I agree with the above answer for Nginx by Garth Kerr.
In case of Apache:
You can terminate SSL certificates either at ELB or Apache/Nginx(server) level
In case of multi-tenant(multi-client) architecture, we may need to support different customers(with different domains - *.abc.com, *.xyz.com) under a single ELB, which will not work in an existing ELB setup.
Solution:
You can do this by adding listeners in ELB like below:
TCP 443 (instead of HTTPS - 443) - this will pass through the 443 requests
Then, you can terminate the SSL certificates at the server level
You have to purchase the certificate from external vendors (like GoDaddy) and install & terminate the certificates at the server level.
E.g.,
Apache virtual host looks like
NameVirtualHost *:443
<VirtualHost *:443>
ServerName abc.com
####abc HTTPS Certificate
SSLEngine on
SSLCertificateFile /opt/organization/site/ssl_keys/abc/abc_gd.crt
SSLCertificateKeyFile /opt/organization/site/ssl_keys/abc/abc.pem
SSLCertificateChainFile /opt/organization/site/ssl_keys/abc/abc_gd_bundle.crt
WSGIScriptAlias / /opt/organization/site/deployment-config/abc.wsgi
ServerSignature On
Alias /media/ /opt/organization/site/media/
<Directory /opt/organization/site/media/>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
NameVirtualHost *:80
<VirtualHost *:80>
ServerName abc.com
#Rewrite to HTTPS in case of HTTP
RewriteEngine On
RewriteCond %{SERVER_NAME} abc.com
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
WSGIScriptAlias / /opt/organization/site/deployment-config/abc.wsgi
ServerSignature On
Alias /media/ /opt/organization/site/media/
<Directory /opt/organization/site/media/>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>