ELBs
ELBs provide security policies with predefined SSL negotiation configurations that are used to negotiate SSL connections between clients and your load balancer.
If you are using the HTTPS/SSL protocol for your listener, you can use one of the predefined security policies or your own custom security policy.
If you create an HTTPS/SSL listener without associating a security policy, ELB associates the default predefined security policy, ELBSecurityPolicy-2016-08, with your load balancer.

When you use TCP for both front-end and back-end connections, your load balancer forwards the request to the back-end instances without modifying the headers.
After your load balancer receives the request, it attempts to open a TCP connection to the back-end instance on the port specified in the listener configuration.
Because load balancers intercept traffic between clients and your back-end instances, the access logs for your back-end instance contain the IP address of the load balancer instead of the originating client.
You can enable Proxy Protocol, which adds a header with the connection information of the client, such as the source IP address, destination IP address, and port numbers.
The header is then sent to the back-end instance as a part of the request.
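As an added example (not code from the page or from AWS), here is how a back-end service can read that Proxy Protocol header from the start of the TCP stream and recover the original client address for its access logs. It assumes the text form of the header (Proxy Protocol version 1) and that the service only honours the header when the TCP peer is the load balancer, since a header accepted from any peer would let the client address in the logs be spoofed; the sample stream and the trusted network range are constructed for the example.

```python
import ipaddress

# Constructed sample: the first bytes a back-end instance receives on a connection
# when the load balancer has Proxy Protocol enabled, followed by the HTTP request.
SAMPLE_STREAM = (
    b"PROXY TCP4 198.51.100.23 10.0.1.15 51234 443\r\n"
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
)
SAMPLE_STREAM_V6 = b"PROXY TCP6 2001:db8::1 2001:db8::2 4000 443\r\nGET / HTTP/1.1\r\n\r\n"

MAX_V1_HEADER = 107  # longest valid v1 header, including the trailing CRLF


def parse_proxy_header(stream):
    """Split a Proxy Protocol v1 header off the front of a byte stream.

    Returns (info, remaining_bytes). info is None when no header is present.
    Raises ValueError on a malformed header so the caller can drop the connection.
    """
    if not stream.startswith(b"PROXY "):
        return None, stream
    end = stream.find(b"\r\n", 0, MAX_V1_HEADER + 1)
    if end == -1:
        raise ValueError("PROXY header not terminated within %d bytes" % MAX_V1_HEADER)
    fields = stream[:end].decode("ascii").split(" ")
    rest = stream[end + 2:]
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the client address; no address fields follow.
        return {"proto": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed PROXY header: %r" % stream[:end])
    _, proto, src, dst, sport, dport = fields
    family = 4 if proto == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != family or dst_ip.version != family:
        raise ValueError("address family does not match %s" % proto)
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("ports must be decimal integers")
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {
        "proto": proto,
        "src_ip": str(src_ip),
        "dst_ip": str(dst_ip),
        "src_port": sport,
        "dst_port": dport,
    }, rest


def is_valid_proxy_header(stream):
    """True if the stream starts with a well-formed v1 header (for test helpers)."""
    try:
        info, _ = parse_proxy_header(stream)
    except ValueError:
        return False
    return info is not None


def client_address(stream, peer_ip, trusted_networks):
    """Return (client_ip, client_port, payload) for the access log.

    The header is honoured only when the TCP peer sits in a trusted network
    (assumed here to be the load balancer's subnet); otherwise the peer itself
    is logged and the header bytes are left in the payload untouched.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_networks):
        return peer_ip, None, stream
    info, payload = parse_proxy_header(stream)
    if info is None or info["proto"] == "UNKNOWN":
        return peer_ip, None, payload
    return info["src_ip"], info["src_port"], payload


if __name__ == "__main__":
    ip, port, payload = client_address(SAMPLE_STREAM, "10.0.0.7", ["10.0.0.0/16"])
    print("client %s:%s request=%r" % (ip, port, payload.split(b"\r\n")[0]))
```

The trusted-network check is the important part: a back end that parses the header from any peer is trivially fed a forged source address, so restrict the listener to the load balancer's subnet or security group and treat a malformed header as a reason to close the connection.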
Take note that ALBs do NOT support SSL renegotiation for client or target connections.
An ALB cannot renegotiate or re-establish an SSL connection between the load balancer and the target EC2 instances.