What do I need to get SSL termination across all of AWX when deployed with an AWS LoadBalancer Ingress?
I was under the assumption that I just need to toss in some annotations like this along with the ACM certificate ARN and everything would magically work.
But looking through the GitHub issues, it sounds like there's a bit more that needs to be done when configuring nginx? SSL Termination at Load Balancer · Issue #150 · ansible/awx-operator · GitHub
Either way, I don’t understand. What basic components do I need for this to work?
At the moment you need to accept on 443, then hand off to AWX using 80, so change your backend-protocol to http. This will still secure it with SSL.
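The setup the reply above describes, written out as an added example (this is not from the original thread and not the awx-operator project's own documentation): the AWS load balancer terminates TLS on 443 using an ACM certificate and forwards to AWX over plain HTTP on 80. It assumes the awx-operator CR fields service_type, service_annotations, loadbalancer_protocol and loadbalancer_port (check them against your operator version's defaults); the certificate ARN, namespace and instance name are placeholders; and the annotations are the in-tree AWS cloud-provider ones for a Service of type LoadBalancer, so confirm which annotation set the load balancer controller in your cluster honours.

```yaml
# Added example, not from the thread or the awx-operator docs.
# Assumptions: awx-operator CR fields service_type / service_annotations /
# loadbalancer_protocol / loadbalancer_port exist in your operator version;
# the ARN, namespace and name below are placeholders; the annotations are the
# in-tree AWS cloud-provider ones for a type=LoadBalancer Service.
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
  namespace: awx
spec:
  service_type: LoadBalancer
  # External side: the AWS load balancer listens on 443 and terminates TLS there.
  loadbalancer_protocol: https
  loadbalancer_port: 443
  # Annotations are passed through to the Service the operator creates.
  # - ssl-cert: the ACM certificate the load balancer presents to clients
  # - ssl-ports: only the 443 listener does TLS
  # - backend-protocol: load balancer -> AWX pods is plain HTTP on 80
  #   (this is the "SSL offloading" the rest of the thread discusses)
  service_annotations: |
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
```

After applying it, `kubectl -n awx get svc` shows the load balancer hostname on the Service the operator creates; `curl -v https://<that-hostname>/api/v2/ping/` should complete a TLS handshake against the ACM certificate and return AWX's ping response. Only the client-to-load-balancer hop is encrypted here; the load balancer-to-pod hop on port 80 is plaintext inside the VPC, which is the exposure the following replies weigh up.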
If the traffic is being offloaded from the loadbalancer to node using http, does this open up any vulnerabilities?
SSL offloading increases performance, but LoadBalancer-to-application data is not encrypted. This does not mean that traffic overall isn't encrypted; you will still get client-to-LoadBalancer encryption.
The only issue this brings is if someone is sniffing traffic directly on your internal network.
Thanks.
I’m actually running the entire deployment in a local network and was doing SSL just in case that very last scenario could happen (as silly as it might be).
I guess I’ll need to wait for the LoadBalancer SSL support to get the true SSL communication, right? Or might there be other ways to make it happen?
Do the other ingress types have a method of supporting SSL? I’ve just been using LoadBalancer since it’s the easiest for me to understand.
I believe they do, yes. I wrote the LB function in to support my use case, but also do need to stop SSL offloading at some point in the future. I found I had issues if you then stick an LB in front manually forwarding onto the other methods.
You won't have issues running with SSL offloading; it's a common practice unless you need to meet certain security requirements such as PCI DSS.