AWS EC2 - access dockerized rest api service over https - amazon-web-services

I have a nodejs API hosted on an EC2 instance (ubuntu server) which is running on PORT 5000.
Using http:// i can access this API over public-api:5000 but I can not access it over https.
I have opened all ports in the security group and allowed access from anywhere but still it is not possible.
What do I have to do, in order to access my API via https instead of only http?

For HTTPS to work you need TLS/SSL Certificates. Just enabling the port (default is 443 for https) will not work. You can get free TLS certs on AWS using AWS ACM service. You should have access to Domain and should be able to update the domain records for ACM to verify your cert.
You can terminate TLS on Load Balancer or on your application. You have to handle https traffic. Reference here

Related

Can I setup SSL on an AWS provided ALB subdomain without owning a domain?

I have following setup at AWS ECS:
Container with Caddy web-server at 80 port that serves static files and performs proxying of /api/* requests to backend
Container with backend at 8000 port
EC2 instance at ECS
ALB at subdomain http://some-subdomain-12345.us-east-2.elb.amazonaws.com/ (subdomain was provided automatically by AWS) with HTTP Listener
I want to setup SSL certificate and HTTPS Listener for ALB at this subdomain that was provided by AWS - how I can do it?
P.S. I have seen an option for ALB with HTTPS Listener when we are attaching custom domain i.e. example.com and AWS will provide SSL certificate for it. But this is a pet project environment and I don't worry about real domain.
You can put your ALB behind CloudFront, which unlike ALB gives you a TLS certificate by default. So you can address your application at e.g.:
https://d3n6jitgitr0i4.cloudfront.net
Apart from the TLS certificate, it will give you the ability to cache your static resources at CloudFront's edge locations, and improve latency on the TLS handshake roundtrips.
I want to setup SSL certificate and HTTPS Listener for ALB at this subdomain that was provided by AWS - how I can do it?
You can't do this. This is not your domain (AWS owns it) and you can't associate any SSL certificate with it. You have to have your own domain that you control. Once you obtain the domain, you can get free SSL certificate from AWS ACM.
This could be a solution without using subdomains but using path redirection
https://caddy.community/t/caddy-2-reverse-proxy-to-path/9193

EC2 instance server not accepting HTTPS requests

I Created an EC2 instance that is running perfectly over http.but when i try to replace http to https i got this printed on the browser This site can’t provide a secure connection. the security group that is associated to this instance is configured to allow requests from both HTTP and HTTPS as in the attached image:
You are trying to run https over a port that has been configured for HTTP.
There are multiple options to get around this:
Setup a proxy on your local server, such as Nginx. Setup certbot to generate your SSL and then serve this from your proxy.
Create an ELB in front of your server, generate a certificate in ACM and add your server as a target (running http) to the ELB. Use the load balancer for SSL termination.
Create a CloudFront distribution in front of your server, generate a certificate in ACM and forward traffic to your server as the origin (running http).

Does AWS NLB pass through SNI values when terminating TLS? (Routing via SNI)

AWS Network Load Balancers support TLS termination. This means a certificate can be created in AWS Certificate Manager and installed onto a NLB and then TCP connections using TLS encryption will be decrypted at the NLB and then either re-encrypted or passed through to a non-encrypted listener. Details are here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html.
The benefits of using AWS Certificate Manager are that the certificate will be managed and rotated automatically by AWS. No need to put public-facing certificates on private instances.
I'd like to route TCP connections to the NLB based on the SNI, i.e. connections to the same port and IP can be routed to different targets based on the server name that was requested by the client. Whilst I can see that multiple TLS certificates for a given listener are supported using SNI to determine which certificate to serve up, I don't see how to configure listeners based on SNI.
I have therefore put HAProxy behind a NLB and want to route to different backends using SNI. I terminate TLS with the client at the NLB, reencrypt the traffic between NLB and HAProxy using a self-signed certificate on HAProxy, then route to the backends using unencyrpted TCP.
(client) --TLS/TCP--> (NLB on port 443) --TLS/TCP--> (AWS target group on port 5000, running HAProxy) --TCP--> backends on different IPs/ports
Does AWS NLB pass through the SNI details to the target groups?
If I connect directly to HAProxy (not via NLB) then I can route to the backend of choice by using SNI, but I can't get the SNI routing to work if I connect via the NLB.
According to this SO answer and to the istio docs, if you terminate TLS on the load balancer it won't carry SNI to the target group. I had the exact same issue and I ended up solving it by setting the host as '*' on the ingress Gateway and then specifying the hosts on the different VirtualServices (as recommended here).
I think that this solution could also work but didn't tried it. You would have to set the certificate on istio Gateway secret and do a TLS pass through on the NLB, but then you can't use the AWS ACM SSL certificates as pointed out on the previous link.

AWS - Load balancer with TLS termination but using self-signed certs to back-ends?

Question
Is it possible to have a load balancer in AWS handle TLS termination for a real certificate, while also having it use a self-signed certificate on the back-end? If so, how?
Conext
This way, I could pay for the certificate once for one server (the LB) and then still have TLS between the LB and the large number of back-end servers. The front-end user would be happy as they would get a real cert and no warnings, and the back-end app would be secure via the self-signed cert.
Thats possible, You can use trusted cert on ELB and self signed cert on backend. once you configure listener (for frontend on port 443 and valid cert) and Target group on port 443 for backend, the entire traffic should be encrypted. Client would see cert used on ELB/ALB and you can also restrict backend to allow connects only from ELB/ALB.
You can use ACM cert on ELB/ALB which is free.

https secure on AWS ec2

I have an app running on aws ec2 (all is fine) but I want to use https do I need a certificate? And do the input traffics ports have to be set to a speciffic number - the app is supported by node and express
For HTTPS, yes you need a certificate. You can use AWS Certificate Manager to obtain a certificate.
Since you are using a NodeJS application, you can use a Nginx proxy to terminate the HTTPS.
For HTTPS default port is 443.
You can refer this documentation to configure HTTPS termination.