I have AWS EC2 instance that sends the response using HTTP. The URL link is as below:
http://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
This works fine with the. S3 bucket after the deployment, but, the Cloudfront blocks request that are not comes using HTTPS. How do I make sure that HTTPS also work with this URL:
https://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
Thanks.
ec2-18-233-225-132.compute-1.amazonaws.com domain belongs to AWS, not you. This means that you can't have valid SSL certificate for it. You must have your own domain if you want to enforce https between CF and EC2.
Once you get your domain, you can use https://letsencrypt.org/ to get valid free SSL cert for it. Alternatively, you can front your instance with a load balancer, and get free SSL cert for your domain using AWS ACM. Then you associate the SSL cert with the LB.
For cloudfront https handling:
Create certificate in ACM. Update cloudfront distribution to use that certificate and set ssl/TLS.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-updating-cloudfront
for EC2 https handling: You need to open HTTPS port (443). To do that, you go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group with also HTTPS available. Then, just update the security group of the instance.
After these steps, if it's still not working it is an application problem.
You have to configure the Security Group of that Instance...
At left side ,down below the EC2 dashboard ; you can see Network and Security-- then click on Security Group.Click on it ...Then edit inbound Rules...Add https ,port 443
Related
I would like to make the following structure for my web application
Visitor ==>>> CloudFront-> ALB -> ASG (nginx servers)
I have only one HTTPS certificate for my domain name. I will upload it to ACM but where to attach?
To the Cloudfront? Or to the ALB? Maybe to the hosts? Or everywhere the same?
Can I use the same in all places?
I tried to add it only to the NGINX but it can be used only locally and others from acm
Firstly you can use SSL on all levels (cloudfront, ALB, and Nginx Servers).
For Cloudfront, you need to upload your cert to ACM on us-east-1 region.
On clodfrount configuration page select alternate domain and put your domain to be used, then it will ask cert you need to select it from selection options.
For ALB you need upload it to ACM on ALB region.
While you go to listeners, then you configure listener for 443 or another you can select SSL cert on there.
For Nginx, you can use configure your nginx.conf to use cert. It will ask cert and key, you will put them on somewhere at disk.
BTW, You can configure only on cloudfront for visitors and you don't need to use SSL for internal communication if your data is not too important (Credit card etc.)
I have following setup at AWS ECS:
Container with Caddy web-server at 80 port that serves static files and performs proxying of /api/* requests to backend
Container with backend at 8000 port
EC2 instance at ECS
ALB at subdomain http://some-subdomain-12345.us-east-2.elb.amazonaws.com/ (subdomain was provided automatically by AWS) with HTTP Listener
I want to setup SSL certificate and HTTPS Listener for ALB at this subdomain that was provided by AWS - how I can do it?
P.S. I have seen an option for ALB with HTTPS Listener when we are attaching custom domain i.e. example.com and AWS will provide SSL certificate for it. But this is a pet project environment and I don't worry about real domain.
You can put your ALB behind CloudFront, which unlike ALB gives you a TLS certificate by default. So you can address your application at e.g.:
https://d3n6jitgitr0i4.cloudfront.net
Apart from the TLS certificate, it will give you the ability to cache your static resources at CloudFront's edge locations, and improve latency on the TLS handshake roundtrips.
I want to setup SSL certificate and HTTPS Listener for ALB at this subdomain that was provided by AWS - how I can do it?
You can't do this. This is not your domain (AWS owns it) and you can't associate any SSL certificate with it. You have to have your own domain that you control. Once you obtain the domain, you can get free SSL certificate from AWS ACM.
This could be a solution without using subdomains but using path redirection
https://caddy.community/t/caddy-2-reverse-proxy-to-path/9193
I have enabled HTTPS for my custom domain name (haydenclay.page), but I also need the Beanstalk url (app-name.elasticbeanstalk.com) to run through HTTPS as well.
HTTPS does not work currently, because the cert name matches my custom domain name, yielding: ERR_CERT_COMMON_NAME_INVALID
I need HTTPS because I make API requests, and going from HTTPS to HTTP throws a mixed content error. How can I enabled HTTPS on the beanstalk url?
I have already tried making an alias
Sadly you can't enable https directly for app-name.elasticbeanstalk.com domain. This is because this domain is controlled by AWS. You can only register SSL certificates for domains that you control.
If you want to server your content from EB over ssl, you have generally three options.
Front your instance with load balancer. This is the easiest* way as you can associated ACM SSL certificate with the balancer for your domain.
Front your EB instance with CloudFront (CF). You can setup alternative name for your cloudfront domain with your CF distro and your SSL cert. You can also use ACM for that. Also easy setup, but it should be noted that traffic between CF and your EB instance will be http only, unless you also setup your own SSL cert (not from ACM) on the instances (point 3).
Install your own SSL certificate (not from ACM) directly on the EB instance, using nginx. This requires manual setup and a valid public certificate. Popular choice is LetsEncrypt, to get the SSL cert from.
If you use CloudFlare, go to DNS -> Records
Type: CNAME
name: api
Content: "YOUR_URL.eu-west-1.elasticbeanstalk.com"
Proxy status: Proxied
And call your new url: api.your_domain.com
I want to add my ec2 load balancer to my domain, under mysite.com/api/etc. On route53 it only lets me add a subdomain. In theory I could do api.mysite.com but I want to see if mysite.com/api is possible first. Currently in my route53 record sets, I just have one for mysite.com and www.mysite.com, (www.mysite.com points to my cloudfront which points to my s3 bucket which redirects to the mysite.com bucket). The reason for all of this is that I want to be able to make https api calls to my ec2 server, but it appears I get a several errors with my current configuration. When I access it via browser, I receive an ERR_CONNECION_TIMED_OUT, and when I use python.requests, I get a
SSL.ERROR: HTTPSConnectionPool...(Casused by SSLError(CertificatError
("hostname 'my-ec2-env-us-east-1.elasticbeanstalk.com'
doesn't match either of 'mysite.com, www.mysite.com)
I assume this certificate error is causing my browser timed out error (I'm fairly certain my other configurations are correct, I added my HTTPS port 443 to security groups with inbound settings to allow 0.0.0.0/0 and ::/0, and I selected the 2016-8 SSL Policy. To resolve this certificate error, I assume I need to purchase another domain/add it onto my existing domain, add a certificate to it, and have the endpoint be my EC2 load balancer.
I have a blog(codeoverflow.in) hosted on aws-ec2 instance. I am using cloudfront and acm certificate to provide ssl for my blog. But when I access codeoverflow.in or www.codeoverflow.in, cloudfront redirect me to https version successfully but gives the following error:
The request could not be satisfied. CloudFront wasn't able to connect
to the origin. Generated by cloudfront (CloudFront) Request ID:
TE89T-COJiVFgBGUpBG_2gWd6Iim3c-svHsborUct49O9Owjb3nl6g==
I have type A and type AAAA alias records for both codeoverflow.in and www.codeoverflow.in in route 53, all pointing to cloudfront distribution.custom ssl certificate is also configured for both domains.as of now I have dissociated elastic ip from ec2, but I want to use it as well together with cloudfront and ec2. Please help me to configure all three together.
It looks like you're trying to connect to your origin via HTTPS, but it doesn't sound like you have SSL enabled on your instance.
The easiest thing to do is use a hostname for your origin - i.e. www-origin.codeoverflow.in. Create a load balancer that listens on both 80 & 443, deploy an appropriate cert to that (you may have to create a new one, or create a wildcard) and put your instance behind that listening on port 80. Finally, create an ALIAS record in Rour53 from www-origin to your load balancer.