Tags: amazon-web-services, nginx, amazon-ecs, aws-application-load-balancer, aws-security-group

AWS security group whitelist, Nginx running in ECS -> load balancer


I have an Nginx container in public subnets proxying requests to a load balancer in the same public subnets.

The following is a location block in my nginx.conf

    location ~* "^/[a-z]{2}_[a-z]{2}/somelocation/(.*)$" {
        # Note: $request_uri is the complete original URI (leading "/" and any
        # query string included), so the upstream path becomes
        # /rest//<original uri>; the regex capture $1 is never used.
        # nginx also resolves this hostname once at startup/reload; the
        # addresses behind an ELB DNS name change over time.
        proxy_pass          https://my-lb.region.elb.amazonaws.com/rest/$request_uri;
        proxy_redirect      off;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        # Promote the client's X-Access-Token header to Authorization upstream.
        proxy_set_header    Authorization   $http_x_access_token;
    }

The issue I'm having is that whitelisting the Nginx ECS security group on the ALB security group for the HTTPS protocol is not working.

I can tell that it is the security group causing the issue as, when I whitelist ALL IPs and protocols, it works as intended.

I've tried multiple security groups, going so far as to create one that does nothing just to add to the alb.

The exact flow of a request is this:

Client -> ALB#1 -> Nginx in ECS -> ALB#2 -> BE application in EC2

ALB#1's security group is whitelisted on the Nginx ECS container and connects correctly.


Solution

  • It sounds like your load balancer is a public load balancer. That means it will have a public IP address, not an internal VPC IP address. In this scenario, Nginx is resolving the IP address of the load balancer to be outside of the VPC, so it is forwarding the traffic out of the VPC, which AWS then routes back into the VPC to your load balancer. Unfortunately, when traffic exits the VPC and comes back in like that, the association with the originating security group is lost, which is why your security group rule isn't working.

    The solution is to convert the load balancer to an internal load balancer, which will only be accessible from within the VPC and only have an internal VPC IP address. Then all traffic from Nginx to the load balancer will remain inside the VPC and retain the association with the security group.
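The check a practitioner would run before changing anything is to look at what the ALB hostname actually resolves to from the Nginx task's point of view: if the records are outside the VPC's CIDR, the connection hairpins through the internet gateway (or NAT gateway) and the ALB sees a public source address, so no rule keyed on the task's security group can ever match. The script below is an added example, not code from the original post or from AWS; the VPC CIDR, the "internal-" hostname and the resolved addresses are constructed for illustration (`resolve_live` does a real lookup and is only there for use on a running task).

```python
"""Decide whether an nginx -> ALB hop stays inside the VPC, so that an ALB
security-group rule whose source is the nginx task's security group can match.

Added example; not code from the original post. The VPC CIDR, the internal
ALB hostname and the resolved addresses are constructed for illustration.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple

# Assumed VPC address range (the post does not state it).
VPC_CIDRS: Tuple[ipaddress.IPv4Network, ...] = (ipaddress.ip_network("10.0.0.0/16"),)

# Constructed DNS answers: an internet-facing ALB resolves to public addresses
# (TEST-NET-3 used here), an internal ALB to addresses from the VPC's subnets.
SAMPLE_DNS: Dict[str, List[str]] = {
    "my-lb.region.elb.amazonaws.com": ["203.0.113.10", "203.0.113.11"],
    "internal-my-lb.region.elb.amazonaws.com": ["10.0.1.20", "10.0.2.30"],
}


def resolve_live(hostname: str, port: int = 443) -> List[str]:
    """Live lookup of what this host's resolver returns for the ALB name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, port)})


def inside_vpc(address: str, vpc_cidrs: Iterable[ipaddress.IPv4Network] = VPC_CIDRS) -> bool:
    """True if the address falls in one of the VPC's CIDRs (IPv6 never matches an IPv4 CIDR)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in vpc_cidrs)


def classify_hop(addresses: Iterable[str], vpc_cidrs=VPC_CIDRS) -> str:
    """Return "in-vpc", "hairpin" or "mixed" for the addresses an ALB name resolves to.

    hairpin: every record is outside the VPC. The task reaches the ALB through
    the internet gateway or a NAT gateway, the ALB sees a public source address,
    and a security-group-reference rule never matches.
    mixed:   some records are public, so only some connections would match.
    """
    addrs = list(addresses)
    if not addrs:
        raise ValueError("no addresses to classify")
    private = sum(inside_vpc(a, vpc_cidrs) for a in addrs)
    if private == len(addrs):
        return "in-vpc"
    if private == 0:
        return "hairpin"
    return "mixed"


def recommend(hostname: str, dns: Dict[str, List[str]] = SAMPLE_DNS,
              vpc_cidrs=VPC_CIDRS) -> Tuple[str, str]:
    """Pair the classification with the change that makes the SG rule work."""
    verdict = classify_hop(dns[hostname], vpc_cidrs)
    advice = {
        "in-vpc": "keep: allow TCP 443 on the ALB SG with the nginx task SG as source",
        "hairpin": "recreate the ALB with Scheme=internal; fallback if it must stay "
                   "internet-facing: allow the EIP or NAT gateway IP the task exits "
                   "through as a /32 instead of the SG reference",
        "mixed": "inconsistent records; fix the ALB scheme rather than the rule",
    }[verdict]
    return verdict, advice


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        verdict, advice = recommend(name)
        print(f"{name}: {verdict} -> {advice}")
```

On a real task, replace the constructed `SAMPLE_DNS` entry with `resolve_live("my-lb.region.elb.amazonaws.com")`. The scheme itself can be confirmed with `aws elbv2 describe-load-balancers --names my-lb --query 'LoadBalancers[0].Scheme'`, which prints `internet-facing` or `internal`; the scheme of an existing ALB cannot be edited, so the "internal" fix means creating a new load balancer and repointing Nginx at its DNS name.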