configure one or more listeners for your Classic Load Balancer. A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instance) connections.
Elastic Load Balancing supports the following protocols:
HTTP
HTTPS (secure HTTP)
TCP
SSL (secure TCP)
The HTTPS protocol uses the SSL protocol to establish secure connections over the HTTP layer. You can also use the SSL protocol to establish secure connections over the TCP layer.
If the front-end connection uses TCP or SSL, then your back-end connections can use either TCP or SSL. If the front-end connection uses HTTP or HTTPS, then your back-end connections can use either HTTP or HTTPS.
Rationale:
If you have a load balancer with a listener that accepts HTTP requests on port 80, you can add a listener that accepts HTTPS requests on port 443. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the SSL requests and communication from the load balancer to the instances is not encrypted. If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.
Impact:
If your load balancer uses an encrypted connection to communicate with instances, you can optionally enable authentication of the instances. This ensures that the load balancer communicates with an instance only if its public key matches the key that you specified to the load balancer for this purpose.
Default Value:
By default, the instance protocol is HTTP. If you want to set up back-end instance authentication, change the instance protocol to HTTPS (Secure HTTP). This also updates the instance port.
Audit:
Log in to the AWS Management Console
Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Click Load Balancers in the navigation panel.
Select the Elastic Load Balancer that you want to examine.
Select the Listeners tab
Under the Load Balancer Protocol column, check the protocol for each listener available. If there is no listener using the HTTPS or SSL protocol, the selected ELB listeners configuration is not secure (the front-end connection is not encrypted).
Via CLI:
To list the listeners configured on a Classic Load Balancer (the elbv2 commands apply to Application and Network Load Balancers, not to Classic Load Balancers):
aws elb describe-load-balancers \
--load-balancer-names my-load-balancer \
--query 'LoadBalancerDescriptions[].ListenerDescriptions[].Listener'
Review the Protocol and InstanceProtocol of each listener returned. If no listener has Protocol HTTPS or SSL, the front-end connection is not encrypted; an HTTPS or SSL listener whose InstanceProtocol is HTTP or TCP terminates TLS at the load balancer and forwards to the instances in cleartext.
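The audit above can be scripted against the JSON that `aws elb describe-load-balancers` returns. The following is an added example written for this page, not code from the benchmark or from AWS; it evaluates the `LoadBalancerDescriptions` structure offline against a constructed sample (the load balancer names and certificate placeholder are made up) and reports, per load balancer, whether the front-end connection is encrypted and whether every encrypted front-end listener also encrypts the back-end connection, which is the distinction the rationale section draws.

```python
import json
import sys

# Protocols that encrypt the connection on the side of the listener they are set on.
ENCRYPTED_PROTOCOLS = {"HTTPS", "SSL"}


def audit_listeners(load_balancer):
    """Evaluate one entry of LoadBalancerDescriptions from
    `aws elb describe-load-balancers`.

    front_end_encrypted: at least one listener uses HTTPS or SSL.
    back_end_encrypted:  every HTTPS/SSL listener also forwards to the
                         instances over HTTPS or SSL (False when there is no
                         encrypted front-end listener at all).
    findings:            one line per weakness, in listener order.
    """
    findings = []
    front_end_encrypted = False
    every_encrypted_listener_forwards_encrypted = True

    for entry in load_balancer.get("ListenerDescriptions", []):
        listener = entry["Listener"]
        proto = listener["Protocol"].upper()
        inst_proto = listener["InstanceProtocol"].upper()
        lb_port = listener["LoadBalancerPort"]
        inst_port = listener["InstancePort"]

        if proto not in ENCRYPTED_PROTOCOLS:
            findings.append(f"{proto}:{lb_port} accepts unencrypted front-end connections")
            continue

        front_end_encrypted = True
        if not listener.get("SSLCertificateId"):
            findings.append(f"{proto}:{lb_port} has no SSLCertificateId attached")
        if inst_proto not in ENCRYPTED_PROTOCOLS:
            every_encrypted_listener_forwards_encrypted = False
            findings.append(
                f"{proto}:{lb_port} terminates TLS and forwards to "
                f"{inst_proto}:{inst_port} in cleartext"
            )

    if not front_end_encrypted:
        findings.append("no HTTPS or SSL listener: front-end connection is not encrypted")

    return {
        "name": load_balancer["LoadBalancerName"],
        "front_end_encrypted": front_end_encrypted,
        "back_end_encrypted": front_end_encrypted and every_encrypted_listener_forwards_encrypted,
        "findings": findings,
    }


def audit_all(describe_output):
    """Run audit_listeners over the full describe-load-balancers document."""
    return [audit_listeners(lb) for lb in describe_output.get("LoadBalancerDescriptions", [])]


def _listener(proto, lb_port, inst_proto, inst_port, cert=None):
    """Build one ListenerDescriptions entry in the shape the CLI returns."""
    listener = {"Protocol": proto, "LoadBalancerPort": lb_port,
                "InstanceProtocol": inst_proto, "InstancePort": inst_port}
    if cert:
        listener["SSLCertificateId"] = cert
    return {"Listener": listener, "PolicyNames": []}


# Constructed sample, not real AWS output: three Classic Load Balancers in the
# three states the rationale describes (names and certificate ARN are placeholders).
PLACEHOLDER_CERT = "arn:aws:iam::000000000000:server-certificate/placeholder"
SAMPLE_DESCRIBE_OUTPUT = {
    "LoadBalancerDescriptions": [
        {"LoadBalancerName": "web-http-only",
         "ListenerDescriptions": [_listener("HTTP", 80, "HTTP", 80)]},
        {"LoadBalancerName": "web-tls-terminated",
         "ListenerDescriptions": [
             _listener("HTTP", 80, "HTTP", 80),
             _listener("HTTPS", 443, "HTTP", 80, cert=PLACEHOLDER_CERT)]},
        {"LoadBalancerName": "web-end-to-end",
         "ListenerDescriptions": [_listener("HTTPS", 443, "HTTPS", 443, cert=PLACEHOLDER_CERT)]},
    ]
}


if __name__ == "__main__":
    # Pipe real output in (aws elb describe-load-balancers | python audit.py)
    # or run without stdin to evaluate the constructed sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for result in audit_all(data):
        status = "OK" if result["back_end_encrypted"] and not result["findings"] else "FAIL"
        print(f"{status} {result['name']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run it against a whole account with `aws elb describe-load-balancers | python audit.py`; a load balancer only passes when every listener encrypts both the front-end and the back-end connection, so a plain HTTP:80 listener left alongside the HTTPS listener is still reported.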
Remediation:
Pre-Requisites:
To use an HTTPS listener, you must deploy an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate the client connection and decrypt requests before sending them to the instances. If you do not have an SSL certificate, you can create one.
Implementation Steps:
Log in to the AWS Management Console
Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Click Load Balancers in the navigation panel.
- Select the Elastic Load Balancer you want to modify
- Select the Listeners tab from the bottom panel and click the Edit button under the available listener(s).
- In the Edit listeners dialogue box, click Add to add a new entry.
- In the Load Balancer Protocol dropdown list, select HTTPS (Secure HTTP), set the load balancer port to 443, select the SSL certificate, and click the Save button.
- Delete the Listeners other than HTTPS by clicking on Remove
Via CLI:
To add a listener that accepts HTTPS requests on port 443 and sends the requests to the instances on port 80 using HTTP (the load balancer terminates TLS; the back-end connection is not encrypted):
aws elb create-load-balancer-listeners \
--load-balancer-name my-load-balancer \
--listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN
To add a listener that accepts HTTPS requests on port 443 and sends the requests to the instances on port 443 using HTTPS (the back-end connection is also encrypted; prefer this form):
aws elb create-load-balancer-listeners \
--load-balancer-name my-load-balancer \
--listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=ARN
Backout Plan:
To remove the port 443 listener again, follow the implementation steps above to open the Edit listeners dialogue box, click the Remove button next to the port 443 entry, and click the Save button.
Via CLI:
To delete the listener on port 443 from a Classic Load Balancer (the elbv2 delete-listener command and listener ARNs apply to Application and Network Load Balancers, not to Classic Load Balancers):
aws elb delete-load-balancer-listeners \
--load-balancer-name my-load-balancer \
--load-balancer-ports 443
Reference:
Listeners for your Classic Load Balancer - Elastic Load Balancing
Configure an HTTPS listener for your Classic Load Balancer - Elastic Load Balancing