I'm trying to have a Client-Server setup in AWS Elastic Beanstalk with a load balancer where the client uses certificate authentication. I created a self-signed certificate of my own Certificate Authority. My own CA is a root for a server key, a server certificate, a client key and a client certificate that I created. The server is a nodejs app that listens to an HTTPS protocol on custom port 4433. The whole setup is working in an Elastic Beanstalk that is a single instance, where the EC2 terminates the HTTPS and the security group has the nodejs port 4433 open.
The thing is that I would like to have the EB work with a load balancer. I configured an application load balancer, added an HTTPS listener that listens to port 443 and used the self-signed server certificate that I imported to ACM. I followed AWS documentation and created a file https-lb-passthrough.config, placed it in a folder .ebextensions off of the nodejs application and deployed to the Elastic Beanstalk. Here is the content:
    option_settings:
      aws:elb:listener:443:
        ListenerProtocol: TCP
        InstancePort: 4433
        InstanceProtocol: TCP
When I try making a request from a C# client that makes an HTTPS GET request I get a 502 Bad Gateway error. Here is the load balancer log:

    http 2019-12-02T16:46:05.480445Z app/awseb-AWSEB-1GSGKA6I5BBLS/c401b470346aaa57 223.25.98.106:41582 172.30.10.106:80 0.001 0.001 0.000 502 502 182 716 "GET http://23.23.41.94:80/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" - - arn:aws:elasticloadbalancing:us-east-1:224205300280:targetgroup/awseb-AWSEB-19IDNTK0JS0Q7/dadcc745cce88970 "Root=1-5de53fcd-d198a9a8b4279570aae691a4" "-" "-" 0 2019-12-02T16:46:05.479000Z "forward" "-" "-" "172.30.10.106:80" "502"
When trying from curl, I get a 400 Bad Request error. Here is the load balancer log:

    https 2019-12-02T16:39:17.990190Z app/awseb-AWSEB-1GSGKA6I5BBLS/c401b470346aaa57 173.251.70.131:18400 - -1 -1 -1 400 - 0 288 "- https://awseb-awseb-1gsgka6i5bbls-765901116.us-east-1.elb.amazonaws.com:443- -" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "-" "services-dev-sec..com" "arn:aws:acm:us-east-1:224205300280:certificate/75636aaa-90b0-4a5c-b6d7-2dd6db594d95" - 2019-12-02T16:39:17.969000Z "-" "-" "-" "-" "-"
Here is the server code:
    const
      express = require('express'),
      https = require('https'),
      fs = require('fs');

    const options = {
      key: fs.readFileSync('certs/server/services-dev-sec.key'),
      cert: fs.readFileSync('certs/server/services-dev-sec.crt'),
      ca: fs.readFileSync('certs/ca/ca.crt'), // authority chain for the clients
      requestCert: true, // ask for a client cert
      //rejectUnauthorized: false, // act on unauthorized clients at the app level
      enableTrace: true,
    };

    const app = express();
    app.use((req, res) => {
      // The same handler also serves the plain HTTP listener on 8000, whose
      // socket has no getPeerCertificate(); guard so that path does not throw.
      const cert = typeof req.socket.getPeerCertificate === 'function'
        ? req.socket.getPeerCertificate()
        : null;
      const clientCN = cert && cert.subject ? cert.subject.CN : 'none';
      console.log(new Date(), 'client authorized:', req.socket.authorized === true,
        'client CN:', clientCN, 'Method:', req.method);
      res.writeHead(200);
      res.end('hello world\n');
    });

    app.listen(8000);

    const httpsPort = 4433;
    console.log(new Date(), 'Creating an HTTPS server');
    https.createServer(options, app).listen(httpsPort, function () {
      console.log(new Date(), 'listening on port:' + httpsPort);
    });
The nodejs.log file is empty, which leads me to believe that the request is not passed in to the nodejs application. I don't see the requests in the EC2's nginx access.log or error.log.
My question is, how do I make the load balancer forward the HTTPS:443 request to EC2:4433?