Configuring your environment's load balancer for TCP Passthrough
If you do not want the load balancer in your AWS Elastic Beanstalk environment to decrypt the HTTPS traffic, you can configure the secure listener to relay requests to backend instances as-is.
Important
Configuring the load balancer to relay HTTPS traffic without decrypting it presents a disadvantage. The load balancer cannot see the encrypted requests and thus cannot optimize routing or report response metrics.
First configure your environment's EC2 instances to terminate HTTPS. Test the configuration on a single instance environment to make sure everything works before adding a load balancer to the mix.
Add a configuration file to your project to configure a listener on port 443 that passes TCP packets as-is to port 443 on backend instances:
.ebextensions/https-lb-passthrough.config
option_settings:
aws:elb:listener:443:
ListenerProtocol: TCP
InstancePort: 443
InstanceProtocol: TCP
In a default Amazon Virtual Private Cloud (Amazon VPC), you also need to add a rule to the instances' security group to allow inbound traffic on 443 from the load balancer:
.ebextensions/https-instance-securitygroup.config
Resources:
443inboundfromloadbalancer:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
SourceSecurityGroupName: { "Fn::GetAtt": ["AWSEBLoadBalancer", "SourceSecurityGroup.GroupName"] }
In a custom VPC, Elastic Beanstalk updates the security group configuration for you.