AUTHOR: http://aws.typepad.com/aws/2014/02/elastic-load-balancing-perfect-forward-secrecy-and-other-security-enhancements.html LINK!


Comments


Josh

Awesome! Finally. :)

What about HSTS Headers?
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Jeff Barr

Josh, thanks for the suggestion and the comment. I have forwarded it to Lesley.

Petr Soukup

Is ELB going to support multiple certificates on the same port (SNI)? It is currently impossible to use these features with multiple domains behind one ELB.

Colm

Josh,

Thanks for the feature request. In the meantime, HSTS can be enabled by adding the HSTS "Strict-Transport-Security" header on backend instances. The header will be preserved by ELB load balancers.

Here's the cheat-sheet I use: The linked wiki includes sample configurations for Apache, lighttpd and nginx. HAProxy backends can also be configured to add a header by using the "rspadd" command. IIS can be configured with custom headers in its base configuration, Node can be configured by using res.header() in the first controller, and Ruby On Rails can be configured by setting response.headers['Strict-Transport-Security'] in a handling method. Other web-servers likely have equivalent configuration parameters.

Colm
Elastic Load Balancing
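
The backend-side approach from the comment above, sketched for a Node instance (an added example, not part of the thread and not AWS code). It assumes the balancer terminates TLS, forwards plain HTTP, and sets `X-Forwarded-Proto`, and that instances are reachable only through the balancer; `CANONICAL_HOST`, the max-age value and the function names are constructed for illustration.

```javascript
// Added example: emit HSTS from a backend that sits behind a TLS-terminating
// load balancer. Assumed, not from the page: the balancer sets X-Forwarded-Proto,
// and requests without that header are health checks or direct internal calls.
const CANONICAL_HOST = 'www.example.com'; // constructed placeholder host
const HSTS_MAX_AGE_SECONDS = 31536000;    // constructed sample policy (365 days)

// Build the Strict-Transport-Security value. includeSubDomains is opt-in
// because it binds every host under the domain to HTTPS.
function hstsValue(maxAge, includeSubDomains) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError('max-age must be a non-negative integer');
  }
  return 'max-age=' + maxAge + (includeSubDomains ? '; includeSubDomains' : '');
}

// Pure decision step: returns { status, headers } for a request, so the
// policy can be checked without opening a socket.
function decide(reqHeaders, url) {
  const proto = String(reqHeaders['x-forwarded-proto'] || '').trim().toLowerCase();
  if (proto === 'https') {
    // Client reached the balancer over TLS: this is where HSTS belongs.
    const sts = hstsValue(HSTS_MAX_AGE_SECONDS, false);
    return { status: 200, headers: { 'Strict-Transport-Security': sts } };
  }
  if (proto === 'http') {
    // Browsers ignore HSTS received over plaintext (RFC 6797), so redirect.
    // The target host is fixed configuration, never the request's Host header.
    const path = typeof url === 'string' && url.startsWith('/') ? url : '/';
    return { status: 301, headers: { Location: 'https://' + CANONICAL_HOST + path } };
  }
  // No forwarded-proto header: answer 200 so a health check is not failed
  // by a redirect, and send no HSTS because the client scheme is unknown.
  return { status: 200, headers: {} };
}

// Handler compatible with Node's http module:
//   require('http').createServer(handler).listen(8080);
function handler(req, res) {
  const d = decide(req.headers, req.url);
  res.writeHead(d.status, d.headers);
  res.end(d.status === 200 ? 'ok\n' : '');
}
```

Only the first branch sends the header, so it never goes out on a response the client fetched over plain HTTP.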

James

SNI desperately needed... I second Jeff's comment.

Richard

Client side authentication on the load balancer also needed.

Chris

Being able to enable gzip compression on HTTPS would also be extremely helpful. Perhaps I'm missing something and this is available already -- if so, I don't know how to enable it.

Gabriel Pérez

"SNI desperately needed" +1! When? :-)

Adam Australia

SNI desperately needed... I third Jeff's comment. Adam Australia

Brian

While we're piling on suggestions, custom 503 error pages :)

Thomas Bachmann

I found out that newly created Elastic Beanstalk instances now also use ELBSecurityPolicy-2014-01 by default.

What about RC4, it's considered weak/broken. What would be a good setting without RC4 but still support IE6 on WinXP?

Lionel

SNI +1!

Barryplatt

Another vote here for SNI. It is now supported in CloudFront, so can we expect this to come soon for ELB?

The comments to this entry are closed.
