Proxy through EC2 Instance on lambda functions locally using squid - amazon-web-services

So I have a Lambda function that sends a request to an API through the EC2 IP and everything works fine...
Except when I try to send the request locally while testing it doesn't work, as the EC2 IP is the only whitelisted IP and my IP is dynamic, so it changes a lot.
What I thought of doing is adding Squid and proxying through it, which works fine if I use SSH to connect to it, whether the requests are sent to HTTP or HTTPS, but that created another problem: not all the developers will have access to that EC2 instance...
So I made it publicly available and put basic authentication on it, except now it doesn't make requests to HTTPS unless it's Google or certain websites.
My question is: why do requests to HTTPS always not work when connecting to the proxy without the SSH tunnel, but if it's something like Google it works instantly, because they have fewer redirects?
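The post does not include its squid.conf, so the following is an added example (not the poster's configuration): a minimal squid.conf that forwards authenticated HTTP and HTTPS traffic, together with the access.log check to run when HTTPS through the proxy fails. HTTPS reaches a proxy as a CONNECT request, and Squid's stock rules refuse CONNECT to any port not listed in SSL_ports, so the first thing to look for is a TCP_DENIED entry against the API's host:port. The helper path, the client source range, the API hostname and port 8443 are assumptions.

```shell
# Added example: squid.conf with basic auth plus the CONNECT rules for HTTPS,
# and a log check for refused CONNECTs. Paths and addresses are assumptions.

# ASSUMPTION: Debian/Ubuntu helper path; RHEL-family systems use
# /usr/lib64/squid/basic_ncsa_auth. The password file comes from
#   htpasswd -c /etc/squid/passwd devuser
write_squid_conf() {
    cat > "$1" <<'EOF'
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm dev-proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED

# HTTPS arrives as "CONNECT host:port". Squid refuses CONNECT to anything
# outside SSL_ports, so an API on a non-standard TLS port (8443 here, an
# assumption) has to be listed explicitly; www.google.com:443 works without it.
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 8443
acl CONNECT method CONNECT

# ASSUMPTION: the team's office/VPN egress range. Basic-auth credentials cross
# the client-to-proxy hop in cleartext, so a proxy open to 0.0.0.0/0 hands them
# to anyone on the path; restrict the source, or keep the SSH tunnel.
acl trusted_clients src 203.0.113.0/24

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !trusted_clients
http_access allow authenticated
http_access deny all

http_port 3128
EOF
}

# Constructed access.log lines (default "squid" log format): one tunnel that
# worked, one CONNECT refused because 8443 was missing from SSL_ports, one GET.
SAMPLE_ACCESS_LOG='1700000000.101    315 203.0.113.7 TCP_TUNNEL/200 5120 CONNECT www.google.com:443 devuser HIER_DIRECT/142.250.74.36 -
1700000000.102      0 203.0.113.7 TCP_DENIED/403 3945 CONNECT api.example.com:8443 devuser HIER_NONE/- text/html
1700000000.103     88 203.0.113.7 TCP_MISS/200 1860 GET http://api.example.com/health devuser HIER_DIRECT/198.51.100.10 application/json'

# Print the host:port of every CONNECT that Squid denied (log on stdin).
# Usage on the instance:  denied_connect_targets < /var/log/squid/access.log
denied_connect_targets() {
    awk '$4 ~ /^TCP_DENIED/ && $6 == "CONNECT" { print $7 }'
}

# Live check from a developer machine (not run here: needs the proxy).
# A 403 on the CONNECT step, rather than a TLS error, points at http_access.
check_https_via_proxy() {
    proxy_host=$1 user=$2 pass=$3 url=$4
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --proxy "http://${proxy_host}:3128" --proxy-user "${user}:${pass}" "$url"
}
```

Run `squid -k parse` after editing the file, then reload and retry with `check_https_via_proxy`; the verbose form (`curl -v`) shows the proxy's reply to the CONNECT line itself, which is where a rule denial surfaces.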

Related

Sending Requests from postman to AWS ec2 instance

I have my EC2 instance running a Docker image and I'd like to test the functionality of my routes with Postman; however, whenever I ping the EC2 public DNS, it says connection refused. I have the security group opened up for all traffic from my machine and am running the Postman desktop app. The example route I'm trying to hit is
https://{IP address here}.compute-1.amazonaws.com:6000/register
and I'm sending a POST request with some JSON in it. All of this works fine on my local machine. Please tell me what I'm missing?
You can't use https:. Instead you must use http:, as the default EC2 instance URL does not support HTTPS. For valid HTTPS, the easiest way is to set up an ALB or set it up on the instance directly.

How to allow calls to Cognito from an AWS ECS container instance?

I have a setup with an ALB and a target group created by ECS. I'm using Fargate and created a build pipeline by following this article. My app is built with .NET Core and I have an Angular frontend. Got all this working, I'm able to deploy my code changes, but I'm a bit stuck with the following issue.
I'm using Cognito for authentication and a custom domain that I set for the hosted UI. It seems that, from the browser, when I try to hit an endpoint that is secured, I get a 504 Gateway error, which somehow is not doing the redirect to Cognito in the browser. All this works fine when I run the application on localhost.
When I looked at the logs, I noticed the following exception:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://cognito-idp.<region>.amazonaws.com/<region_and_a_code>/.well-known/openid-configuration'
Apparently, it can't establish a connection to Cognito. My containers are using only port 80, my target group instances are also using port 80, the ALB uses HTTPS on 443, which directs the traffic to the target group, and for ALB port 80 I just redirect to 443.
I tried a few different things, like setting the authority value instead of the metadata address, tried using a BackChannelHttpHandler to execute the HTTPS call, tried updating the port mappings to allow communication on 443, but somehow it seems that it gets overridden by the task definition that I have created when I set up the build pipeline. The network mode in my task definition is now awsvpc, and if I try to set it to host, it will complain that I can't use it with Fargate.
What do I need to do to allow the HTTPS request from my Docker container instances to reach Cognito?
You are trying to set this up in a public ALB. This setup using a private NLB will work, and might work with a private ALB as well. You can then set up VPC private links to get at the services you need access to.
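An added diagnostic (not from the question or the answer above) for the IDX20803 failure: the call to cognito-idp.<region>.amazonaws.com is outbound from the task, so the ALB listeners play no part in it. What decides whether it leaves the VPC is the task subnet's default route (a NAT gateway for a private subnet, or an internet gateway plus a public IP on the task) and the task security group's egress rules for 443. Subnet, security-group and pool identifiers below are assumptions.

```shell
# Added example: outbound-path checks for a Fargate task that cannot reach
# Cognito. AWS CLI calls are wrapped in functions and not run here.

# All routes of the table attached to the task's subnet, as text:
#   "Destination GatewayId NatGatewayId" per line. A subnet with no explicit
# association uses the VPC main table (filter association.main=true instead).
subnet_routes() {        # subnet_routes subnet-0123456789abcdef0
    aws ec2 describe-route-tables \
        --filters "Name=association.subnet-id,Values=$1" \
        --query 'RouteTables[].Routes[].[DestinationCidrBlock,GatewayId,NatGatewayId]' \
        --output text
}

# Classify that output: "nat" (private subnet with a NAT gateway), "igw"
# (public subnet; the task then needs assignPublicIp=ENABLED in its network
# configuration) or "none" (no default route, so no path to Cognito at all).
# Null fields print as "None" in AWS CLI text output.
classify_default_route() {
    awk '$1 == "0.0.0.0/0" {
            if ($3 ~ /^nat-/) { print "nat"; found = 1; exit }
            if ($2 ~ /^igw-/) { print "igw"; found = 1; exit }
         }
         END { if (!found) print "none" }'
}

# Constructed samples of the text output for the three cases.
ROUTES_PRIVATE_WITH_NAT='10.0.0.0/16 local None
0.0.0.0/0 None nat-0123456789abcdef0'
ROUTES_PUBLIC='10.0.0.0/16 local None
0.0.0.0/0 igw-0123456789abcdef0 None'
ROUTES_ISOLATED='10.0.0.0/16 local None'

# Egress rules of the task's security group; 443 to 0.0.0.0/0 must be present
# (the ECS default SG allows all egress, a hand-made one often does not).
task_sg_egress() {       # task_sg_egress sg-0123456789abcdef0
    aws ec2 describe-security-groups --group-ids "$1" \
        --query 'SecurityGroups[].IpPermissionsEgress[].[IpProtocol,FromPort,ToPort,IpRanges[].CidrIp]' \
        --output text
}

# The same fetch the .NET middleware performs, run inside the task via ECS Exec.
# "000" means the TCP/TLS connection never completed (routing/SG); any HTTP
# status means the network path is fine and the problem is elsewhere.
cognito_metadata_probe() { # cognito_metadata_probe us-east-1 us-east-1_Example
    curl -sS --max-time 5 -o /dev/null -w '%{http_code}\n' \
        "https://cognito-idp.$1.amazonaws.com/$2/.well-known/openid-configuration"
}
```

Run `subnet_routes <task subnet> | classify_default_route` first; "none" or "igw" without a public IP on the task reproduces exactly the symptom in the log, a metadata fetch that never connects, which the ALB then reports to the browser as a 504.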

Connection refused error with AWS + Hashicorp Vault

I have configured a HashiCorp Vault server on an EC2 instance. When trying to use Postman to test the transit secrets engine API I keep getting a connection refused error in Postman. I went full ape mode and opened all ports on the security group inbound rule and it didn't work; I attached an Elastic IP to the instance and it didn't work either. I'm just trying with a simple GET and I just keep getting the same connection refused error.
When I use curl on the SSH-connected session I have no issues though. The specified hosted address is 127.0.0.1:8200; in Postman I replaced that localhost with the public address of the instance, which I obviously censored in the screencap. In the headers there's the token needed to access Vault; for simplicity I was just using the root token.
Postman screencap, if it helps
#Emilio Marchant
I have faced a similar issue (not with Postman, but with telnet). Let's try to understand the problem here.
The issue is with the 127.0.0.1 IP. This is the loopback IP, and when you (or your computer) call an IP address, you are usually trying to contact another computer on the internet. However, if you call the IP address 127.0.0.1 then you are communicating with the localhost, in principle with your own computer.
Reference link : https://www.ionos.com/digitalguide/server/know-how/localhost/
What you can try is below.
Start the Vault dev server with the -dev-listen-address parameter.
Eg:
vault server -dev -dev-listen-address="123.456.789.1:8200"
In the above command replace '123.456.789.1:8200' with '<your EC2 instance private IP>:8200'.
Next set the VAULT_ADDR and VAULT_TOKEN parameters as below:
export VAULT_ADDR='http://123.456.789.1:8200'
export VAULT_TOKEN='*****************'
Again replace 'http://123.456.789.1:8200' with 'http://[your EC2 instance private IP]:8200'.
For VAULT_TOKEN: you should get a root token in the console when you start the Vault server; use that token.
Now try to connect from Postman or using the curl command. It should work.
Reference question and solution :
How to connect to remote hashicorp vault server
The notable thing here is that the response is "connection refused". This error means that the connection is getting established and it found that there are no processes running on that port. This error means that there is no issue with the firewall. A firewall will cause the connection to either drop (reject) or time out (ignore), but won't give ECONNREFUSED.
The most likely issue is that the Vault server process is not bound to the correct network interface. There must be a configuration option in HashiCorp Vault to set the IP on which to bind. Most servers, by default, bind only on the loopback address, which is accessible only from 127.0.0.1. You need to bind it to "all" network interfaces by changing that to 0.0.0.0. I am not aware of the specific configuration option of HashiCorp Vault, but there has to be something to this effect.
Possible security issue:
Note that some servers expect you to run them behind a reverse proxy so that you can set up SSL (HTTPS) and other authentication if needed. Applications like Vault servers should not be publicly accessible over HTTP without SSL.
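To make the two answers above concrete, here is an added example (not from the thread) of the Vault configuration option they are looking for, the `listener "tcp"` block, together with the bind-address check that distinguishes "process listens on loopback only" from "process not running". Dev mode (`vault server -dev`) is what produced the 127.0.0.1:8200 listener: in-memory storage, TLS off, root token printed to the console, meant for local experiments only. The private IP, certificate paths and storage path are assumptions.

```shell
# Added example: a Vault listener bound to the instance's private address with
# TLS, and an `ss` parser for the bind-address check. Addresses are assumptions.

# ASSUMPTION: 10.0.1.5 is the instance private IP and the certificate was issued
# for it (or for an internal DNS name pointing at it). Binding to the private IP
# rather than 0.0.0.0 keeps the API off the public interface entirely; reach it
# over a VPN, SSM port forwarding or a peered VPC, with the security group
# limited to that source, instead of the public address + root token approach.
write_vault_config() {
    cat > "$1" <<'EOF'
listener "tcp" {
  address       = "10.0.1.5:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
  # tls_disable = 1    <- the weak setting: API tokens in cleartext on the wire
}

storage "file" {
  path = "/opt/vault/data"
}

api_addr = "https://10.0.1.5:8200"
ui       = false
EOF
}
# Start it with:   vault server -config=/etc/vault.d/vault.hcl
# Clients then use: export VAULT_ADDR=https://10.0.1.5:8200
# and a token from an auth method (AWS IAM/EC2 auth, AppRole), not the root token.

# Which address a process listens on for a given port, from `ss -ltn` output
# on stdin. Usage on the instance:   ss -ltn | listening_addr 8200
#   127.0.0.1  -> only local clients; remote clients get "connection refused"
#   10.0.1.5   -> reachable from the VPC (subject to the security group)
#   0.0.0.0    -> every interface, including the public one
# No output at all means nothing is listening, the other cause of the same error.
listening_addr() {
    awk -v port="$1" '$1 == "LISTEN" && $4 ~ (":" port "$") {
        sub(":" port "$", "", $4); print $4 }'
}

# Constructed `ss -ltn` output before (dev server) and after (config above).
SS_DEV='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8200      0.0.0.0:*         users:(("vault",pid=1234,fd=8))'
SS_FIXED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   10.0.1.5:8200       0.0.0.0:*         users:(("vault",pid=1290,fd=8))'
```

One caveat on the firewall reasoning above: an AWS security group drops silently, so it does produce a timeout rather than a refusal, but a host firewall rule such as an iptables or nftables REJECT with a TCP reset also yields ECONNREFUSED. Run the `ss` check on the instance before concluding which of the two it is.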

AWS Instance Security Group to give access to itself via TCP

I have an Apache server running the front end (Angular), which relies on an API that is hosted on the same instance as Apache. I don't want my API (Express) open to the public yet, but I need access to it from my front end, which shares the same IP. Things I've tried:
Setting the API base URL as 'localhost' doesn't seem to work.
Adding a security rule in AWS security groups to allow connections only to the same IP (to itself) doesn't work.
Is there any workaround for this?
Connections to the same IP are always open by default. You may need to add the private IP of the EC2 instance as your API base URL (the port you know better). CORS too should be enabled for that private IP.
First of all, using Angular as the front end means needing an API that can be accessed publicly; you just need to implement security, because you only serve the UI to the client user and their browsers are the ones accessing the API, not the server hosting the Angular app.
You can set up another API which can be deployed on the same server as your UI and the same URL, which will serve as a controller of your "private API" that you can manage using security groups in AWS.
Replaced ${IP} with 172.17.0.1 so it can connect to the same EC2 after restarting. Add a rule for the inbound connection from the same SG.

Curl the webpage hosted on the same EC2 instance not working

I have a web application hosted on an EC2 instance and created the DNS for it. The web page works fine when I hit the URL in the browser. However, when I curl the URL from the EC2 instance, there is no response, or rather I get a connection error.
curl: (7) Failed connect to dnsurl.com:80; Operation now in progress
Also, in my web application, I am calling a servlet from inside another servlet using the Apache POST method. This is not working as well. The same code works fine on non-EC2 servers.
Not working:
curl dnsurl.com
curl elburl.com
Working:
curl to other HTTP URLs works fine from the EC2 instance:
curl http://www.w3schools.com/Tags/ref_urlencode.asp
Your URLs resolve to the public IP addresses, so the request goes outside your EC2 instance. For that to work you need the following:
Your security group should allow outbound traffic on port 80.
Your network ACL should allow outbound traffic on port 80.
Opening the ALB (Application Load Balancer) to allow inbound traffic from the EC2 instance on port 80 has resolved the issue.
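The last two questions are the same problem from two sides: a request from an instance to a name that resolves to a public IP hairpins out through the internet gateway, and then needs outbound rules on the instance and inbound rules on whatever owns that public IP (the instance itself, or the ALB). The following is an added example, not code from either thread: the two security-group rules written with the AWS CLI, an address classifier for the `dig` result that tells you which case you are in, and the reverse-proxy alternative that keeps the Express API off the public interface altogether. Group IDs, ports and paths are assumptions.

```shell
# Added example: security-group rules for an instance reaching itself or its
# ALB, an address-scope check, and an Apache /api reverse proxy. AWS CLI calls
# are wrapped in functions and not run here; identifiers are assumptions.

# Instance -> itself on the API port, when the request targets the instance's
# own private or public IP. A rule whose source is the group itself covers
# every member of the group; traffic to 127.0.0.1 never touches the SG at all.
allow_self_ingress() {          # allow_self_ingress sg-0aaa1111 3000
    aws ec2 authorize-security-group-ingress \
        --group-id "$1" --protocol tcp --port "$2" --source-group "$1"
}

# Instance -> ALB on port 80, so the servlet-to-servlet POST that resolves the
# ALB's public name from inside the instance is accepted by the ALB's group.
allow_alb_from_instance() {     # allow_alb_from_instance sg-0alb0000 sg-0inst000 80
    aws ec2 authorize-security-group-ingress \
        --group-id "$1" --protocol tcp --port "$3" --source-group "$2"
}

# Where does the name point, as seen from the instance?
#   ip_scope "$(dig +short dnsurl.com | head -n1)"
#   public     -> hairpins via the internet gateway: outbound SG + NACL on the
#                 instance, inbound rules on the target, both apply
#   private    -> stays inside the VPC (inbound rules on the target still apply)
#   loopback   -> never leaves the host; no SG involved
#   link-local -> 169.254.x.x (instance metadata, VPC DNS); not a web target
ip_scope() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    case "$a" in
        127) echo loopback ;;
        10)  echo private ;;
        172) if [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private; else echo public; fi ;;
        192) if [ "$b" -eq 168 ]; then echo private; else echo public; fi ;;
        169) if [ "$b" -eq 254 ]; then echo link-local; else echo public; fi ;;
        *)   echo public ;;
    esac
}

# Alternative for the Express case that exposes nothing extra: bind the API to
# loopback (app.listen(3000, '127.0.0.1')) and let Apache serve it under /api on
# the same origin. The browser then calls a relative /api/... URL, so no CORS,
# no second public port, and no self-referencing SG rule is needed.
# Needs mod_proxy and mod_proxy_http enabled. ASSUMPTION: API on port 3000.
write_apache_api_proxy() {      # write_apache_api_proxy /etc/apache2/conf-available/api.conf
    cat > "$1" <<'EOF'
ProxyPreserveHost On
ProxyPass        /api/ http://127.0.0.1:3000/
ProxyPassReverse /api/ http://127.0.0.1:3000/
EOF
}
```

The classifier is deliberately broader than the two threads: it also flags the 192.168.0.0/16 range and 169.254.0.0/16, so the same check works for a Docker bridge address such as the 172.17.0.1 mentioned above (reported as private) and for the metadata endpoint.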