This documents the state of Amazon Web Services' TLS termination when using an ELB:

- What you can and can't control about TLS in an ELB
- The drawbacks and ramifications of terminating on an ELB vs terminating in nginx
- The specific protocol and cipher choices to select when configuring an ELB to do the best with what we've got
In my opinion, from a TLS perspective the downsides of terminating via an ELB (versus terminating at nginx) outweigh the scalability benefits of using an ELB. I'd rather see us use Elastic IPs that we assign to load balancing servers (running e.g. haproxy or nginx) ourselves, or simply omitting load balancing from the equation when sites don't need it.
For example, https://18f.gsa.gov omits load balancing and terminates at a single medium EC2 instance. I suspect more of our sites could do the same, rather than prematurely optimize for load which may never occur.