Can I set up SSL on an AWS provided ALB subdomain without owning a domain? - amazon-web-services

I have the following setup at AWS ECS:
Container with Caddy web server on port 80 that serves static files and proxies /api/* requests to the backend
Container with backend on port 8000
EC2 instance at ECS
ALB at subdomain http://some-subdomain-12345.us-east-2.elb.amazonaws.com/ (subdomain was provided automatically by AWS) with HTTP Listener
I want to set up an SSL certificate and HTTPS Listener for the ALB at this subdomain that was provided by AWS - how can I do it?
P.S. I have seen an option for an ALB with an HTTPS Listener when we attach a custom domain, i.e. example.com, and AWS will provide an SSL certificate for it. But this is a pet project environment and I don't worry about a real domain.

You can put your ALB behind CloudFront, which unlike ALB gives you a TLS certificate by default. So you can address your application at e.g.:
https://d3n6jitgitr0i4.cloudfront.net
Apart from the TLS certificate, it will give you the ability to cache your static resources at CloudFront's edge locations, and improve latency on the TLS handshake roundtrips.

I want to set up an SSL certificate and HTTPS Listener for the ALB at this subdomain that was provided by AWS - how can I do it?
You can't do this. This is not your domain (AWS owns it) and you can't associate any SSL certificate with it. You have to have your own domain that you control. Once you obtain the domain, you can get a free SSL certificate from AWS ACM.

This could be a solution without using subdomains but using path redirection
https://caddy.community/t/caddy-2-reverse-proxy-to-path/9193

Related

AWS Where to put the https certificate

I would like to make the following structure for my web application
Visitor ==>>> CloudFront-> ALB -> ASG (nginx servers)
I have only one HTTPS certificate for my domain name. I will upload it to ACM, but where should I attach it?
To the Cloudfront? Or to the ALB? Maybe to the hosts? Or everywhere the same?
Can I use the same in all places?
I tried to add it only to NGINX, but it can be used only locally, and the others from ACM.
Firstly, you can use SSL at all levels (CloudFront, ALB, and Nginx servers).
For CloudFront, you need to upload your cert to ACM in the us-east-1 region.
On the CloudFront configuration page, select alternate domain and put in the domain to be used; then it will ask for a cert, and you need to select it from the selection options.
For ALB, you need to upload it to ACM in the ALB's region.
When you go to listeners and configure a listener for 443 or another port, you can select the SSL cert there.
For Nginx, you can configure your nginx.conf to use the cert. It will ask for a cert and key, which you put somewhere on disk.
BTW, you can configure SSL only on CloudFront for visitors, and you don't need to use SSL for internal communication if your data is not too important (credit cards etc.)

Link domain to ALB keeping https

Currently, I have a domain (mysite.com) bought in Google Domains; it's just a domain. My application is hosted on AWS, where I have my application deployed. The setup is quite straightforward - access to the application goes through an ALB (lb-123.com), which has no SSL configured yet. My problem is how to link the domain to the ALB through HTTPS to my application in AWS, which is accessed through HTTP. I should be able to access mysite.com using HTTPS, and it should access lb-123.com either through HTTP or HTTPS, but for a client it should look like it accesses HTTPS.
The ALB doesn't have an IP, only DNS - should I just use a CNAME to redirect mysite.com to lb-123.com?
Should I configure HTTPS for the ALB too? If so, then what is the right way to do it? What certificate should I use? Is there any free certificate for an ALB?
How do people usually link their domains using HTTPS with any sort of backend which has only a DNS name (e.g. AWS ALB)?
The easiest way to get SSL for your ALB is through AWS ACM, which provides free SSL certificates:
How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?
So in your case, you have to go to AWS ACM and request a free public SSL cert for your domain. The domain can be at Google; it does not matter. Once you verify that you control the domain, you will get a cert issued that you can associate with the ALB.
Then you use CNAME on google to point your domain to ALB's domain.

EC2 running NGINX behind CloudFront with HTTPS?

I have a CloudFront distribution already configured for an S3 bucket using Route53 domain with HTTPS enabled using a public certificate.
I want to use this CloudFront distribution with another origin (which is an EC2 instance running NGINX as a reverse proxy for an application on that same instance), but I also need to enable HTTPS.
The normal way I would enable HTTPS on EC2 with NGINX is to just set up the nginx configuration, point my domain's "A record" to the instance, and then request a certificate with Let's Encrypt. But how should I do it when behind CloudFront? I won't use Let's Encrypt (not necessarily important to just use it) and would like to use an AWS public certificate as I did with my S3.
Could I just configure NGINX to listen on port 80 and add this EC2 instance as an origin on the CloudFront distribution then enable HTTPS and choose my public certificate there or how should this be done to work properly?
This time I am not going to use a Load Balancer, I want a direct connection between the EC2 and CloudFront. But I would also like to know how to set this up when using a Load Balancer (for the future).
Could I just configure NGINX to listen on port 80 and add this EC2 instance as an origin on the CloudFront distribution then enable HTTPS and choose my public certificate there or how should this be done to work properly?
Yes, you can do this, but the traffic pattern will be:
Client---(HTTPS)--->CF---(HTTP)--->Instance
Which means that half of your connection (CF->Instance) will be in HTTP, which may not be desired.
If you want to have HTTPS on every path, you still need to have a valid public SSL certificate on the instance. CF will not work with self-signed certificates.

How to enable HTTPS for Elastic Beanstalk url

I have enabled HTTPS for my custom domain name (haydenclay.page), but I also need the Beanstalk url (app-name.elasticbeanstalk.com) to run through HTTPS as well.
HTTPS does not work currently, because the cert name matches my custom domain name, yielding: ERR_CERT_COMMON_NAME_INVALID
I need HTTPS because I make API requests, and going from HTTPS to HTTP throws a mixed content error. How can I enable HTTPS on the Beanstalk url?
I have already tried making an alias
Sadly, you can't enable HTTPS directly for the app-name.elasticbeanstalk.com domain. This is because this domain is controlled by AWS. You can only register SSL certificates for domains that you control.
If you want to serve your content from EB over SSL, you generally have three options.
Front your instance with a load balancer. This is the easiest* way, as you can associate an ACM SSL certificate for your domain with the balancer.
Front your EB instance with CloudFront (CF). You can set up an alternate name for your CloudFront domain with your CF distro and your SSL cert. You can also use ACM for that. Also an easy setup, but it should be noted that traffic between CF and your EB instance will be HTTP only, unless you also set up your own SSL cert (not from ACM) on the instances (point 3).
Install your own SSL certificate (not from ACM) directly on the EB instance, using nginx. This requires manual setup and a valid public certificate. A popular choice to get the SSL cert from is Let's Encrypt.
If you use CloudFlare, go to DNS -> Records
Type: CNAME
name: api
Content: "YOUR_URL.eu-west-1.elasticbeanstalk.com"
Proxy status: Proxied
And call your new url: api.your_domain.com
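The thread's two recurring facts, that a certificate for your own domain fails with ERR_CERT_COMMON_NAME_INVALID on an AWS-owned hostname (the Elastic Beanstalk and ALB answers), while the CloudFront default certificate does cover a d...cloudfront.net hostname (the first answer), both come down to RFC 6125 hostname matching. The following is an added example, not code from any answer in the thread; the certificates are constructed inline in the dict shape Python's ssl.SSLSocket.getpeercert() returns, so nothing is fetched from the network, and the CloudFront sample only approximates the real certificate's names.

```python
# Added example: RFC 6125 hostname matching against a peer-certificate dict,
# showing why a cert for haydenclay.page cannot cover app-name.elasticbeanstalk.com
# or an elb.amazonaws.com hostname, while CloudFront's *.cloudfront.net cert can
# cover a distribution hostname. Certificates below are constructed samples.

def cert_dns_names(cert):
    """DNS names a cert is valid for: the subjectAltName DNS entries, with the
    subject CN used as a fallback only when no SAN is present (RFC 6125 s.6.4.4)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the entire leftmost
    label and matches exactly one label, so *.elasticbeanstalk.com would not
    match app.us-east-2.elasticbeanstalk.com and *.com matches nothing."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False  # partial wildcards (w*.example) and bare *.tld are rejected
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def cert_covers(cert, hostname):
    """True when any name in the cert matches the hostname the browser connected to."""
    return any(dns_name_matches(n, hostname) for n in cert_dns_names(cert))

# Constructed sample resembling what ACM issues for the custom domain in the thread.
ACM_CERT_FOR_MY_DOMAIN = {
    "subject": ((("commonName", "haydenclay.page"),),),
    "subjectAltName": (("DNS", "haydenclay.page"), ("DNS", "*.haydenclay.page")),
}
# Constructed sample approximating CloudFront's default wildcard certificate.
CLOUDFRONT_DEFAULT_CERT = {
    "subject": ((("commonName", "*.cloudfront.net"),),),
    "subjectAltName": (("DNS", "*.cloudfront.net"), ("DNS", "cloudfront.net")),
}

if __name__ == "__main__":
    for host in ("haydenclay.page", "app-name.elasticbeanstalk.com",
                 "some-subdomain-12345.us-east-2.elb.amazonaws.com"):
        print(host, "covered by the ACM cert:", cert_covers(ACM_CERT_FOR_MY_DOMAIN, host))
    print("d3n6jitgitr0i4.cloudfront.net covered by CloudFront default cert:",
          cert_covers(CLOUDFRONT_DEFAULT_CERT, "d3n6jitgitr0i4.cloudfront.net"))
```

Browsers report the second and third hosts as ERR_CERT_COMMON_NAME_INVALID for exactly the reason cert_covers returns False: no name you can get issued for your own domain will ever match an AWS-owned suffix.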

SSL Certificate for subdomain that points to different server (Amazon Web Services) - Setup

I am not into SSL at all, so bear with me please. I have no idea how to start to actually solve my problem.
Current situation:
1x Webserver with Webspace for a Website and it includes a Domain Administration, also to order SSL Certificates etc.
1x Different Webserver at Amazon Web Services with a PHP-based Software on it with Login etc.
A Subdomain that I created in the Domain Administration is pointing via DNS to the IP of the AWS.
What I need:
I want an https Connection (SSL) for the Subdomain that is pointing to the AWS so that the connection/login is secure.
My question is what I have to do on the side where I have the Domain Administration and after that what I have to do on the side of the AWS.
Thank you so much!
You have several options in hand:
If you already have an SSL certificate purchased, you can install it in the web server (e.g. configure Apache for SSL).
If you plan to use free SSL certificates from Amazon, you can use one of the following options after creating an SSL certificate in AWS Certificate Manager.
Create an AWS CloudFront distribution and attach the SSL certificate there while configuring an origin to forward traffic to the specific web server. However, you need to create the SSL certificate in the North Virginia region (and there won't be any upfront costs for CloudFront). CloudFront acts as a proxy, and you can explicitly instruct it to cache the static content, reducing the load on the web server and improving performance.
The other option is to create an Application Load Balancer (ALB) and attach the SSL certificate there (create the SSL certificate in the same region) while forwarding traffic to the web server. However, this will add a monthly recurring cost for the ALB.
All you need to do is, on AWS ACM (AWS Certificate Manager) procure a certificate for your subdomain and use AWS ELB to use the certificate and point to the AWS webserver.
After this use the ELB IP in the DNS settings.
There are other options too like procuring the subdomain certificate and installing it on the webserver on AWS.