GCP load balancer does not redirect its own IP to domain - google-cloud-platform

I have set up a GCP load balancer following the steps as displayed on https://cloud.google.com/load-balancing/docs/https/ext-http-lb-tf-module-examples#with_a_backend . I have created an A record at my DNS provider and I am successfully able to reach my service through the domain name. I have also created an HTTP-to-HTTPS redirecting load balancer, which only redirects when visiting the domain name.
However my problem is that I can also still directly access my load balancer's IP address over HTTP, which in turn redirects to my backend service, thus allowing insecure access to my service. I am not sure what steps there are to debug my configuration or if anyone has experienced something similar.

The simplest method is to redirect HTTP to HTTPS at your backend. That method provides you with more options and control.
Tip: if the client arrives at an IP address, you most likely want to discard that traffic. That traffic is typically hackers, trolls, etc.
You can also set up a redirect in the load balancer:
Set up an HTTP-to-HTTPS redirect for global external HTTP(S) load balancer
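The backend-side approach the answer recommends, as an added example that is not part of the original post or of the linked GCP docs: a small WSGI middleware that refuses requests addressed to the bare IP (Host header absent, an IP literal, or not one of our domain names) with a 421 and no redirect, sends plain-HTTP requests for the real domain to the same URL over HTTPS, and adds HSTS to HTTPS responses. It assumes the load balancer forwards the client's original scheme in X-Forwarded-Proto, and that example.com / www.example.com stand in for the poster's domain; both are assumptions, not facts from the page.

```python
"""Added example: refuse bare-IP requests, redirect HTTP to HTTPS at the backend.

Assumptions (not stated on the page): the load balancer forwards the client's
original scheme in X-Forwarded-Proto, and example.com / www.example.com stand
in for the poster's domain.
"""
import ipaddress
from urllib.parse import quote

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # placeholder domain names
HSTS = "max-age=31536000; includeSubDomains"


def normalize_host(host):
    """Lower-case the Host header; strip port, IPv6 brackets and trailing dot."""
    host = (host or "").strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:443
        host = host[1:host.index("]")] if "]" in host else host[1:]
    elif host.count(":") == 1:               # name:port or v4-address:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(host, forwarded_proto, path, query):
    """Classify a request as (status, location).

    (421, None)  Host absent, an IP literal or not ours: refuse without
                 redirecting, so scanners hitting the bare LB IP learn nothing.
    (301, url)   our domain over plain HTTP: same URL over HTTPS.
    (None, None) our domain over HTTPS: pass through to the application.
    """
    h = normalize_host(host)
    if not h or is_ip_literal(h) or h not in ALLOWED_HOSTS:
        return 421, None
    if (forwarded_proto or "").lower() != "https":
        target = "https://" + h + quote(path or "/", safe="/%:@&=+$,;~")
        if query:
            target += "?" + query
        return 301, target
    return None, None


class ForceHttpsAndHost:
    """WSGI middleware that applies decide() in front of the real application."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        status, location = decide(
            environ.get("HTTP_HOST", ""),
            environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "")),
            environ.get("PATH_INFO", "/"),
            environ.get("QUERY_STRING", ""),
        )
        if status == 421:
            start_response("421 Misdirected Request", [("Content-Length", "0")])
            return [b""]
        if status == 301:
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(st, headers, exc_info=None):
            # Reached only for HTTPS requests, the only place HSTS may be sent.
            headers = [hd for hd in headers if hd[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS))
            return start_response(st, headers, exc_info)

        return self.app(environ, with_hsts)


def backend(environ, start_response):
    """Stand-in application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


app = ForceHttpsAndHost(backend)


def run_request(environ):
    """Drive the WSGI app in-process; returns (status line, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Trusting X-Forwarded-Proto is only safe when the backend accepts connections from the load balancer alone; a client that can reach the instance directly could otherwise set the header itself and skip the redirect. The 421 is what a WSGI app can do; an nginx front end would typically use `return 444;` in a catch-all `server` block to drop the connection instead.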

Related

SSL certification not working when I don't use https before my domain name

So I was able to get SSL certificate for my website and it is on AWS but for some reason when I input www.mydomain.com or mydomain.com it still shows unsecured on the browser but when I add https to mydomain.com it shows the secure icon. Please anyone with how to solve this?
The reason is the server has no redirection policy; you need to add a redirection policy to redirect the site from HTTP to HTTPS.
If you are using an Application Load Balancer you can go through the article below to set up HTTP to HTTPS redirection.
redirect-http-to-https-using-alb
If you are using Nginx, then you can look into redirect-http-to-https-in-nginx
https-everywhere
SSL in web applications is only carried out when your user loads the website using HTTPS. Generally in this situation you would want to perform a redirect (a 302 is initially preferable to a 301 as it is not permanent, in the event of a rollback).
There are a number of ways you can trigger a redirection without having to make any server changes; it all depends on your infrastructure setup.
If the first point of call is CloudFront you can update your viewer protocol policy to Redirect HTTP to HTTPS. CloudFront will redirect any HTTP request before they touch the origin.
If you're using an application load balancer then you can update your listener rule for HTTP to redirect HTTP to HTTPS. As with the above, requests would not be forwarded to your host.
Otherwise if you're using a Classic Load Balancer, Network Load Balancer or just plain EC2, then it falls to you to modify the configuration of your hosts to do the redirect (remembering to set it to a 302).
Below are links for most common web servers:
Apache
Nginx
IIS
Tomcat
Once you're happy with the redirect, feel free to set as a 301.
The above answer works, but in addition, if you are using a load balancer with your AWS EC2 instance you can follow this video link for the best explanation and practice.
How to redirect HTTP traffic to HTTPS in the EC2 Elastic Load Balancer

How can I use https protocol on AWS Load Balancer URL?

I made an AWS Load Balancer for a simple ECS Fargate server (with Flask). Because the server will be used as my main server's API, and because the main server uses 'https', I have to use HTTPS on my Load Balancer's URL.
But when I want to make an SSL certificate using ACM, I can't verify that the URL of the Load Balancer is mine because the load balancer doesn't have any information (I think).
If I add my email info on the URL (or Load Balancer), I can do this, but I have no idea..
Until now, I thought using AWS Route 53 could help me, but I don't know what I have to do.
What can I do about this problem?
To use ACM you need to have control of the domain you're attempting to validate. As the load balancer URL is owned by Amazon (not yourself), only an Amazon employee with domain control is capable of performing the actions to validate the domain.
Instead you would need to generate an ACM certificate for your own domain, which you can validate; you would then need to add a DNS record resolving the domain to the CNAME of the load balancer. When you access it in the browser you would need to access it from that domain and not the load balancer's.

Kubernetes service (load balancer) doesn't work with custom domain name

I have a Kubernetes service I exposed with a custom domain name. When I try to access the service using the custom domain, it fails (just loading forever). But if I use the IP, it works. Do I need to configure something somewhere? I am using GKE.
When I ping the URL, it's trying to hit the correct IP. Also ping works.
The LoadBalancer service is a layer 4 load balancer and thus only uses the IP to route traffic to your backend pods. If ping works and the site loads correctly when you use the IP address, this shows that the load balancer is directing traffic correctly.
There is likely a setting in your web server that is looking at the URL and is having issues loading when a URL is used. Check your container logs to see if any errors are returned when you use a URL instead of the IP.

Application Load Balancer Redirects

I have an EC2 instance which hosts a web site running in IIS. I have also set up an AWS Application Load Balancer with an HTTPS listener into which I have added my web site's SSL certificate (held in AWS Certificate Manager). The HTTPS listener redirects traffic to my target group which in turn points to my EC2 instance. The EC2 instance uses a security group to only allow traffic from the Load Balancer.
Firstly, am I correct in thinking that the Application Load Balancer decrypts the SSL traffic and as a result, this is forwarded to my target group using HTTP (in other words, my EC2 instance's security group only needs to accept HTTP traffic from the Load Balancer and I can remove my SSL certificate from IIS)?
Secondly, the main problem that I am experiencing at the moment is that the site has relative paths to some of the resources (CSS, JavaScript, etc). As a result I am getting mixed content errors in my Firefox console when I browse the site. I set up an HTTP listener in my Load Balancer to redirect traffic to HTTPS but this doesn't seem to be working for relative paths.
I don't particularly want to edit the site to change relative paths to fully qualified HTTPS URLs as it is a very complex content management system. Also, before using the Load Balancer the site was serving content perfectly (the DNS entry pointed to my EC2 instance's public IP address and there was a rewrite rule in IIS to handle non HTTPS traffic).
Any advice would be greatly appreciated.
For your first query, I think yes. You can remove your SSL certificate from IIS and set the EC2 instance's security group to accept HTTP traffic from the Load Balancer.
For your concern on relative path's problem, please go through this link: After introducing ALB, Mixed Content Error happened
I think it will be helpful.
Open your browser, click on the Network tab and check whether these calls are going somewhere else which is using HTTP; these are outgoing calls from your application and a redirect will not fix this issue. See the screenshot.
It seems like the same error in your case: you are serving images from some other site, not from the EC2. That means those requests which the EC2 server is supposed to answer will work fine, but those where your code tries to pull a JS file or other resources are outgoing calls, and this has nothing to do with the LB redirect rule.
Better to update your application and all the URLs to HTTPS.
When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle attacks. An HTTPS page that includes content fetched using cleartext HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers. That leaves the pages unsafe.
Thanks for the replies. I managed to get to the bottom of the second issue. The site's web.config had a rewrite rule which was forcing URLs to lowercase (something to do with SEO). This was causing the problems when serving the CSS and JS files. I've made the necessary updates to this rule and it now appears to work (see IIS URL rewrite module url's to lowercase).
For the first issue, the SSL certificates do not need to be installed on the IIS web server - they are only required in AWS Certificate Manager and then to be assigned to the Load Balancer which in turn has 2 listeners - one to direct HTTPS traffic to my Target Group and one to redirect HTTP traffic to HTTPS.
My IIS site now only has HTTP bindings and only accepts HTTP traffic from the Load Balancer.
All seems to work!
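The two things this thread turns on, as an added example that is not part of the original thread: a relative path resolves against the page's own scheme, so it never produces mixed content by itself; what does is an absolute http:// reference, or a redirect (such as the lowercase URL-rewrite rule found above) whose Location is built from the plain-HTTP request the backend saw behind a TLS-terminating load balancer instead of the client's original scheme. The HTML page and the redirect headers below are constructed for the example, example.com and the CDN host are placeholders, and X-Forwarded-Proto is assumed to carry the client's original scheme.

```python
"""Added example: find mixed content in an HTTPS page and spot downgrade redirects.

The sample HTML, the Location headers and the example.com domain are all
constructed for this example; X-Forwarded-Proto is assumed to carry the
client's original scheme.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource (approximate list;
# every <link href> is included, so rel=canonical etc. are also reported).
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "link": ("href",), "iframe": ("src",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "object": ("data",), "embed": ("src",),
}


class SubresourceCollector(HTMLParser):
    """Collect (tag, attribute, raw URL) for every sub-resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.refs.append((tag, name, attrs[name]))


def find_mixed_content(page_url, html):
    """Return (tag, attr, raw, resolved) for sub-resources the browser would fetch over http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for an HTTPS page")
    collector = SubresourceCollector()
    collector.feed(html)
    mixed = []
    for tag, attr, raw in collector.refs:
        resolved = urljoin(page_url, raw)   # relative and //host paths inherit https
        if urlsplit(resolved).scheme == "http":
            mixed.append((tag, attr, raw, resolved))
    return mixed


def redirect_downgrades(request_url, status, location):
    """True when a 3xx answer to an HTTPS request points at an http:// Location."""
    if not 300 <= status < 400 or not location:
        return False
    target = urljoin(request_url, location)
    return urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http"


def lowercase_redirect_location(backend_url, forwarded_proto=None):
    """Location a 'force lowercase path' rule would emit behind a TLS-terminating LB.

    backend_url is the request as the backend sees it (plain http from the LB).
    With forwarded_proto=None the rule copies that scheme and downgrades the
    client; passing the X-Forwarded-Proto value keeps the client on https.
    Returns None when the path is already lowercase.
    """
    parts = urlsplit(backend_url)
    if parts.path == parts.path.lower():
        return None
    scheme = "https" if (forwarded_proto or "").lower() == "https" else parts.scheme
    query = "?" + parts.query if parts.query else ""
    return f"{scheme}://{parts.netloc}{parts.path.lower()}{query}"


# Constructed page: two relative references, one protocol-relative, one https, two http.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/Assets/Site.css">
<script src="http://cdn.example.com/lib.js"></script>
<script src="//cdn.example.com/other.js"></script>
<script src="https://cdn.example.com/safe.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://example.com/images/banner.png">
</body></html>
"""
```

Running `find_mixed_content("https://example.com/Some/Page", SAMPLE_HTML)` reports only the two absolute http:// references; `/Assets/Site.css`, `images/logo.png` and the `//cdn...` script all resolve to https. The CSS request is still at risk from the rewrite rule: `lowercase_redirect_location("http://example.com/Assets/Site.css")` yields an http:// Location, which `redirect_downgrades` flags, while passing the forwarded scheme keeps it on https.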

Google Cloud Load Balancer IP Not Redirecting

Good evening, I am currently trying to set up a load balancer for my server. I successfully set everything up, however when I go to Google Domains to set the IP record I get the following error: "mysite.com unexpectedly closed the connection."
http://prntscr.com/npm04o
http://prntscr.com/npm0ot
Also when I type the IP manually in the browser I get the same error. However when I set my IP record to a VM machine IP that comes from my instance group, the load balancer IP starts to redirect to my site. I would like to get the load balancer IP to work with my Google Domains records.
Picture of configuration
http://prntscr.com/npm3ye
I think you are connecting to the load balancer using HTTPS. You do not have a front-end configured for HTTPS. Specify http:// and try again. If this is not the case, then go to Stackdriver and check the logs for your HTTP(s) Load Balancer.
Note: You have not provided enough information in your question. You need to provide the frontend, backend and health check configurations.
Once you have everything working, your DNS resource record TTL should be longer than 1 minute; otherwise clients will constantly have to resolve your DNS names. Using a CNAME instead of an A record adds another lookup. Use an A record instead.