
I started setting up Amazon's Elastic Load Balancing Service for my server pool and I need to set up HTTPS/SSL. I have all my SSL certificates set up, but then I come to the step for backend authentication and I'm unsure what certificate is required with the "Backend Authentication".

Is it my site's private key, public key, or do I need to generate a new key on the server?

Thank you for the assistance.

Eric Hammond
whobutsb
  • "then I come to the step for backend authentication and I'm unsure what certificate is required with the "Backend Authentication". Is it my site's private key, public key, or do I need to generate a new key on the server?" <---- Anyone have an answer to this part of the question? Is this another SSL certificate or the keypair .pem file they give you when creating a security group? – Hunter Leachman Mar 25 '16 at 08:13

2 Answers

The previous answer is not 100% accurate.

What back-end authentication ACTUALLY does is ensure that the public key your backend server reports (when ELB is talking to your server over HTTPS/SSL) matches a public key you provide. This would prevent somebody from attaching a malicious server to your ELB, or mitigate somebody hijacking the traffic between ELB and your servers.

Back-end authentication does NOT take into account whether or not the client (a browser, for example) is communicating with your ELB over HTTPS/SSL. You can have an ELB communicate with a client over HTTP while communicating with your backend servers over HTTPS/SSL with backend communication. This would only ensure the communication between ELB and your server is secure, NOT that the client's connection is secure.

In summary

As long as your ELB is communicating to your backend instance over HTTPS, that traffic is encrypted, although it may be hijacked. Back-end authentication helps prevent that traffic from being hijacked.

Why would you not use back-end authentication?

Performance. With back-end authentication enabled, we've seen around a 50-70ms increase in response time when communicating through ELB (with all other HTTPS enabled).

William King
  • Hi William, thanks for the explanation. But what's the verdict, do it or not? What are the chances that communication between ELB and instances gets compromised? Or even a malicious server gets attached to the ELB? – xor Jan 29 '16 at 15:11
  • To be able to attach a malicious server to an ELB, one would need some AWS credentials with ELB registration privileges. I'd say those credentials are held by your deployment servers or by yourself. If those credentials are leaked, there's also a high chance the attacker can connect to your backend anyway (since your deployment machines need to update app versions they most likely have some sort of SSH access) so having https backend encryption probably won't make a difference since the attacker could directly connect to the backends. – Cyril Duchon-Doris Jan 15 '18 at 23:07
  • Suppose I am using the AWS default security policy, ELBSecurityPolicy-2016-18. So which public key or private key is going to be used for back-end authentication? – Shankar May 31 '19 at 16:20
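The check William King's answer describes, as an added example that is not from the answer or from AWS: the load balancer compares the public key in the certificate the instance presents against the public key you upload to the policy, and nothing else. This Go program reproduces that comparison with throwaway self-signed certificates; the SHA-256 fingerprint representation and all names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint hashes the SubjectPublicKeyInfo, the only part of the
// backend's certificate that the ELB backend-authentication policy compares.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// BackendAuthenticated accepts a backend's certificate only if its public key is
// one pinned in the policy; issuer, expiry and hostname are deliberately ignored.
func BackendAuthenticated(presented *x509.Certificate, pinned []string) bool {
	fp := SPKIFingerprint(presented)
	for _, p := range pinned {
		if p == fp {
			return true
		}
	}
	return false
}

// SelfSignedCert builds a throwaway self-signed certificate (constructed demo data).
func SelfSignedCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	backend := SelfSignedCert("backend.internal")
	rogue := SelfSignedCert("backend.internal") // same name, different key pair
	policy := []string{SPKIFingerprint(backend)} // the public key you upload to the policy
	fmt.Println(BackendAuthenticated(backend, policy), BackendAuthenticated(rogue, policy)) // true false
}
```

In practice the pinned value is the public key extracted from the backend instance's own certificate, which is what the question's "Backend Authentication" step asks for.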

Back-end authentication ensures all traffic to/from the instances, the load balancer and the client will be encrypted.

I was having some trouble with this setup myself, however after some digging I found the respective section within the Elastic Load Balancing Developer Guide, see Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication - in particular, you may want to read how to achieve this by means of Using [the] AWS Management Console, which provides a helpful walkthrough and illustrations for the various topics involved.

Steffen Opel
af-at-work