Setting Up ELB with SSL - What is Backend Authentication?

I started setting up Amazon's Elastic Load Balancing Service for my server pool and I need to set up HTTPS/SSL. I have all my SSL certificates set up, but then I come to the step for backend authentication and I'm unsure what certificate is required with the "Backend Authentication".

Is it my site's private key, public key, or do I need to generate a new key on the server?

Thank you for the assistance.


Solution 1:

The previous answer is not 100% accurate.

What back-end authentication ACTUALLY does is ensure that the public key your backend server reports (when ELB is talking to your server over HTTPS/SSL) matches a public key you provide. This would prevent somebody from attaching a malicious server to your ELB, or mitigate somebody hijacking the traffic between ELB and your servers.

Back-end authentication does NOT take into account whether or not the client (a browser for example) is communicating to your ELB over HTTPS/SSL. You can have an ELB communicate to a client over HTTP, while communicating to your backend servers over HTTPS/SSL with backend communication. This would only ensure the communication between ELB and your server is secure, NOT if the client's connection is secure.

In summary

As long as your ELB is communicating to your backend instance over HTTPS, that traffic is encrypted, although it may be hijacked. Back-end authentication helps prevent that traffic from being hijacked.

Why would you not use back-end authentication?

Performance. With back-end authentication enabled, we've seen around a 50-70ms increase in response time when communicating through ELB (with all other HTTPS enabled).
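The check described above, as an added example (not part of the original answer): the pinned value is the public key extracted from the backend server's own certificate (the `openssl x509 -pubkey -noout` output), and the comparison ELB performs against the key a backend actually presents is modelled locally. It assumes `openssl` is installed; `backend.crt`, `rogue.crt` and `pinned.pem` are constructed test material.

```shell
#!/bin/sh
# Extract the public key (SubjectPublicKeyInfo, PEM) from a backend server
# certificate. This is the value you provide for back-end authentication:
# the server's existing public key, not its private key and not a new key.
backend_public_key() {
  openssl x509 -in "$1" -pubkey -noout
}

# Compare a pinned public key against the key carried in the certificate a
# backend presents. Both sides are reduced to a SHA-256 of the DER encoding,
# so PEM line wrapping cannot cause a false mismatch. Returns 0 on match.
backend_key_matches() {
  pinned=$(openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  presented=$(backend_public_key "$2" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$pinned" ] && [ "$pinned" = "$presented" ]
}

# Constructed test material (assumption, not from the post): two self-signed
# certs standing in for the legitimate backend and for an unrelated host
# someone attached behind the load balancer.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
make_cert backend
make_cert rogue
backend_public_key "$WORK/backend.crt" > "$WORK/pinned.pem"

if backend_key_matches "$WORK/pinned.pem" "$WORK/backend.crt"; then
  echo "backend.crt: public key matches pinned key (accepted)"
fi
if ! backend_key_matches "$WORK/pinned.pem" "$WORK/rogue.crt"; then
  echo "rogue.crt: public key does not match pinned key (rejected)"
fi
```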

Solution 2:

Back-end authentication ensures all traffic to/from the instances, the load balancer and the client will be encrypted.

I was having some trouble with this setup myself, however after some digging I found the respective section within the Elastic Load Balancing Developer Guide, see Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication - in particular, you may want to read how to achieve this by means of Using [the] AWS Management Console, which provides a helpful walkthrough and illustrations for the various topics involved.