In the end, I implemented the requirement of our partner as follows:
- Launched an instance in AWS
- Allocated and attached an Elastic IP (EIP) to it
- Installed Apache
- (in our case, installed our SSL certificate)
- Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB
Here's a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a <Directory> block that accepts requests only from their IP range.

    <IfModule mod_ssl.c>
        # Catch non-SSL requests and redirect to SSL
        <VirtualHost 12.34.567.890:80>
            ServerName our-static-ip-a-record.example.com
            Redirect / https://our-elb-cname.example.com
        </VirtualHost>

        # Handle SSL requests on the static IP
        <VirtualHost 12.34.567.890:443>
            ServerAdmin [email protected]
            ServerName our-static-ip-a-record.example.com

            # SSL Configuration
            SSLEngine on
            SSLProxyEngine on
            SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
            SSLCertificateFile /etc/apache2/ssl/example.com.crt
            SSLCertificateKeyFile /etc/apache2/ssl/private.key
            # Additional defaults, e.g. ciphers, defined in apache's ssl.conf

            # Where the magic happens
            ProxyPass / https://our-elb-cname.example.com/
            ProxyPassReverse / https://our-elb-cname.example.com/

            # Might want this on; sets X-Forwarded-For and other useful headers
            ProxyVia off

            # This came from an example I found online, handles broken connections from IE
            BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
            # MSIE 7 and newer should be able to use keepalive
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        </VirtualHost>
    </IfModule>

Hope this saves someone else some time in the future :-)
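
The following fragment is an added example, not part of the original answer. It shows one way to restrict the proxy to a partner's address range and to make Apache validate the ELB's certificate. It assumes Apache 2.4.5 or later syntax, and `203.0.113.0/24` is a constructed placeholder range.

```apache
# Added example (not the answer author's configuration).
# Assumes Apache 2.4.5+ with mod_ssl, mod_proxy and mod_authz_core loaded.
# Place these directives inside the <VirtualHost ...:443> block above.

# Serve only as a reverse proxy, never as a forward proxy.
# Off is already the default; stating it guards against an inherited "On".
ProxyRequests Off

# SSLProxyCACertificateFile only supplies the trust anchors. With the
# default "SSLProxyVerify none" the backend's certificate chain is not
# validated against them, so require verification explicitly.
SSLProxyVerify require
SSLProxyVerifyDepth 3

# Reject a backend certificate whose name does not match the ProxyPass
# host, or that has expired.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Proxied requests never map to a filesystem path, so a <Directory>
# block does not apply to them. Use <Location> (or <Proxy>) instead.
<Location "/">
    # Constructed placeholder: replace with the partner's real CIDR range.
    Require ip 203.0.113.0/24
</Location>
```

Requests from outside the allowed range receive a 403 from the proxy and are never forwarded to the ELB. The port 80 redirect virtual host is unaffected by this block.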