Sunday, November 10, 2019

apache 2.2 - Providing a static IP for resources behind AWS Elastic Load Balancer (ELB)



I need a static IP address that handles SSL traffic from a known source (a partner). The reason the IP needs to be static is that the partner requires this in order to maintain PCI compliance.

Our servers are behind an AWS Elastic Load Balancer (ELB), which cannot provide a static IP address; there are many threads about this here.

My thought is to create an instance in EC2 whose sole purpose in life is to be a reverse proxy server having its own IP address, accepting HTTPS requests and forwarding them to the load balancer.

Are there better solutions?


Answer



In the end, I implemented the requirement of our partner as follows:




  • Launched an instance in AWS

  • Allocated an Elastic IP (EIP) and attached it to the instance

  • Installed Apache

  • Installed our SSL certificate (in our case)

  • Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB




Here's a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a block that accepts requests only from their IP range.




# Catch non-SSL requests and redirect to SSL
# (203.0.113.10 stands in for the EIP; the original omits the address)
<VirtualHost 203.0.113.10:80>
    ServerName our-static-ip-a-record.example.com
    Redirect / https://our-elb-cname.example.com
</VirtualHost>

# Handle SSL requests on the static IP
<VirtualHost 203.0.113.10:443>
    ServerAdmin monitor@example.com
    ServerName our-static-ip-a-record.example.com

    # SSL Configuration
    SSLEngine on
    SSLProxyEngine on
    # CA bundle used to verify the ELB's certificate; only consulted when
    # SSLProxyVerify is set (the 2.2 default is "none", i.e. no verification)
    SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
    SSLCertificateFile /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    # Additional defaults, e.g. ciphers, defined in apache's ssl.conf

    # Where the magic happens
    ProxyPass / https://our-elb-cname.example.com/
    ProxyPassReverse / https://our-elb-cname.example.com/

    # Controls only the Via header; mod_proxy_http adds X-Forwarded-For
    # (and X-Forwarded-Host / X-Forwarded-Server) regardless of this setting
    ProxyVia off

    # This came from an example I found online, handles broken connections from IE
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

Hope this saves someone else some time in the future :-)
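A hardened variant of that vhost, added here as an example (it is not the configuration from the answer above): it adds the partner-range restriction the answer mentions, verifies the ELB's certificate before forwarding, and redirects plain HTTP to the static hostname rather than to the ELB CNAME, which would otherwise send the partner's client off the static IP. 203.0.113.10 (the EIP) and 198.51.100.0/24 (the partner's range) are placeholder values; hostnames and file paths are the answer's.

```apache
# Placeholders (not in the original answer): 203.0.113.10 = the EIP,
# 198.51.100.0/24 = the partner's source range. Apache 2.2 syntax.

<VirtualHost 203.0.113.10:80>
    ServerName our-static-ip-a-record.example.com
    # Redirect to the static hostname rather than the ELB CNAME, so the
    # partner's traffic stays on the fixed IP they allow-listed
    Redirect permanent / https://our-static-ip-a-record.example.com/
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerAdmin monitor@example.com
    ServerName our-static-ip-a-record.example.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key

    # Only the partner's range may reach the proxied application through
    # this IP; everyone else gets 403 before the request is forwarded
    <Location />
        Order deny,allow
        Deny from all
        Allow from 198.51.100.0/24
    </Location>

    # Verify the ELB's certificate against the CA bundle instead of
    # trusting whatever endpoint the CNAME resolves to (2.2 default: none)
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
    # The ProxyPass hostname must match the CN/SAN of the ELB's certificate
    SSLProxyCheckPeerCN on

    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests Off
    ProxyPass / https://our-elb-cname.example.com/
    ProxyPassReverse / https://our-elb-cname.example.com/
    # Via header off; mod_proxy_http still adds X-Forwarded-For upstream
    ProxyVia Off

    # Separate log so partner traffic can be audited against the allow-list
    CustomLog /var/log/apache2/partner-proxy.log combined
</VirtualHost>
```

Validate with apache2ctl configtest before reloading, then confirm from an address outside the partner range that the 443 vhost answers 403 rather than forwarding to the ELB.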

