
Using HTTP between CloudFront and EC2 for HTTPS site


Our application is currently running on EC2 instances, requiring HTTPS (and redirecting HTTP to HTTPS). We are now considering serving all requests via CloudFront and enforcing HTTPS through CloudFront. Our thought is that once we do that we would then block HTTP/HTTPS requests not coming from CloudFront and relax the HTTPS requirement. This way all requests to CloudFront would be via HTTPS, but CloudFront would retrieve the data from the EC2 origin via HTTP. This way we would a) reduce some server overhead since the server doesn't have to do the TLS encryption and b) eliminate the need to manage certificates for the EC2 instances.

Are there any security concerns with this or other reasons not to do this?


Solution

  • Here is what we ended up doing:

    1. Origin EC2 only allows HTTP (port 80)
    2. ELB only allows HTTPS (port 443) and targets the EC2 via HTTP (port 80)
    3. EC2 Security Group restricts HTTP access to the ELB's security group
    4. Created Route53 DNS entry for origin-blabla.example.com as an alias to the ELB
    5. CloudFront distribution redirects HTTP -> HTTPS
    6. CloudFront has origin-blabla.example.com as its origin
    7. CloudFront origin has custom HTTP header
    8. Both CloudFront and ELB have a *.example.com TLS Certificate (I also could have used separate certs for specific domain names)
    9. URL Rewrite blocks/redirects all requests that don't have one of the following: a) the above-mentioned custom HTTP header or b) UserAgent that matches ^ELB-HealthChecker$

    So now all requests come to CloudFront via HTTPS (if they come as HTTP they are redirected to HTTPS), which connects to ELB via HTTPS, which in turn gets the data from EC2 via HTTP. This cannot be circumvented (unless someone is desperate enough to guess the origin DNS and brute force the custom HTTP header and add it to their browser request - and I'm not sure what they're really gaining by that) so we can rest assured that a) all requests are secure, b) there is only one domain name that can be used to access our system, and c) we don't have to worry about certificates on the server.
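One way to express the check from step 9 at the origin, written as a Python WSGI middleware rather than the URL Rewrite rule the answer used (an added example, not code from the original post). The header name `X-Origin-Verify`, the secret values and the `/health` path are assumptions; the health-checker exemption is tied to that single path because the User-Agent value is supplied by the client.

```python
import hmac
import re

# Assumptions for illustration (none of these values come from the post):
ORIGIN_HEADER = "X-Origin-Verify"        # hypothetical custom header name
ACCEPTED_SECRETS = (                     # constructed values; two entries so
    b"constructed-current-secret",       # the secret can be rotated without
    b"constructed-previous-secret",      # rejecting in-flight CloudFront requests
)
HEALTH_PATH = "/health"                  # hypothetical ELB health-check target
# Accepts the bare name used in the post and the versioned form that
# AWS load balancers send (e.g. "ELB-HealthChecker/2.0").
HEALTH_UA = re.compile(r"ELB-HealthChecker(/\d+\.\d+)?")


def is_allowed(headers, path):
    """Return True when a request may reach the application."""
    supplied = headers.get(ORIGIN_HEADER, "").encode("utf-8", "replace")
    # Constant-time comparison; evaluate every candidate so timing does not
    # reveal which secret (if any) was close to matching.
    matches = [hmac.compare_digest(supplied, s) for s in ACCEPTED_SECRETS]
    if any(matches):
        return True
    # Health checks carry no custom header, so exempt them by User-Agent,
    # but only on the health-check path.
    ua = headers.get("User-Agent", "")
    return path == HEALTH_PATH and HEALTH_UA.fullmatch(ua) is not None


class OriginGate:
    """WSGI middleware that answers 403 unless is_allowed() passes."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        headers = {
            ORIGIN_HEADER: environ.get("HTTP_X_ORIGIN_VERIFY", ""),
            "User-Agent": environ.get("HTTP_USER_AGENT", ""),
        }
        if is_allowed(headers, environ.get("PATH_INFO", "")):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]
```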