I was looking for a cheap AWS service that would terminate TLS and also take care of signing an Amazon certificate for an internal application. I found that I can use Cloudfront with a custom origin pointing to the public IP of an EC2 instance.
I have built the mentioned setup and it works just fine, but I had to open the application port on my EC2 instance to the world and it speaks http. Is that safe or does my cost optimization make no sense?
Thanks for any help! :)
IIRC, if Cloudfront is terminating SSL, then you can't use HTTPS on the back-end and it has to be HTTP from Cloudfront<-->EC2.
If you have opened that same web app/server directly to the Internet on HTTP, then that is bypassing Cloudfront and you're losing whatever caching/protection/SSL-termination/cost-savings that Cloudfront provides.
You can also use the AWS Classic Load Balancer to reverse-proxy HTTP (forwarding HTTP to your EC2), which provides a layer of abstraction and a little more protection than HTTP directly to your EC2 instance.
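The answer above points out that leaving the application port open to the world lets anyone skip CloudFront entirely. One way to close that hole at the application layer, as an added example that is not part of the original post or answers: configure the CloudFront distribution to attach a custom origin header to every request it forwards (the header name `X-Origin-Verify`, the secret value, and the `ORIGIN_VERIFY_SECRET` environment variable are assumptions for this example), and have the origin reject any request that does not carry the exact value. This complements, rather than replaces, a security group that only admits CloudFront's origin-facing address ranges (the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing`) on the application port.

```python
"""WSGI middleware that refuses requests which did not arrive via CloudFront.

Added example, not from the original post. Assumes CloudFront is configured
to add a custom origin header (assumed name: X-Origin-Verify) with a shared
secret to every request it forwards to the custom origin. Requests that hit
the EC2 public IP directly lack the header and get a 403.
"""
import hmac
import os

# Shared secret. The env var name and the fallback value are assumptions for
# this example; in production read it from a secrets store and never ship a
# default. CloudFront must send the same value in the custom origin header.
ORIGIN_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "change-me-in-production")
HEADER_NAME = "X-Origin-Verify"  # assumed custom origin header name


def wsgi_header_key(name: str) -> str:
    """Map an HTTP header name to its WSGI environ key (HTTP_X_ORIGIN_VERIFY)."""
    return "HTTP_" + name.upper().replace("-", "_")


def is_from_cloudfront(environ: dict, secret: str = ORIGIN_SECRET) -> bool:
    """True only if the request carries the exact shared origin secret."""
    presented = environ.get(wsgi_header_key(HEADER_NAME), "")
    # Constant-time comparison so a wrong guess cannot leak the secret via timing.
    return hmac.compare_digest(presented.encode("utf-8"), secret.encode("utf-8"))


def require_cloudfront(app):
    """Wrap a WSGI app so that every request is gated on is_from_cloudfront()."""
    def wrapped(environ, start_response):
        if not is_from_cloudfront(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to origin is not allowed\n"]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Stand-in for the internal HTTP application behind CloudFront."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the internal app\n"]


app = require_cloudfront(hello_app)


def handle(environ: dict) -> tuple:
    """Push one request through the wrapped app; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests: one as CloudFront would forward it, one direct.
    via_cloudfront = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
                      wsgi_header_key(HEADER_NAME): ORIGIN_SECRET}
    direct_hit = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    print(handle(via_cloudfront))  # ('200 OK', b'hello from the internal app\n')
    print(handle(direct_hit))      # ('403 Forbidden', b'direct access to origin is not allowed\n')
    # To serve it for real:
    #   from wsgiref.simple_server import make_server
    #   make_server("", 8080, app).serve_forever()
```

The check is deliberately independent of the client IP: CloudFront's address ranges change, so the header is the robust application-level signal, while the security group restriction on the managed prefix list is the network-level one. Rotate the secret by adding a second accepted value, updating the CloudFront origin header, then dropping the old value.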
You can specify the Origin Protocol Policy you want CloudFront to use when fetching objects from the origin server. You can specify HTTPS. Caveats are:
Note the text in bold.
See AWS docs here for more info