ELBs
ELBs provide security policies, each a predefined SSL negotiation configuration, that are used to negotiate SSL connections between clients and your load balancer.
If you are using the HTTPS/SSL protocol for your listener, you can use one of the predefined security policies, or use your own custom security policy.
If you create an HTTPS/SSL listener without associating a security policy, ELBs associate the default predefined security policy, ELBSecurityPolicy-2016-08, with your load balancer.
When you use TCP for both front-end and back-end connections, your load balancer forwards the request to the back-end instances without modifying the headers.
After your load balancer receives the request, it attempts to open a TCP connection to the back-end instance on the port specified in the listener configuration.
Because load balancers intercept traffic between clients and your back-end instances, the access logs for your back-end instance contain the IP address of the load balancer instead of the originating client.
You can enable Proxy Protocol, which adds a header with the connection information of the client, such as the source IP address, destination IP address, and port numbers.
The header is then sent to the back-end instance as a part of the request.
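The header the load balancer prepends is a PROXY protocol v1 line (e.g. PROXY TCP4 <client-ip> <lb-ip> <client-port> <lb-port>, terminated by CRLF), so the back-end has to strip and parse it itself before handing the rest of the stream to its application. The following is an added example, not code from the page or from AWS: a back-end-side parser for that header, with constructed sample bytes, that recovers the originating client IP for access logging and falls back to the socket peer address when the header is absent, declared UNKNOWN, or arrives from a peer outside an assumed trusted load-balancer subnet (10.0.0.0/8 here is a placeholder).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed samples (not real traffic) of what a back-end socket receives.
# With Proxy Protocol enabled the load balancer prepends one v1 header line;
# the client's own request follows unchanged.
SAMPLE_WITH_PROXY = (
    b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
SAMPLE_WITHOUT_PROXY = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_UNKNOWN = b"PROXY UNKNOWN\r\nGET / HTTP/1.1\r\n\r\n"

MAX_V1_HEADER = 107  # longest legal v1 line per the PROXY protocol spec, CRLF included

# Hypothetical: the address range the load balancer nodes connect from. Only
# connections from these peers are allowed to assert a client address.
TRUSTED_LB_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class ProxyInfo:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 header off the start of a stream.

    Returns (ProxyInfo or None, remaining payload). None means the header was
    absent or declared UNKNOWN, so the caller should fall back to the peer
    address. Raises ValueError on a malformed header instead of guessing.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY header missing CRLF within 107 bytes")
    line = data[:end].decode("ascii")
    rest = data[end + 2:]
    fields = line.split(" ")
    if fields[1] == "UNKNOWN":
        return None, rest  # the spec lets the proxy say it could not determine the client
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY header: {line!r}")
    want_version = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != want_version or dst.version != want_version:
        raise ValueError(f"address family mismatch in PROXY header: {line!r}")
    src_port, dst_port = int(fields[4]), int(fields[5])
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range in PROXY header: {line!r}")
    return ProxyInfo(str(src), str(dst), src_port, dst_port), rest


def client_address_for_log(data: bytes, peer_ip: str):
    """Decide which address the back-end should log as the originating client.

    The header is honoured only when the TCP peer is a trusted load balancer;
    anything connecting directly could otherwise prepend a fake PROXY line.
    Returns (client_ip, payload). For an untrusted peer the data is returned
    untouched, so a bogus header simply becomes a malformed request.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_LB_NETWORKS):
        return peer_ip, data
    info, payload = parse_proxy_v1(data)
    return (info.src_ip if info else peer_ip), payload


if __name__ == "__main__":
    client_ip, payload = client_address_for_log(SAMPLE_WITH_PROXY, "10.0.1.5")
    print("client:", client_ip)
    print("payload starts with:", payload[:14])
```

The trust check matters because the PROXY header is plain text the back-end cannot authenticate: if the instance's security group also admits direct connections, any such connection could claim an arbitrary source address, so the header should only be parsed on connections that actually came from the load balancer.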
Take note that ALBs do NOT support SSL renegotiation for client or target connections.
They cannot re-negotiate or re-establish an SSL connection between the load balancer and the target EC2 instances.