(4 of 4) Amazon ELB Multi-domain SSL forwarding to NGINX and Play Servers

Posted on Wednesday, April 10, 2013

(4 of 4: Create an ELB with the signed certificate)

This guide covers setting up an ELB with a multi-domain SSL certificate. The servers behind the ELB will run multiple Play servers on different ports, with an nginx server in front of them to route requests by domain/subdomain name.

I know that is quite a mouthful, but here is what I am trying to accomplish.

I want to run more than one Play server on an EC2 instance. Each Play server will run on its own port, and I want a domain name to route to a specific Play server. For example, www.example.com routes to the Play server running on port 9000 and www2.example.com routes to the Play server running on port 8000. In addition, I want all the communication to be secured with SSL certificates.

For an individual server you could simply put an nginx server in front of the Play servers and have nginx handle the routing based on domain name. But in this case I want to add an AWS ELB (Elastic Load Balancer) in front of several EC2 machines.

Here is what I have found out so far. The ELB can handle the SSL certificate, but it can only have one certificate per ELB, which forces you to use a multi-domain SSL certificate. Also, the ELB cannot forward based on domain name, so you still need an nginx server in front of the Play servers.




I want something like this: the ELB handles the certificate and the nginx server handles the domain-name routing.




Create an ELB


Now that you have the server and the SSL certificate, it's time to create the ELB.




Log into the AWS web console and open up the EC2 service




Click on Load Balancers





Click on Create Load Balancer





Give it a name. In my case I called mine myTestLoadBalancer.




In my case I have my EC2 instance running in a VPC I made. If you are in a similar situation you need to select your VPC from the pull-down menu.




Leave the rest of it as is and click Continue.





Set the health checks. In my case I kept them the same and clicked Continue.

(I later went back and changed the ping path to "/".)





If this ELB is in a VPC, you need to select which subnets it can attach to. Then click Continue.



Assign a security group to the ELB and click Continue.





Select the instances you want to attach to this load balancer by checking their checkboxes then click Continue.





Review the information and then click Create.





Click "View my load balancers" and check their status.





Test the load balancer



Looking at the load balancer you can see that it has a DNS address associated with it. In my case it is

myTestLoadBalancer-703543986.us-west-2.elb.amazonaws.com


Now open that address in a browser.





Success!





Associate domain name




I won't go into great detail here, but I created a subdomain ssl-test for whiteboardcoder.com on Route 53. I made a CNAME record pointing at the ELB's DNS name and clicked Save Record Set. I also did the same thing for my ssl-test2.whiteboardcoder.com subdomain.

I ran a dig command for each name to make sure the domain names were resolving through the CNAME now.


> dig ssl-test.whiteboardcoder.com
> dig ssl-test2.whiteboardcoder.com



Also, I had to close the tab in Chrome and open a new one to refresh it and get the new web location.

Now I opened



Success! It's using the ELB.




Adding an SSL certificate to the ELB


What I really want to do is add an SSL certificate to the load balancer. I already have my SSL certificate set up and ready to go; I have other posts about how to create an SSL certificate if you get stuck on that.

Assuming you have your SSL certificate, here is what you need to do.


Add port 443

You need to add a port 443 (HTTPS) listener to the ELB.




Select the ELB and then click on the Listener tab.




From the pull-down select HTTPS, then click Select under the SSL Certificate column.




Give it a name; I called mine ssl-test.
Enter the private key and the public key certificate, then click Save.

(The private key is from the whiteboardcoder.key file.)
(The public key certificate is from the ssl-test.whiteboardcoder.com.crt file downloaded from GoDaddy.)





Select the certificate you just made and click Save.




Click Save. (At this point I did get an odd error: "Could not add listener. Server Certificate not found for the key:". I fixed this by just refreshing the page and selecting the certificate again.)


Now test the https version of the site.  In my case I opened





Success!






Other resource issue





In Chrome I get a notification warning me that some resources on the page are not encrypted. This is because the default Play page pulls in resources from other domains over plain HTTP.




To get rid of this notice you need to update the Play files.


> cd
> vi HelloWorld/app/controllers/Application.scala



Update it to


package controllers

import play.api._
import play.api.mvc._

object Application extends Controller {

  // Plain-text response with no external resources, so nothing on this
  // page is fetched over HTTP and the mixed-content warning goes away.
  def index = Action {
    Ok("Hello World this is the port 9000 Play server")
  }

}



And then update the other file


> cd
> vi HelloWorld2/app/controllers/Application.scala



Update it to


package controllers

import play.api._
import play.api.mvc._

object Application extends Controller {

  // Same change for the second Play server on port 8000.
  def index = Action {
    Ok("Hello World this is the port 8000 Play server")
  }

}


Reload the HTTPS pages.

For Chrome I had to open a new tab. If I tried to refresh the old tab, the yellow notifications were not updated for some reason.




Success! No more yellow notifications.
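To check a page for the plain http:// sub-resources that trigger that warning without relying on the browser indicator, here is a small scanner. It is an added example, not code from the original post; the HTML it scans is a constructed sample standing in for a default page that pulls in remote assets, and the hostnames in it are made up.

```python
# Added example (not from the original post): scan an HTML page served over
# HTTPS for sub-resources fetched over plain http://, which is what triggers
# the browser's mixed-content warning described above.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
# A plain <a href> is navigation, not a sub-resource, so it is left out.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

class MixedContentScanner(HTMLParser):
    """Collect (tag, url) pairs for every sub-resource with an http:// URL."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in RESOURCE_ATTRS.get(tag, ()) and value:
                # Relative, protocol-relative (//host/...) and data: URLs
                # inherit https or carry no scheme, so only an explicit
                # http scheme (any letter case) counts as mixed content.
                if urlsplit(value.strip()).scheme == "http":
                    self.insecure.append((tag, value.strip()))

def find_mixed_content(html):
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.insecure

# Constructed sample page (hostnames are made up).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/main.css">
<script src="//cdn.example.test/jquery.js"></script>
<script src="/assets/javascripts/app.js"></script>
</head><body>
<img src="HTTP://cdn.example.test/logo.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<a href="http://example.test/">link, not a sub-resource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure <{tag}> resource: {url}")
```

Feed it the HTML returned by the HTTPS URL of each subdomain; an empty result means no resource on that page is requested over plain HTTP.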


