
Getting Error 522 or 521; when accessing port 80 or 443 via the ALB link it is working (for 443 the browser shows a warning, because the ALB and SSL domain are different)

AWS Config.

  1. Created Custom VPC with 1 public subnet and 1 private subnet
  2. Created AutoScaling Group
  3. Created Load Balancer (two listeners for HTTP and HTTPS forwarding to the target group) and target group (two targets pointing to the EC2 instance on port 80 and 443 for health check) -> health check is passing.
  4. Launched EC2 instance in private subnet (no public IP); the instance can only be accessed by the application load balancer security group.
</gra_replace>
<gr_replace lines="12-12" cat="clarify" orig="Ec2 and Apache2">
EC2 and Apache2 Config.

Ec2 and Apache2 Config.

  1. Enabled SSL in Apache2

  2. Opened port 443 on the instance and in the Security Group of the ALB, and accessed port 80 (HTTP) and 443 (HTTPS)

  3. For SSL, followed the article https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-18-04

Generated SSL Certificate from CloudFlare

  1. SSL/TLS -> Origin Server -> Generated RSA certificate

  2. Imported SSL certificate to AWS ACM

  3. Attached ACM SSL certificate to Load Balancer HTTPS Listener

  4. Also created an AWS ACM SSL certificate and validated it with DNS for testing; tried both SSL certificates - didn't work

Subdomain and ALB link

  1. Created DNS CNAME entry in CloudFlare

  2. Added a subdomain pointing to the ALB link (tried both proxied and DNS only)

  3. Your SSL/TLS encryption mode is Full

  4. Always Use HTTPS: ON

When hitting the subdomain in a normal browser window it gets a 522, and in incognito mode it works the first time but not after that.

When making a curl request to https://subdomain.domain.com it always works.

Created an exact duplicate instance in the public subnet and linked it with another subdomain (created in Cloudflare) just for testing -> working properly.

Also tried adding a separate target group for port 443 (HTTPS) -> in this target group the health check is failing, whereas the same works in the other target group for port 80 (HTTP).

How to resolve this issue?

asked Dec 23, 2020 at 13:34
  • According to their documentation CloudFlare can't reach your webserver; can you check the ALB security group and make sure their IP ranges are on the allow-list? Commented Dec 23, 2020 at 14:47
  • @Maurice Port 80 and 443 of the ALB security group are open to the world for IPv4 and IPv6. Commented Dec 23, 2020 at 15:46

1 Answer

The issue was that the internet-facing load balancer was placed in both the public and the private subnet, and because of the private subnet Cloudflare was not able to connect to the EC2 instance, which was in the private subnet. The load balancer subnet section was showing the warning "You are creating an internet-facing Load Balancer, but there is no Internet Gateway attached to these subnets you have selected".

Solution: https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/

answered Dec 24, 2020 at 14:01
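The misconfiguration the answer describes, an internet-facing ALB with a node in a subnet that has no route to an Internet Gateway, can be caught by inspecting the VPC route tables. This is an added example, not code from the question, the answer or AWS; the route-table data is constructed to mirror the shape boto3's ec2.describe_route_tables() returns, and the subnet, route table and gateway IDs are placeholders.

```python
"""Check that every subnet an internet-facing ALB uses has a default route to an
Internet Gateway. Added example, not from the original question or answer; the
subnet/route-table data below is constructed to mirror the shape returned by
boto3's ec2.describe_route_tables(), not real AWS output."""

IGW_PREFIX = "igw-"

def effective_route_table(subnet_id, route_tables):
    """Route table that applies to a subnet: an explicit association wins,
    otherwise the VPC's main route table (a fallback that is easy to forget)."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_igw_default_route(route_table):
    """True if the table sends 0.0.0.0/0 (or ::/0) through an Internet Gateway."""
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and route.get("GatewayId", "").startswith(IGW_PREFIX):
            return True
    return False

def subnets_without_internet_route(alb_subnets, route_tables):
    """ALB subnets whose traffic has no path back to the Internet. Any entry here
    reproduces the 522/521 symptom: requests that land on the ALB node in that
    subnet never complete, while the node in the public subnet answers fine."""
    bad = []
    for subnet_id in alb_subnets:
        rt = effective_route_table(subnet_id, route_tables)
        if rt is None or not has_igw_default_route(rt):
            bad.append(subnet_id)
    return bad

# Constructed sample: the public subnet is explicitly routed to an IGW; the
# private subnet falls through to a main route table with only the local route.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main-example", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public-example", "Associations": [{"SubnetId": "subnet-public-example"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]
SAMPLE_ALB_SUBNETS = ["subnet-public-example", "subnet-private-example"]
```

Against live data, feed the function the `Subnets` list from describe_load_balancers() and the `RouteTables` list from describe_route_tables() for the same VPC; an empty result means every ALB node has a return path to the Internet.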