Setting Up ELB with SSL - What is Backend Authentication?

amazon-ec2 ssl amazon-web-services amazon-elb
14,063

Solution 1

The previous answer is not 100% accurate.

What back-end authentication ACTUALLY does is ensure that the public-key your backend server reports (when ELB is talking to your server over HTTPS/SSL) matches a public key you provide. This would prevent somebody from attaching a malicious server to your ELB, or mitigate somebody hijacking the traffic between ELB and your servers.

Back-end authentication does NOT take into account whether or not the client (a browser for example) is communicating to your ELB over HTTPS/SSL. You can have an ELB communicate to a client over HTTP, while communicating to your backend servers over HTTPS/SSL with backend communication. This would only ensure the communication between ELB and your server is secure, NOT if the clients connection is secure.

In summary

As long as your ELB is communicating to your backend instance over HTTPS, that traffic is encrypted, although it may be hijacked. Back-end authentication helps prevent that traffic from being hijacked.

Why would you not use back-end authentication?

Performance. With back-end authentication enabled, we've seen around a 50-70ms increase in response time when communicating through ELB (with all other HTTPS is enabled).

Solution 2

Back-end authentication ensures all traffic to/from the instances, the load balancer and the client will be encrypted.

I was having some trouble with this setup myself, however after some digging I found the respective section within the Elastic Load Balancing Developer Guide, see Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication - in particular, you may want to read how to achieve this by means of Using [the] AWS Management Console, which provides a helpful walkthrough and illustrations for the various topics involved.

Share:
14,063
whobutsb
Author by

whobutsb

Lead Developer of Trendyr.com. PHP, Javascript, HTML5, Cloud-Computing aficionado. Electronic Music Enthusiast.

Updated on September 18, 2022

Comments

  • whobutsb
    whobutsb over 1 year

    I started setting up Amazon's Elastic Load Balancing Service for my server pool and I need to setup HTTPS/SSL. I have all my SSL Certificates setup, but then I come to the step for backend authentication and I'm unsure what certificate is required with the "Backend Authentication".

    Is it my sites private key, public key, or do I need to generate a new key on the server?

    Thank you for the assistance.

    • Hunter Leachman
      Hunter Leachman about 8 years
      "then I come to the step for backend authentication and I'm unsure what certificate is required with the "Backend Authentication". Is it my sites private key, public key, or do I need to generate a new key on the server?" <---- Anyone have an answer to this part of the question? Is this another SSL certificate or the keypair .pem file they give you when creating a security group?
  • whobutsb
    whobutsb over 12 years
    Thank you for the reply, I'm sorry I didn't get back to you sooner. Reading over this now!
  • xor
    xor over 8 years
    Hi William, thanks for the explanation. But whats the verdict, do it or not? What are the chances that communcation between elb and instances gets compromised? Or even a malicious server gets attached to the elb?
  • Cyril Duchon-Doris
    Cyril Duchon-Doris over 6 years
    To be able to attach a malicious server to an ELB, one would need some AWS credentials with ELB registration privileges. I'd say those credentials are held by your deployment servers or by yourself. If those credentials are leaked, there's also a high chance the attacker can connect to your backend anyway (since your deployment machines need to update app versions they most likely have some sort of SSH access) so having https backend encryption probably won't make a difference since the attacker could directly connect to the backends.
  • Shankar
    Shankar almost 5 years
    If suppose I am using AWS default security policy - ELBSecurityPolicy-2016-18. So which public key or private key going to be used on back-end authendication.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Install SSL on Amazon Elastic Load Balancer with GoDaddy Wildcard Certificate
AWS Load Balancer: 503 (Service Unavailable: Back-end server is at capacity)
Does AWS Application load balancer actually support compression?
How to solve AWS ELB/EC2 HTTP 503 with timeout settings?
Possible for HAProxy to perform a mix of SSL termination and passthrough?
Using ELB Across Multiple Regions
AWS elastic load balancer basic issues
ELB Instance Out of service
Full end to end encryption with AWS Elastic Load Balancer, Nginx and SSL
Is it okay to use an Elastic Load Balancer for ssh/sftp traffic?