Issues putting CloudFront in front of ALB - amazon-web-services

I want to have CloudFront in front of a load balancer for a web app (built with VueJs and Nuxt), but the issue is that I get DNS_PROBE_FINISHED_NXDOMAIN when going to the CloudFront URL {key}.cloudfront.net.
I found that it might have to do with certificates. I have the same certificate on both the ALB and CloudFront, but the CloudFront certificate is stored in N. Virginia and the ALB is in Ireland, which is supposed to give me this issue.
My question is how it should be set up to work.
Today the ALB has these listeners:
HTTPS listener on port 443 with certificate (located in the Ireland region)
HTTP listener on port 80 which redirects all requests to HTTPS.
The ALB is publicly available, therefore I wanted the HTTP to HTTPS redirect.
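The setup this question describes, written out as Terraform (an added example, not from the question or its answers): the CloudFront viewer certificate is requested in us-east-1 while the ALB and its own certificate stay in eu-west-1 as the default provider region. Assumed names: app.example.com as the hostname and aws_lb.app as the existing ALB.

```hcl
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"            # CloudFront only accepts ACM certificates from this region
}

# Viewer-facing certificate for the assumed hostname app.example.com; the ALB's own
# certificate for the same name stays in eu-west-1 (the default provider's region)
resource "aws_acm_certificate" "cloudfront" {
  provider          = aws.us_east_1
  domain_name       = "app.example.com"
  validation_method = "DNS"       # validation records omitted, same procedure as for the ALB cert
}

# Managed policies looked up by name instead of hard-coding their IDs
data "aws_cloudfront_cache_policy" "no_cache" { name = "Managed-CachingDisabled" }
data "aws_cloudfront_origin_request_policy" "all_viewer" { name = "Managed-AllViewer" }

resource "aws_cloudfront_distribution" "app" {
  enabled = true
  aliases = ["app.example.com"]
  origin {
    origin_id   = "alb"
    domain_name = aws_lb.app.dns_name        # existing ALB in eu-west-1 (assumed resource name)
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"  # CloudFront -> ALB over TLS as well
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.no_cache.id
    # Forwarding the viewer Host header lets the ALB's app.example.com certificate match
    # the name CloudFront connects with, which an https-only origin requires
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
  }
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }
}
```

Point app.example.com at the distribution with a Route 53 alias record rather than handing out the *.cloudfront.net name. The Ireland certificate remains the right one for the ALB listener; it simply cannot be attached to CloudFront.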

Related

Front, backend https with one ACM, frontend is okay, but backend also https and http

One ACM was issued to *.example.com. With this, it was applied to public route 53 called example.com as CNAME, and two load balancers were connected using it. The two load balancers ran front and back-end services, respectively.
However, the problem is that https was applied to the frontend, but not to the backend.
The domain of the backend is, for example, api.example.com, which was accessible to both http and https.
I redirected HTTP 80 to HTTPS 443 on the back-end load balancer, but why didn't it apply?
The front end is redirected to https even if it is accessed through http.
An A record was given for 'api.example.com', and the backend load balancer equally has an HTTP 80 redirect to HTTPS 443.
However, if you access it through http, you see a server that does not display SSL authentication, and if you access it through https, you see a server that shows SSL authentication.
Naturally, it was set to 80 redirect 443 forward.
Check the backend load balancer if it has an SSL cert associated with it.
When you associate Route53 with an ACM SSL cert, it only validates the ownership of the domain. Route53 is a DNS service, it does not participate in SSL encryption. It is the load balancer's job in your topology.
Also, you can use an Alias record instead of CNAME to route to load balancers deployed on AWS; then the Route53 DNS calls are free. (I was not sure whether the CNAME record you mentioned was the actual routing record or just the validation one, so decided to mention that.)

Can't access server since switching to https on aws

I am deploying a MERN stack using EC2 on AWS.
I have created SSL certificates for the following domains:
example.com
*.example.com
www.example.com
The CNAME name and value for example.com and *.example.com are identical, but they are different for www.example.com.
I have set up target groups and a load balancer and edited the listener to redirect from http to https.
I have set up 3 different records in the hosted zone of Route 53 so that www.example.com, *.example.com and example.com are directed to the load balancer.
I can load https://example.com
http://example.com redirects to https://example.com
When the website loads (either by typing http or https) it does not connect to the server.
I am getting the following error in the console:
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://54.220.212.131:5000/events'. This request has been blocked; the content must be served over HTTPS.
54.220.212.131 is the site's IP and 5000 is the server's port. This is hard coded in the front end.
How should I get the client to send requests to the server for a https connection?
It sounds like you have two services running, a front-end service that you have correctly configured to run behind a load balancer, and a back-end service that you are connecting directly to via the server's IP address on port 5000.
Your backend on port 5000 is not secure, and that is exactly what the web browser's error is telling you. You need to configure all your services to run behind the load balancer. You need to create a second target group that sends traffic to port 5000 on your server, and set up a routing rule on the load balancer's listener to send all traffic for api.ticketglen.com to that target group. Then you need to change your hard-coded values from http://54.220.221.131:5000 to https://api.ticketglen.com.
What worked for me was to create the SSL certificates on the server and delete them and the load balancer altogether from the AWS platform.
The process is outlined here.

Link domain to ALB keeping https

Currently, I have a domain (mysite.com) bought in Google Domains; it's just a domain. My application is hosted on AWS, and the setup is quite straightforward: access to the application goes through an ALB (lb-123.com), which has no SSL configured yet. My problem is how to link the domain to the ALB over HTTPS while my application in AWS is accessed over HTTP. I should be able to access mysite.com using HTTPS, and it should access lb-123.com either through HTTP or HTTPS, but for a client it should look like it is accessing HTTPS.
The ALB doesn't have an IP, only DNS - should I just use a CNAME for redirecting mysite.com to lb-123.com?
Should I configure HTTPS for the ALB too? If so, what is the right way to do it? What certificate should I use? Is there any free certificate for ALB?
How do people usually link their domains over HTTPS with any sort of backend which has only a DNS name (e.g. AWS ALB)?
The easiest way to get SSL for your ALB is through AWS ACM, which provides free SSL certificates:
How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?
So in your case, you have to go to AWS ACM and request a free public SSL cert for your domain. The domain can be at Google, it does not matter. Once you verify that you control the domain, you will get a cert issued that you can associate with the ALB.
Then you use a CNAME at Google to point your domain to the ALB's domain.

Can I setup SSL on an AWS provided ALB subdomain without owning a domain?

I have the following setup at AWS ECS:
Container with Caddy web server on port 80 that serves static files and proxies /api/* requests to the backend
Container with backend on port 8000
EC2 instance at ECS
ALB at subdomain http://some-subdomain-12345.us-east-2.elb.amazonaws.com/ (subdomain was provided automatically by AWS) with an HTTP listener
I want to set up an SSL certificate and HTTPS listener for the ALB at this subdomain that was provided by AWS - how can I do it?
P.S. I have seen an option for ALB with an HTTPS listener when attaching a custom domain, i.e. example.com, and AWS will provide an SSL certificate for it. But this is a pet project environment and I don't care about a real domain.
You can put your ALB behind CloudFront, which unlike ALB gives you a TLS certificate by default. So you can address your application at e.g.:
https://d3n6jitgitr0i4.cloudfront.net
Apart from the TLS certificate, it will give you the ability to cache your static resources at CloudFront's edge locations and improve latency on the TLS handshake round trips.
I want to set up an SSL certificate and HTTPS listener for the ALB at this subdomain that was provided by AWS - how can I do it?
You can't do this. This is not your domain (AWS owns it), and you can't associate any SSL certificate with it. You have to have your own domain that you control. Once you obtain the domain, you can get a free SSL certificate from AWS ACM.
This could be a solution without using subdomains, but using path redirection:
https://caddy.community/t/caddy-2-reverse-proxy-to-path/9193

AWS certificate manager https configuration for domain

I have a slight problem with SSL.
Currently, if I route to my domain as example.com, it goes to the http version instead of the https version.
However, if I force https://example.com, it stays as https://example.com.
I'm wondering what I have to do on the Certificate Manager side of AWS to get https working when I type in example.com without the https.
I have already configured my Route 53 aliases for my domain to route to my Elastic Beanstalk URL. I also have SSL certificates for my domain example.com and *.domain.com that were both validated successfully, that are Amazon issued and also In Use.
Have you tried redirecting http traffic (80) to https (443)? This answer contains the steps.
For ALBs, you can follow the steps below:
1. Add a listener for HTTPS and forward the traffic to the target group
2. Add a listener for HTTP and forward the traffic to HTTPS
Final Setup:
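The two listener steps above, together with the second-target-group-plus-host-rule approach from the port 5000 answer earlier on this page, as one Terraform example (added here, not code from any of the answers). Assumed: var.vpc_id, var.certificate_arn (an ACM cert in the ALB's region covering example.com and *.example.com), aws_lb.app, aws_lb_target_group.web for the front end, and api.example.com as the backend hostname.

```hcl
# Assumed inputs: var.vpc_id, var.certificate_arn (ACM cert covering example.com and
# *.example.com in the ALB's region), aws_lb.app and aws_lb_target_group.web (front end)
resource "aws_lb_target_group" "api" {
  name     = "api-tg"
  port     = 5000            # the backend previously called as http://<ip>:5000
  protocol = "HTTP"          # plain HTTP only inside the VPC; TLS terminates at the ALB
  vpc_id   = var.vpc_id
}

# Step 1: HTTPS listener with the ACM certificate, forwarding to the front-end target group
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Step 2: HTTP listener whose only action is a 301 to HTTPS, keeping host and path
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      protocol    = "HTTPS"
      port        = "443"
      status_code = "HTTP_301"
    }
  }
}

# Host-based rule on the HTTPS listener: api.example.com -> port 5000 target group, so the
# browser calls https://api.example.com/events instead of an insecure http://<ip>:5000 URL
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
  condition {
    host_header {
      values = ["api.example.com"]
    }
  }
}
```

The instance security group should then accept port 5000 only from the ALB's security group, so the backend is no longer reachable directly as http://<ip>:5000 from the internet.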