The logs generated for both domains suggest that the requests have been processed and forwarded to reach the server of domain 2. However, as the 400 error indicates a bad request, the following scenario is a possible root cause of the error:
Consider the following setup at your NLB 2, where: Listener (TLS:443) ----> Target group (TCP:443)
The NLB is configured with a TLS listener, so the TLS is terminated at the NLB and only HTTP content remains to be forwarded. If the target groups are configured with the TCP protocol, there is no additional TLS encryption happening from the NLB to the targets. With the HTTP traffic being forwarded to an HTTPS endpoint (port 443 on the webserver), you will find that the webserver responds with a 400 error, generally with a message letting you know that an HTTP request was received on an HTTPS port.
Therefore, the web server of domain 2 would be receiving HTTP traffic from the NLB instead of the expected HTTPS traffic. The TLS encryption would make HTTPS traffic unique from HTTP traffic.
Hence, it is recommended to configure the NLB target group to establish TLS connections from the NLB to the targets, resulting in end-to-end encryption in transit from your clients to the targets.
Please refer to the following documentation for more information on the same:
- https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html
- https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-group-routing-configuration
I would also recommend reaching out to us via a support case in case you would like to troubleshoot the issue further.
Hello, Thanks a lot for your reply!!! I think that the TLS is terminated at NGINX level, not at NLB. I haven't attached any certificate to the NLB, but there is a Let's Encrypt cert secret for NGINX deployed by cert-manager. So I think that the HTTP request is sent by NGINX and it should be configured to not terminate SSL or to reopen a new SSL connection toward the domain-2. I'll open a ticket with support. Thanks, Serge.
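Added example, not part of the answer or the reply above: a Python check that classifies each NLB listener/target-group pairing as TLS termination with plaintext forwarding (the scenario in the answer), re-encryption to the targets (the recommended setup), or TCP passthrough (TLS handled by the backend, as the reply describes). The function names, the sample data and the assumption that target port 443 only accepts TLS are hypothetical; the dictionaries are constructed in the shape of `aws elbv2 describe-listeners` and `describe-target-groups` output.

```python
# Constructed sample data; the ARNs are placeholders, not real resources.
LISTENERS = [
    {"Protocol": "TLS", "Port": 443, "DefaultActions": [
        {"Type": "forward", "TargetGroupArn": "arn:example:tg/plain-443"}]},
    {"Protocol": "TLS", "Port": 8443, "DefaultActions": [
        {"Type": "forward", "TargetGroupArn": "arn:example:tg/tls-443"}]},
    {"Protocol": "TCP", "Port": 443, "DefaultActions": [
        {"Type": "forward", "TargetGroupArn": "arn:example:tg/passthrough"}]},
]
TARGET_GROUPS = [
    {"TargetGroupArn": "arn:example:tg/plain-443", "Protocol": "TCP", "Port": 443},
    {"TargetGroupArn": "arn:example:tg/tls-443", "Protocol": "TLS", "Port": 443},
    {"TargetGroupArn": "arn:example:tg/passthrough", "Protocol": "TCP", "Port": 443},
]


def classify(listener_proto, target_proto):
    """Describe what happens to TLS between the client, the NLB and the target."""
    if listener_proto == "TLS" and target_proto == "TLS":
        return "re-encrypt"            # NLB terminates, then opens TLS to the target
    if listener_proto == "TLS" and target_proto == "TCP":
        return "terminate-plaintext"   # NLB terminates, target receives plain HTTP
    if listener_proto == "TCP" and target_proto == "TCP":
        return "passthrough"           # TLS, if any, is terminated by the backend
    return "other"


def audit(listeners, target_groups, tls_only_ports=(443,)):
    """Return one finding per forward action; tls_only_ports is an assumption."""
    by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for listener in listeners:
        for action in listener.get("DefaultActions", []):
            tg = by_arn.get(action.get("TargetGroupArn"))
            if action.get("Type") != "forward" or tg is None:
                continue  # weighted ForwardConfig actions are not handled here
            mode = classify(listener["Protocol"], tg["Protocol"])
            findings.append({
                "listener_port": listener["Port"],
                "target_group": tg["TargetGroupArn"],
                "mode": mode,
                # Plain HTTP arriving on a TLS-only port is the 400 scenario.
                "http_on_https_port": mode == "terminate-plaintext"
                and tg["Port"] in tls_only_ports,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(LISTENERS, TARGET_GROUPS):
        print(finding)
```
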