Setting Up ELB with SSL - What is Backend Authentication?
I started setting up Amazon's Elastic Load Balancing Service for my server pool and I need to setup HTTPS/SSL. I have all my SSL Certificates setup, but then I come to the step for backend authentication and I'm unsure what certificate is required with the "Backend Authentication".
Is it my sites private key, public key, or do I need to generate a new key on the server?
Thank you for the assistance.
Solution 1:
The previous answer is not 100% accurate.
What back-end authentication ACTUALLY does is ensure that the public-key your backend server reports (when ELB is talking to your server over HTTPS/SSL) matches a public key you provide. This would prevent somebody from attaching a malicious server to your ELB, or mitigate somebody hijacking the traffic between ELB and your servers.
Back-end authentication does NOT take into account whether or not the client (a browser for example) is communicating to your ELB over HTTPS/SSL. You can have an ELB communicate to a client over HTTP, while communicating to your backend servers over HTTPS/SSL with backend communication. This would only ensure the communication between ELB and your server is secure, NOT if the clients connection is secure.
In summary
As long as your ELB is communicating to your backend instance over HTTPS, that traffic is encrypted, although it may be hijacked. Back-end authentication helps prevent that traffic from being hijacked.
Why would you not use back-end authentication?
Performance. With back-end authentication enabled, we've seen around a 50-70ms increase in response time when communicating through ELB (with all other HTTPS is enabled).
Solution 2:
Back-end authentication ensures all traffic to/from the instances, the load balancer and the client will be encrypted.
I was having some trouble with this setup myself, however after some digging I found the respective section within the Elastic Load Balancing Developer Guide, see Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication - in particular, you may want to read how to achieve this by means of Using [the] AWS Management Console, which provides a helpful walkthrough and illustrations for the various topics involved.