How to enable HTTPS in Tomcat webapp hosted on AWS EC2? - amazon-web-services

I have looked at so many webpages and tutorials, but every source is different from the others and I don't really know how to start or where to search. My scenario: I have launched a JavaScript webapp on a Tomcat which I installed on an AWS EC2 instance like it is done in this video: https://www.youtube.com/watch?v=_d-c9uGcUrU
Now I want to secure this webapp via HTTPS. So what have I done so far? I added port 443 to my security group and added 0.0.0.0/0 and ::/0 to the sources. Furthermore I edited the server.xml file in the Apache Tomcat conf directory, made Tomcat accessible on port 80 instead of 8080 and added a redirect to port 443:
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
But when I enter the URL https://ec2-[IPv4-address].eu-central-1.compute.amazonaws.com in my browser I get a connection refused error. What else should I do to get this going? Do I need an extra SSL certificate for my AWS URL? And if yes, is the AWS Certificate Manager the right way? It seems like I can enter every domain in the world in the certificate form. That confuses me. I just want the ec2-[...].eu-central-1.amazonaws.com/ URL to use HTTPS, so what should I enter there?
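For reference, this is what a complete Tomcat-side HTTPS setup looks like; it is an added example, not part of the question or of any answer on this page, and it uses Tomcat 8.5/9 connector syntax. A redirectPort on the port-80 connector does nothing by itself: Tomcat only redirects requests that a security-constraint marks as requiring a confidential transport, and something must actually be listening on 443, otherwise the browser gets exactly the "connection refused" described above. The keystore path conf/keystore.p12 and the password value are placeholders (assumptions); the keystore has to contain the server certificate plus its private key for the hostname users type. ACM certificates are designed to be attached to AWS-managed endpoints such as a load balancer, which is the pattern the other answers on this page use, and ACM does not issue certificates for Amazon-owned names such as amazonaws.com hostnames; an HTTPS connector on the instance itself needs a certificate and key file issued for a domain name you control.

```xml
<!-- server.xml: HTTPS connector added next to the existing port-80 one.
     Keystore path and password are placeholders (assumption). -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="REPLACE_WITH_KEYSTORE_PASSWORD"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- server.xml: the plain connector; redirectPort is only used for requests
     that the security constraint below marks as requiring TLS. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- web.xml of the webapp (or conf/web.xml to cover every webapp): require a
     confidential transport for all URLs, so HTTP requests are redirected to
     the HTTPS connector instead of being served in the clear. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Two practical checks after restarting Tomcat: confirm the HTTPS connector actually started (catalina.out logs a "Protocol handler" line per connector, and a keystore or password error shows up there) and confirm the process is allowed to bind ports below 1024. On Linux a non-root Tomcat cannot bind 80 or 443 without authbind or the CAP_NET_BIND_SERVICE capability, which is why many installs keep 8080/8443 and put a load balancer or a port forward in front, as the remaining answers on this page do.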

Related

Too many sessions on root apache tomcat when migrate SSL HTTPS

I was using an EC2 instance of AWS and deployed my app on root through HTTP.
Now I migrated to HTTPS but the app does not load correctly. But I can't see any errors in Chrome developer tools. The only thing I noticed different is that there are a lot of connections (350) made to the root, which is where I deployed the app. I suspect it is because of the change to HTTPS. To make my app HTTPS I am using a load balancer of AWS and the AWS Certificate Manager. Sorry for my english.
When you add SSL certificates to the Application Load Balancer, the encryption and decryption of the request is taken care of by the ALB. Read more about this here. This means that your app can operate normally and should not be concerned with the request policy.
You can create a target group and point both HTTP (port 80) and HTTPS (port 443) traffic to the same target group.
Coming to your question. It seems like you are having difficulty connecting to the ALB on port 443 (HTTPS). If your application is working as expected on port 80 (HTTP), follow this checklist to zero in on your problem:
Make sure that the security group of the ALB allows port 443 to your users or to the world
Check if the ALB has a listener configured on port 443. Read more about this in the docs here
Check if this listener points to the application target group.
As a last step, if you are using a domain name, make sure that it is pointing to the ALB and not the origin servers (EC2 in this case)
If you would like to get a better understanding of how the request flows from the user's instance to your application server, I've answered a similar question here.

Gatsby site serving on EC2 with pm2 node with aws classic load balancer needs https

I am running a Gatsby site in development mode as a dev server on EC2 with a load balancer pointing from port 80 to 8000. I have set up a CNAME on my domain DNS to point to the load balancer; this works fine. However I need to display this page as an iframe in sanity.io as a web preview and it requires HTTPS.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straight forward for the most part.
What I have done so far is created a listener for 443 HTTPS on the load balancer and added HTTPS 443 to the security group. I have successfully issued a certificate to the subdomain I am using with AWS and attached it to the load balancer listener.
Gatsby has an article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass the command below.
Where in the AWS Certificate Manager do I find these files? I think that is the last piece I need to get HTTPS working, correct me if I am wrong.
thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certificate and it says it's issued:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom https command with gatsby?
There is an export option but it says only for private keys. Do I need to create a private key and then I can export these files I need?
Do I even need to run HTTPS on Gatsby's side? I watched a video using Apache and no change was made to the Apache server to get HTTPS working with the load balancer.
Here is a screenshot of my load balancer listener
Here is an image of my security groups
If I run --https for gatsby develop it breaks my site; I can no longer visit it via the load balancer or port 8000. So not sure what to do here.
I would suggest not to encrypt the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer instead, it is best practice to terminate the SSL connection on the load balancer. No need to encrypt HTTP requests inside an AWS VPC (i.e. between ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: Use the same instance protocol for your targets as before: HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service. Use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x

Access AWS ALB via HTTPS from localhost

I have an AWS setup with ECS and ALB. The ALB has an HTTPS listener for which I am trying to configure the SSL certificate and forward the traffic to my ECS task.
My problem here is that in the development environment we run the application using localhost, and when trying to send data to the ALB and ECS task, traffic gets rejected, because I can't add localhost as my domain in the SSL certificate.
Is there any way I can solve this problem?
Maybe you can add your domain name to your hosts file.
127.0.0.1 dev.example.com
That way, when you request dev.example.com, it will go to your localhost.
Your local application can then talk to the ALB and your browser will see it with the right SSL certificate.
The issue was in Route53 and the record sets. I created a new subdomain in Route53, services.example.com, with an A record type and an Alias targeting the ALB. Then I used this subdomain in the frontend.
There is no need to add anything to hosts file.

How to run my website as https which is running as Docker swarm cluster in AWS?

I am working on Docker Swarm and AWS. I do not have much knowledge of it.
Please correct me if my question is wrong and kindly help me to solve my problem.
I have my docker swarm cluster running in AWS under a loadbalancer.
I created a certificate from Amazon certificate Manager for https to my load balancer.
In the load balancer tab under Listeners, if I set HTTPS as the load balancer protocol and HTTP as the instance protocol like below, when I type https://website-url in the browser it automatically redirects to HTTP.
LoadBalancerProtocol  LoadBalancerPort  InstanceProtocol  InstancePort  Cipher  SSL Certificate
HTTPS                 443               HTTP              80            Change  6e7528d6-8261-4d61-b1d3-3c2548e1b575 (ACM)  Change
But I want the website to be run as https not as http.
So I changed it like below, making the instance port 443 and its protocol HTTPS.
LoadBalancerProtocol  LoadBalancerPort  InstanceProtocol  InstancePort  Cipher  SSL Certificate
HTTPS                 443               HTTPS             443           Change  6e7528d6-8261-4d61-b1d3-3c2548e1b575 (ACM)  Change
But after this, https://website-url keeps loading without any response in the browser.
After doing some searching, I came to know that an ACM certificate only works for the load balancer, not for the backend instance.
That is, at the instance level I need to enable HTTPS for Apache.
The docker swarm cluster has 1 manager and 3 worker nodes. All the host instance OS is Alpine OS. The containers inside the nodes are Centos-7.
The containers are running as a service in the cluster.
Please guide me on this,
Do I need to configure a self-signed certificate for Apache inside the container or on the host instance?
I want my website to run as HTTPS, not HTTP.
Kindly show me what steps are required.
Thanks
The load balancer port is what people talk to your load balancer on, so load balancer port 80 and 443 is correct.
The instance port is what port the load balancer talks to your webserver on. In this case for you both should be 80, unless your webserver is listening on 443 with a valid SSL cert (Not the case as you are using an AWS cert.)
Then in your code or your webserver what you need to do is check the X-Forwarded-Proto header http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html and if it's not https re-direct to https.
https://www.allcloud.io/how-to/how-to-force-https-behind-aws-elb/ has a couple examples.
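As an added example of the redirect logic the answer above describes (this is not code from the linked articles or from the question's Apache setup), the following Python WSGI middleware decides purely from X-Forwarded-Proto whether to send a 301 to the HTTPS URL. Two points matter beyond the bare header check: the header is only honoured when the TCP peer is the load balancer, since any other client can write an X-Forwarded-Proto header itself, and the load balancer's HTTP health-check path is exempt, because a Classic ELB health check expects a 200 and would mark the instance unhealthy if it only ever received redirects. The trusted subnet 10.0.0.0/8 and the health-check path /healthz are constructed sample values, not taken from the page.

```python
"""Force HTTPS for an app behind an AWS load balancer that terminates TLS.

The balancer talks plain HTTP (port 80) to the instance and records the
client's original scheme in X-Forwarded-Proto, so the redirect decision has
to read that header instead of looking at the local socket.
"""
from ipaddress import ip_address, ip_network

# Constructed sample values (not from the page): the subnets the load
# balancer connects from, and the path its HTTP health check probes.
TRUSTED_PROXY_NETS = [ip_network("10.0.0.0/8")]
HEALTH_CHECK_PATHS = {"/healthz"}


def from_trusted_proxy(remote_addr):
    """True when the TCP peer is inside one of the load balancer's subnets."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def original_scheme(headers, remote_addr):
    """Scheme the client used, as reported by a trusted proxy.

    X-Forwarded-Proto is only honoured when the connection really comes from
    the load balancer; any other peer could have written the header itself.
    """
    if from_trusted_proxy(remote_addr):
        # Chained proxies append values ("https, http"): the first hop wins.
        first = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return "http"  # a direct hit on the plain port is plain HTTP


def https_redirect(headers, remote_addr, path):
    """Return (status, location) when the request must be redirected, else None."""
    if path.split("?", 1)[0] in HEALTH_CHECK_PATHS:
        return None  # keep the ELB health check answering 200
    if original_scheme(headers, remote_addr) == "https":
        return None
    host = headers.get("Host", "")
    if not host:
        return None  # no hostname to redirect to; let the app answer
    return ("301 Moved Permanently", f"https://{host}{path}")


def force_https(app):
    """WSGI middleware applying https_redirect() before the wrapped app."""
    def wrapper(environ, start_response):
        headers = {
            "Host": environ.get("HTTP_HOST", ""),
            "X-Forwarded-Proto": environ.get("HTTP_X_FORWARDED_PROTO", ""),
        }
        path = environ.get("PATH_INFO", "/")
        if environ.get("QUERY_STRING"):
            path += "?" + environ["QUERY_STRING"]
        result = https_redirect(headers, environ.get("REMOTE_ADDR", ""), path)
        if result is None:
            return app(environ, start_response)
        status, location = result
        start_response(status, [("Location", location), ("Content-Length", "0")])
        return [b""]
    return wrapper


if __name__ == "__main__":
    # Constructed request, shaped as the load balancer forwards it over HTTP.
    def hello(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]

    env = {"REMOTE_ADDR": "10.0.1.7", "HTTP_HOST": "www.example.com",
           "HTTP_X_FORWARDED_PROTO": "http", "PATH_INFO": "/login",
           "QUERY_STRING": "next=%2F"}
    force_https(hello)(env, lambda status, hdrs: print(status, dict(hdrs)))
```

Wrap the application object once (`application = force_https(application)`) and keep the instance listening on plain port 80 as the answer recommends; the browser never sees a redirect loop because the Location it is sent points at the load balancer's HTTPS listener, which forwards to port 80 with X-Forwarded-Proto set to https.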

Beanstalk-Docker configuration issues for serving HTTP/HTTPS requests

I have an application deployed on Elastic Beanstalk which is built using Ruby on Rails, Nginx-Passenger and a multi-container Docker configuration. A load balancer is also configured for the same.
I have also uploaded an SSL certificate (from a third party) to IAM. If I configure ContainerPort as 80 in Dockerrun.aws.json, then the application responds only over HTTP; if ContainerPort is configured as 443, then it responds only over HTTPS. Even if both ContainerPorts are specified in Dockerrun.aws.json, Beanstalk uses only one of them.
With Beanstalk, I am not able to expose more than one port for my container. That is, I can either open it for HTTP or HTTPS. Both do not work together. What I'm trying to achieve is that if anyone visits the link on HTTP, it should automatically redirect to HTTPS and serve the request. Currently, at a time, only one of the two will work due to the Dockerrun.aws.json configuration.
I have also configured Load balancer configuration to use HTTPS. Screenshot below for your reference. Please let me know if I'm missing any configuration.