This is my first time playing around with web development. I'm trying to deploy a simple dockerized Flask application to my domain (example.com).
First, I've deployed the Flask application listening on port 80 of my EC2 instance. All it does is render a frontend on the index path ('/').
I've connected the Cloudfront to https://example.com with a certificate created through ACM.
Next, I created an application load balancer (ALB) on top of the EC2 instance, by adding a listener on port 443 and forwarding traffic to a target group on the EC2 instance instance and port 80.
Within the Cloudfront settings, I have set my the origin as my load balancer through the AWS Cloudfront "add custom origin" settings.
However, once I navigate to either the Cloudfront URL or https://www.example.com, I run into a 502 error.
I've tried several steps to debug including checking the security group of the application load balancer and invalidating Cloudfront cache. I'm also able to view the http:// version of my EC2 instance just fine so I think it is something with the connection between cloudfront and the load balancer. After Googling around, my thought was that this particular 502 error might be an issue with the certificate of the load balancer, since I'm using that same certificate for the cloudfront.
I tried to follow steps to add my load balancer URL (ending in .com) to ACM but got that my certificate status was failed. I was wondering: is this what is going on and how can I issue a free valid certificate for my application load balancer using ACM? There are many sources that say this is possible, but I haven't been able to figure it out. Thanks!
Related
I have an application running on an AWS EC2 instance, port 8501. I cannot change the port for multiple reasons. I set up a reverse proxy with nginx using this YT tutorial to redirect http://[domain].com to port 8501.
That works fine.
I obtained an SSL certificate from AWS Certificate Manager and have since learned that AWS certificates only work with certain AWS services, here, here, and here. However, none of those StackOverflow links--or the AWS instruction pages linked therein--actually described how to connect the https request to the Application Load Balancer to the EC2 instance as set forth by my nginx reverse proxy above.
That is, I've more or less followed this YT tutorial to set up a load balancer and attach the SSL certificate obtained from AWS Certificate Manager, but when I type https://[domain].com, I receive a "site can't be reached" error. http://[domain].com still works.
I've tried both HTTP:80 and HTTPS:443 for the Protocol:Port in my Target Group required by AWS Load Balancer. What more do I need to do?
EDIT: added images with ALB settings, etc:
load balancer listeners
target group overview
nginx config settings
Background of the Application
I have MERN Stack Application running (where frontend reactJS is running inside NodeJS backend server)
The whole application is then wrapped inside Docker Container
Then Deployed in AWS ECS EC2 (using single Service & Task) behind a single Application Load Balancer.
Created a Hosted Zone in AWS Route 53 to Point my domain name to Load Balancer
Now the application is successfully running when I visit my domain name.
Problem Araised Here
The website is "Not Secure"!! — I want to install SSL Certificate
I went to AWS Certificate Manager
Successfully got a certificate by adding CNAME in the AWS Hosted Zone Records
Configured Security Group, Load balancer Listeners to HTTPS
Added that Certificate to Load Balancer listener
Actual Problem
I got the certificate, connected to load balancer,
I can see my certificate in the address bar - "Certificate is Valid"
And still, it shows my the Site is "Not Secure" - Below image is for your reference.
Error in the Console (Edited)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure resource 'http://my-alb-XXXXXXX.us-xxxx-X.elb.amazonaws.com/api/goals'. This request has been blocked; the content must be served over HTTPS.
My Assumption of What Went Wrong
Since AWS ALB has its own DNS Name, which is "Not Secure"
Connecting my new secured domain name TO an unsecured AWS ALB DNS name would be the problem.
Appreciate Your Response
Thank you,
ARUN
I am running a Gatsby site in development mode as a dev server on EC2 with a loadbalancer pointing from port 80 to 8000. I have setup a cname on my domain dns to point to the load balancer this works fine. However I need to display this page as an iframe in sanity.io as a web preview and it requires https.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straight forward for the most part.
What I have done so far is created a listener for 443 https on the loadbalancer and added https 443 to the security group. i have succsufully issued a certificate to the subdomain I am using with aws and attached it to the loadbalancer listener.
