I have a VueJS front-end application running on S3 being served as a static website.
I have a NodeJS (behind an nginx reverse proxy, plus a few other services) backend application running on an EC2 instance that the VueJS app talks to (over http currently).
I have a domain successfully pointed at the VueJS app (S3 bucket) with the configured SSL certificates using Route53 / CloudFront / ACM.
However, now the VueJS app will not communicate with the EC2 instance backend as it is still using HTTP which is now not allowed.
So what is the best way to configure this? I can't run certbot on the ec2 instance and generate an SSL certificate for my domain as there are certificates already being used for the S3 bucket.
Should I just create a self-signed certificate?
Can I create another certificate for a subdomain perhaps (api.example.com say) and set up DNS record for that to point to my EC2 instance IP address?
How is this usually done, what is best practice?
So a self-sign cert wont work, it wont pass validation as there is no known CA behind it ( Certificate authority) I mean you can install it but the browser is going to complain..
Im not sure I understand why you cant use certbot.. s3 / ec2 are two seperate services so I'm a bit confused here?
You can use letencrypt to generate a cert for the server and have it installed as well but if you have clusters you may be better served by installing it on the actual ALB, however this does not ensure end-to-end if the cert is not installed on all backend systems, (that would require installing the cert on all systems in the cluster) You requirements will dictate this really.
If you are unable to generate a cert with letsencrypt you can get an SSL from ssls.com and just installed the PEM or CRT on the server / load balancer too though.
Usually you create some subdomain like you said for your api and create a certificate for that subdomain. On AWS in particular, you can use an elastic load balancer and use ACM /Route53 with that for ease of certificate management, but that does carry costs of the load balancer.
Alternative is to just put an API gateway in front of your EC2 instance as a reverse proxy, which will carry some costs, but maybe not as much depending on traffic volume.
Related
Context: Right now I have an Angular static site setup on S3, a domain registered through Route53, and SSL through Cloudfront. I have an express backend on Elastic Beanstalk that I want to interface with using https. The EB app has a load balancer and nginx proxy by default.
Possible Solutions:
Assign my load balancer a SSL certificate but it seems I can only do this with a custom domain at least through the AWS certificate manager. It does give me the option to use the certificate I generated from the frontend but I'm not sure if that is a good idea.
Add an origin on my cloudfront that points to my EB express app. I'm not sure if this is secure or even possible. The idea is that I could make API calls from www.myapp.org (s3 hosted) to www.myapp.org/api (EB hosted).
Get a new custom domain and give that an ssl certificate and point it to my EB app?
If there are any other options, I would be happy to hear about them.
Background
I am trying to deploy a dummy application with React frontend and Django backend interacting via REST api. I have done the following:
Use a S3 bucket to host static website and deploy my react code to it
Put Cloudfront for S3 bucket - set up certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off Elastic Beanstalk environment following the python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access django admin site using the path of elastic beanstalk and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this faq and updated configuration in load balancer that accepts 443 https and redirects to 80 http. But I am using same certificate as from CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default EB url will HTTP only. To use HTTPS you need to deploy SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associated an SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from godaday). So in this case you can setup a subdomain (e.g. api.my-domian.com) on godady. Then you can use AWS ACM to register a free public SSL certificate for api.my-domian.com.
Once the certificate is verified, using either DNS (easier) or email technique, you deploy it on your ALB using HTTPs listener. Obviously you will need to point api.my-domian.com to the EB's https url. You can also redirect on your ALB http traffic from port 80 to 443 to always use https.
Then in your front-end application you only use https://api.my-domian.com, not the original EB url.
There can be also CORS issues alongside this, so have to be vary of them as well.
I am using EC2 and working with NGINX (by PuTTY); I chose AWS Public Certificate therefore I understood that to use HTTPS I need to configure the NGINX too.
I found some tutorial about it, but everywhere they add ssl_certificate and ssl_certificate_key that I haven’t seen in AWS certification.
How I can find AWS SSL certificates and ssl_certificate_key?
Or is there another solution for this?
You can only use ACM SSL certificates with AWS Load Balancers, CloudFront and API Gateway. it is not possible obtain the certificate from ACM and install it directly on a server.
You can attach certificates issued with ACM to the AWS Load balancer and hide your instance behind the load balancer, more on this here
If you want to manage ssl directly on your Nginx you will need to issue certificate with another tool i.e letsencrypt.
Using Free Let’s Encrypt SSL/TLS Certificates with NGINX
it is now possible by using:
AWS Certificate Manager for Nitro Enclaves
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html
https://aws.amazon.com/about-aws/whats-new/2020/10/announcing-aws-certificate-manager-for-nitro-enclaves/
It is now possible with Nitro Enclaves, but is rarely a good solution for a single-instance NGINX host. At the moment, an ec2 nitro enclave demands a full 2 vcpus for itself. Unless the instance is large enough to trivially spare 2 vcpus, this method likely involves a bump in ec2 instance size, which eliminates any cost or simplicity advantage over using a load balancer.
I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching
Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will mantain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
Or you can set up your certificate at EC2 instance directly. Here is how to do this with Nginx for example https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2
I am not into SSL at all, so bear with me please. I have no idea how to start to actually solve my problem.
Current situation:
1x Webserver with Webspace for a Website and it includes a Domain Administration, also to order SSL Certificates etc.
1x Different Webserver at Amazon Web Services with a PHP-based Software on it with Login etc.
A Subdomain that I created in the Domain Administration is pointing via DNS to the IP of the AWS.
What I need:
I want an https Connection (SSL) for the Subdomain that is pointing to the AWS so that the connection/login is secure.
My question is what I have to do on the side where I have the Domain Administration and after that what I have to do on the side of the AWS.
Thank you so much!
You have several options in hand,
If you already have a SSL certificate purchased, you can include it inside the webserver (e.g; configure apache for SSL).
If you plan to use free SSL certificates from Amazon, you can use one of the following options after creating a SSL certificate in AWS Certificate Manager.
Create a AWS CloudFront Distribution and attach the SSL certificate there while configuring an origin to forward traffic to the specific web server. However, you need to create the SSL certificate in North Virginia region and there won't be any upfront costs for CloudFront). CloudFront acts as a proxy and you can explicitly instruct to cache the static content reducing the load for web server and improving the performance.
The other option is to create a Application Load Balancer (ALB) and attach the SSL certificate there ( Create the SSL certificate in the same region) while forwarding traffic to the web server. However, this will add a monthly reoccurring costs for the ALB.
All you need to do is, on AWS ACM (AWS Certificate Manager) procure a certificate for your subdomain and use AWS ELB to use the certificate and point to the AWS webserver.
After this use the ELB IP in the DNS settings.
There are other options too like procuring the subdomain certificate and installing it on the webserver on AWS.