Dear Stack Overflow community. This question has been asked before, but my question is a little bit different.
So I am using Elastic Beanstalk to deploy my Django backend and RDS for the database (PostgreSQL).
EB generated a link for my backend --> http://XXXXX.region.elasticbeans.com. The issue is that when I send a request from the frontend side (HTTPS), it gives a "Blocked loading mixed active content" error, which comes from an HTTPS to HTTP request. As far as I am concerned I have to change the configuration of the Load Balancer of my EC2 instance and add redirection. In order to successfully do that I am required to have an SSL certificate. However, when I use ACM (Certificate Manager) in order to generate one using the exact same link for the backend, it automatically rejects my request.
So my question is: what is the exact process of obtaining the SSL cert. for the default EB link, or maybe there are easier ways to redirect HTTP to HTTPS from the AWS console?
Regards.
So my question is: what is the exact process of obtaining the SSL cert. for the default EB link,
There is no process, as this is not possible. You need to have your own domain (e.g. myapp.com). Only then can you set up SSL using ACM. Once you have your own domain, the full process of setting up HTTPS on EB is in the AWS docs.
Related
I have a backend service I'm running in Fargate. I need this service to have an SSL cert on its load balancer so that it can talk to other HTTPS services. I've created the load balancer and it gives me an AWS domain (my-cool-app.us-east-1.elb.amazonaws.com).
Now, when I try to request a certificate through ACM, it fails and says "Additional verification required". So I'm not sure if it's possible to add an SSL cert to this load balancer without registering a custom domain?
Also, this is a Django app and I haven't done anything other than keep it as runserver which I know isn't good for production but I just need to start by making it work as a dev environment. Do I need to change the way Django runs in order for SSL to work? Or is the load balancer sufficient?
To use an SSL certificate for a domain you need to have control over that domain. For the AWS managed certificate service (ACM) you can verify through either DNS validation or email validation; for both you must essentially have control of the domain to validate.
As you're trying to use ACM for an AWS-owned domain, someone from AWS would need to approve the SSL (which they won't).
Regarding your second point, what you're describing is SSL offloading, in which the load balancer will serve HTTPS and then terminate encryption in transit. It will then forward the request to the Fargate container using the protocol and port defined in the target group.
The only thing you want to consider is how you display to the user, for example ensure that all CSS, JS and links on your site are HTTPS. You can detect whether the incoming request used HTTPS at the load balancer by inspecting the X-Forwarded-Proto header in your application.
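The X-Forwarded-Proto check described in this answer, written as a small WSGI middleware that can wrap a Django application. This is an added example, not code from the original posts; the host name api.example.com, the /health/ path and the names ForwardedProtoMiddleware, demo_app and call are assumptions made for illustration.

```python
ALLOWED_HOSTS = {"api.example.com"}   # assumption: the custom domain on the certificate
HEALTH_PATH = "/health/"              # assumption: path probed by the LB health check


class ForwardedProtoMiddleware:
    """Redirect plain-HTTP requests that arrive through a TLS-terminating LB."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS, exempt=(HEALTH_PATH,)):
        self.app = app
        self.allowed_hosts = set(allowed_hosts)
        self.exempt = set(exempt)

    def __call__(self, environ, start_response):
        # WSGI exposes the X-Forwarded-Proto request header under this key.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        path = environ.get("PATH_INFO", "/")
        if proto == "https":
            # The client spoke HTTPS to the load balancer; tell the app so
            # that any absolute URL it builds uses the https scheme.
            environ["wsgi.url_scheme"] = "https"
            return self.app(environ, start_response)
        if path in self.exempt:
            return self.app(environ, start_response)
        host = environ.get("HTTP_HOST", "")
        if host not in self.allowed_hosts:
            # Never build a redirect target from an unrecognised Host header.
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        query = environ.get("QUERY_STRING", "")
        location = f"https://{host}{path}" + (f"?{query}" if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    """Stand-in for the Django WSGI application; echoes the scheme it sees."""
    body = environ["wsgi.url_scheme"].encode()
    start_response("200 OK", [("Content-Length", str(len(body)))])
    return [body]


def call(app, **environ):
    """Invoke a WSGI app with a constructed environ; return (status, headers, body)."""
    seen = {}
    env = {"wsgi.url_scheme": "http", "PATH_INFO": "/", **environ}
    body = b"".join(app(env, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], body
```

The header can only be trusted when the container accepts traffic solely from the load balancer, because a client that reaches the app directly can set it itself. Django's built-in settings for the same behaviour are SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT.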
Background
I am trying to deploy a dummy application with a React frontend and Django backend interacting via REST API. I have done the following:
Use an S3 bucket to host static website and deploy my React code to it
Put CloudFront for S3 bucket - set up certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off Elastic Beanstalk environment following the python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access Django admin site using the path of Elastic Beanstalk and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this FAQ and updated configuration in load balancer that accepts 443 HTTPS and redirects to 80 HTTP. But I am using the same certificate as from CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default the EB URL will be HTTP only. To use HTTPS you need to deploy an SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associate SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from GoDaddy). So in this case you can set up a subdomain (e.g. api.my-domian.com) on GoDaddy. Then you can use AWS ACM to register a free public SSL certificate for api.my-domian.com.
Once the certificate is verified, using either the DNS (easier) or email technique, you deploy it on your ALB using an HTTPS listener. Obviously you will need to point api.my-domian.com to the EB's HTTPS URL. You can also redirect HTTP traffic on your ALB from port 80 to 443 to always use HTTPS.
Then in your front-end application you only use https://api.my-domian.com, not the original EB URL.
There can also be CORS issues alongside this, so you have to be wary of them as well.
I've created an EC2 instance, installed a service and I was able to route it to my address with Route 53. So I can go to example.com/myservice and see it in the browser.
However, in the browser, I get a small info card in the address bar that says
"Not secure" and information about not entering sensitive information.
What does this message mean? How can I avoid this message? What do I need to change in my existing setup?
All info is welcome, as this is fairly new for me.
This means that you are connecting to your website using the HTTP protocol, not HTTPS. HTTP is not secure as all data is in plain text, while in HTTPS your data is encrypted.
To rectify the issue you can install an SSL certificate directly on your instance or leverage a Load Balancer or CloudFront in front of the instance.
Some useful links from AWS documentation:
Tutorial: Configure SSL/TLS on Amazon Linux 2 for direct installation of the certificate
Add an HTTPS Listener for Application Load Balancer
Using Alternate Domain Names and HTTPS for CloudFront
My team is creating an app that involves sharing bank details. For a feature that involves instant verification of bank accounts, we have used a third party vendor, Dwolla, who provide a secure interface for entering the bank account details.
This is from Dwolla:
https://developers.dwolla.com/resources/dwolla-js/instant-account-verification.html
Our app is hosted on an AWS server: EC2 instance on IIS, S3 storage.
First, do I need to install SSL on AWS server?
If yes, how should I do it?
I have been looking for answers everywhere, but I can't find an exact resolution.
Please help.
To install the SSL certificate, it will depend on some specifics of your environment:
If you use a single instance with IIS you must acquire an SSL certificate from an external CA. It will cost you some money and they will guide you how to request and emit the certificate. With the certificate emitted you'll need to upload it to your OS and configure IIS to use it;
If you use a pool of instances behind a load balancer provided by AWS you can request a certificate from AWS for free and configure the load balancer to use the emitted certificate (https://aws.amazon.com/certificate-manager/?nc1=h_ls).
If you do not use an AWS load balancer, you can create an AWS CloudFront Distribution (https://aws.amazon.com/cloudfront/), use your IIS as origin and configure your free AWS Certificate in the distribution.
We started using PKISharp win-acme to get free LetsEncrypt SSL certificates for our IIS in EC2 and it works like a charm, auto-renew every 2-3 months without issue, very easy to set up from "dos" prompt (run as administrator)...
To help pkisharp do its job, keep your 80 and 443 binding on the same site, you can configure a "url rewrite" rule to redirect all 80 requests to 443.
The tool will add a task in the Windows scheduler to handle the auto-renew.
We've been using Certify (https://certifytheweb.com) with no issues on IIS. Free for less than 3 domains, cheap for up to 100 domains. Use this on all our servers. Turnkey solution with great debugging tools.
What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, CloudFront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances, you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is set up, you can change your Apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"
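A Python counterpart to the curl/telnet check quoted in the question, which opens a verified TLS connection to port 443 and names the layer that failed. This is an added example, not code from the original posts; the function names classify and probe are illustrative, and the host passed on the command line is whatever name the certificate was issued for.

```python
import socket
import ssl


def classify(exc):
    """Name the layer at which an HTTPS connection attempt failed."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"   # chain or hostname did not verify
    if isinstance(exc, ssl.SSLError):
        return "tls"           # port answers but the TLS handshake failed
    if isinstance(exc, socket.gaierror):
        return "dns"           # name does not resolve
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"       # no timely answer on the port
    if isinstance(exc, ConnectionRefusedError):
        return "refused"       # host reachable, nothing listening on the port
    return "other"


def probe(host, port=443, timeout=5.0):
    """Open a verified TLS connection and report what the listener presents."""
    ctx = ssl.create_default_context()   # verifies both chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"stage": "ok", "protocol": tls.version(),
                        "names": names, "expires": cert.get("notAfter")}
    except OSError as exc:
        return {"stage": classify(exc), "detail": str(exc)}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it against the custom domain the certificate was issued for. Probing the load balancer's AWS-generated hostname reports `certificate`, because that name is not on the certificate.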