I'm developing a Django web app which runs on a gunicorn-nginx local server.
I've followed this DigitalOcean guide to set up the web app, but I don't understand how to create an SSL certificate and use it without having a domain name.
I've found a lot of guides but none of them specify how to enable HTTPS without a domain and using a local IP.
How can I make this happen?
One way would be to create a self-signed certificate using openssl (How to generate a self-signed SSL certificate using OpenSSL?). But these certificates will not have the security layer provided by CA certificate providers.
Once you have a certificate, then you can run the gunicorn server in HTTPS mode by providing the certificate and the key (Running gunicorn on https?).
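The steps in the answer above, as an added example that is not part of the original post. The address `192.168.1.50`, the file names and the WSGI module `myproject.wsgi:application` are assumed placeholders; `-addext` needs OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example: self-signed certificate for a server reached by IP address.
# All addresses, paths and module names here are assumed placeholders.

make_ip_cert() {
    # $1 = IP address clients will connect to, $2 = output directory
    local ip="$1" dir="$2"
    mkdir -p "$dir"
    # Clients match the address against subjectAltName, not the CN,
    # so the IP must be listed there as an IP entry.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$ip" \
        -addext "subjectAltName=IP:$ip" 2>/dev/null || return 1
    # The private key is unencrypted (-nodes); keep it owner-readable only.
    chmod 600 "$dir/server.key"
}

cert_matches_ip() {
    # $1 = certificate file, $2 = IP address
    # Succeeds only if the certificate is valid for that IP.
    openssl x509 -in "$1" -noout -checkip "$2" \
        | grep -q "does match certificate"
}

serve_https() {
    # $1 = directory holding server.crt and server.key
    # Runs gunicorn directly in HTTPS mode with the generated pair.
    gunicorn --certfile "$1/server.crt" --keyfile "$1/server.key" \
        --bind 0.0.0.0:8443 myproject.wsgi:application
}

# Typical use:
#   make_ip_cert 192.168.1.50 ./tls
#   cert_matches_ip ./tls/server.crt 192.168.1.50 && serve_https ./tls
```

Because no CA vouches for this certificate, each client has to import `server.crt` as trusted; until then browsers will show a warning even though the IP matches.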
Related
I have spring app A running in beanstalk.
A is internally calling app B using http. It’s working fine.
Now I added a listener in the load balancer in app B and enabled HTTPS.
Now A is not able to call B using HTTPS and is getting a certificate exception.
Please let me know if I need to make any change in app A for disabling certificate validation or if there is any other way.
App A is calling app B using web client. Both apps are running in beanstalk.
You need to have your own domain (e.g. myapp.org). You can't use HTTPS with a default EB domain provided to you by AWS. Once you have your own domain you can get an SSL certificate using AWS ACM. The full procedure for setting up HTTPS on EB is described in AWS docs.
I have created a Node.js app and hosted it on AWS EC2.
Enabled HTTPS, HTTP in the security. I purchased a domain from an external domain provider and connected nameservers using Route 53.
Now, when I open the domain, it shows as not secure. How can I make it secure? I tried listening on port 443, but then the domain was not opening.
Can someone please help with how to make it secure or provide some good documentation for beginners?
If you don't want to use a load balancer to front your instance, then you have to get and install a third party SSL certificate on your instance for your domain.
A popular choice are certificates from https://letsencrypt.org/ (StackOverflow uses them as well). They also provide the https://certbot.eff.org/ tool for easy installation and setup of the SSL certs on a variety of operating systems and servers.
Background
I am trying to deploy a dummy application with a React frontend and Django backend interacting via REST API. I have done the following:
Use an S3 bucket to host static website and deploy my React code to it
Put CloudFront for S3 bucket - set up certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off Elastic Beanstalk environment following the Python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access django admin site using the path of elastic beanstalk and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this faq and updated configuration in load balancer that accepts 443 https and redirects to 80 http. But I am using same certificate as from CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default the EB URL will be HTTP only. To use HTTPS you need to deploy an SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associate SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from GoDaddy). So in this case you can set up a subdomain (e.g. api.my-domian.com) on GoDaddy. Then you can use AWS ACM to register a free public SSL certificate for api.my-domian.com.
Once the certificate is verified, using either the DNS (easier) or email technique, you deploy it on your ALB using an HTTPS listener. Obviously you will need to point api.my-domian.com to the EB's HTTPS URL. You can also redirect HTTP traffic on your ALB from port 80 to 443 to always use HTTPS.
Then in your front-end application you only use https://api.my-domian.com, not the original EB URL.
There can also be CORS issues alongside this, so you have to be wary of them as well.
I have made a Flask application to use only as an API. I have hosted it on AWS using nginx and gunicorn. I intend to use the API to run my Android application. There is a part in the application where I have to download something using Android Download Manager, but it only downloads things hosted on HTTPS domains. So I want to make my application HTTPS instead of HTTP. But every tutorial shows me a way with a purchased domain. I don't have much information on it yet, but I can't get an SSL certificate from Amazon without a purchased domain name (which is pointless for an API). I just want to know how I can do this. How can I make my nginx server listen to HTTPS requests?
I have hosted it on aws using nginx and gunicorn.
I think you need a domain name to get ssl on AWS.
It is not allowed in AWS.
One part of HTTPS is encryption, the other part is identity verification. What you're asking for is impossible since it is required that you verify your domain name. Without this no certificate authority will sign a certificate. You cannot have a publicly valid certificate if it's self-signed. ACM (Amazon Certificate Manager), an AWS service, will not allow you to create a certificate without a valid domain name.
I need to add SSL to several Node.js services, each one listening on its own port, which have NGINX to map them to our public "api" domain.
Due to the release of a new security policy, all services must now be enforced to only work on SSL connections.
Since I'm not used to working with SSL certificates, it's not clear to me what the advantage can be of setting up SSL on NGINX and making NGINX itself proxy-pass to an http:// connection, or having the real Node.js endpoint be an SSL server (and then proxy-pass to https://).
I guess with the NGINX solution, I could re-use the same SSL cert adding it to our "api" domain, while each different SSL node server would need a different cert.
Then it's not clear to me if in a production environment like this I should be using self-signed certificates (since the endpoint is touched through other services) or if it should be a CA-trusted certificate exactly as it would be for a public domain.
What am I missing in these considerations?
I assume the NGINX is public facing, and the Node.js services are internal (i.e. not accessed directly by public web users).
You would only secure the connection between the public web and your NGINX. The transport between the NGINX and the Node.js services is internal, and doesn't need to be secured. It's a big waste of CPU.
For the NGINX you buy a certificate from a valid certificate authority. For internal services you may use self-signed (ie. your own internal certificate authority generated certificates), but as said above, you shouldn't need to use SSL internally.