Gatsby has a article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass this command below
Where in the aws certificate manager do I find these files. I think that is the last piece I need to get https working, correct me if I am wrong.
thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certficate and it says it's issued
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom https command with gatsby?
There is a export option but it says only for private keys. Do I need to create a private key and then I can export these files I need?
Do I even need to run https on gatsby's side. I watched a video using apache and no change was made to the apache server to get https working with the loadbalancer.
Here is a screenshot of my loadbalancer listenr
Here is a image of my security groups
If I run the --https for gatsby develop it breaks my site I can no longer visit it via the loadbalancer or port 8000. So not sure what to do here.
I would suggest not to encrypt the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer instead, it is best practice to terminate the SSL connection on the load balancer. No need to encrypt HTTP requests inside an AWS VPC (i.e. between ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: Use the same instance protocol for your targets as before: HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service. Use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x
I am trying to setup HTTPS across my app which consists in a frontend (S3 bucket distributed with CloudFront), and a backend (node.js app inside Elastic Beanstalk).
For the CloudFront part, I created an SSL certificate in N. Virginia (apparently I don't have a choice here) and I made the binding in the CloudFront distribution. It works and my app is served over HTTPS.
For the Elastic Beanstalk part, I created an SSL certificate in Ireland (where my EBS app is hosted) and I bound this certificate to the EBS load balancer using the port 443. It works and I can reach my server with HTTPS using Postman.
However, when my frontend tries to make an API call to the backend I get this error :
I guess I made a mistake while creating the certificates, but I cannot find it. I gave both certificates the same set of CNAMES, I am not sure if I am supposed to do that.
EDIT :
I get the exact same error after updating the frontend so that it points the DName of the load balancer (also mapped to subdomain with Route 53).
CloudFront is attempting to load an HTTPS URL from your load balancer. I assume you have an SSL certification assigned to the load balancer. The domain name of the SSL certificate on the load balancer needs to match the domain name that CloudFront is requesting.
For example if the load balancer's SSL certificate is something like beanstalk.mydomain.com then CloudFront would need to be making requests for https://beanstalk.mydomain.com. The error CloudFront is giving you says that the domain name of the SSL certificate served by the load balancer does not match the domain name djumbo-back-debug.eu-west-1.elasticbeanstalk.co.
You need to setup something like the following:
DNS Name www.mydomain.com points to CloudFront Distribution
Configured to serve www.mydomain.com
Configured with an SSL certificate for the domain www.mydomain.com
Configure to pull from the origin beanstalk.mydomain.com
DNS Name beanstalk.mydomain.com points to Elastic Beanstalk application
With a Load Balancer, with an SSL certificate for beanstalk.mydomain.com
I am really struggling to get my basic website (literally just a template without any changes, just running ASP.NET) to work with HTTPS. I am using an Elastic Beanstalk environment to host the site, and the site EC2 virtual machine is behind a load balancer (classic).
I have followed the guide here
And believe I have everything configured correctly, however when I browse to https://www.playground.cloudy-skies.org/ or even the http:// version, I get a HTTP ERROR 503.
I have created an SSL certificate using AWS certificate manager:
I have the load balancer in AWS configured like so:
As per the website documentation, my domain name is pointing to the elastic beanstalk instance, not the load balancer. I've checked the AWS official doco and it says to do pretty much this. Where am I going wrong? if I browse the site with Fiddler active I get:
Please help? I'm a software developer more than I am a network guy, so I'm doing my best here but I'm struggling and have yet to successfully create a site that uses HTTPS.
First thing if you are using Beanstalk your Route 53 will be pointing to your Beanstalk Url only. You can change even force it your Loadblancer also but it doesn't make any change.
As your HTTPS (Port 443) is not working, just check the Security Group of EC2 instance and ELB (Elastic Load Balancer). Sometimes it happens Security Group block your Port.
So in Your Inbound Rules, (for both ELB and EC2) 443 port should be included