Recently, I purchases a domain from google domains namely, neurocognition.app. I initialized an EC2 instance from AWS (Free tier), got an elastic IP. added the A record, with the same elastic IP at the google website. Its been over 2 weeks but the site still won't work
What could be the possible reason? Do I have to setup my instance in a separate manner for HSTS domains. ???
So, looking at the dns: https://www.whatsmydns.net/#A/neurocognition.app your domain points to 65.0.156.79 which responds on http, but not https.
http://neurocognition.app redirects to https://neurocognition.app
this could mean one of the following:
your security group does not have port 443 open
your web server does not accept connections on port 443
Network Access Control Layer have been modified to block port 443
I would focus on the first two, which are most likely the issue here.
Check your security group, whether it has https port added in route.
Related
I was using an EC2 instance of AWS and deploy my app on root through HTTP.
Now I migrated to HTTPs but the app does not load correctly. But I cant see any errors on chrome developers tools. The only thing I noticed different is that there is a lot of connections (350) made to the root that is where I deployed the app. I suspect is because the change of https. To made my app HTTPs I am using a load balancer of AWS and the aws certificate manager. Sorry for my english.
Image 1
when you add SSL certificates to the Application Load Balancer, the encryption and decryption of the request is taken care of by the ALB. Read more about this here. This means that your app can operate normally and should not be concerned with the request policy.
You can create a target group and point both HTTP (port 80) and HTTPS (port 443) traffic to the same target group.
Coming to your question. It seems like you are having difficulty in connecting to the ALB on port 443 (HTTPS). If your application is working as expected on port 80 (HTTP) follow this checklist to zero down on your problem:
Make sure that the security group of the ALB allows port 443 to your users or to the world
Check if the ALB has a listener configured on port 443. Read more about this in the docs here
Check if this listener points to the application target group.
As a last step, if you are using a domain name, make sure that it is pointing to the ALB and not the origin servers (EC2 in this case)
If you would like to get better understanding of how the request flows from the users instance to your application server, I've answered a simmilar question here.
I am running a Gatsby site in development mode as a dev server on EC2 with a loadbalancer pointing from port 80 to 8000. I have setup a cname on my domain dns to point to the load balancer this works fine. However I need to display this page as an iframe in sanity.io as a web preview and it requires https.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straight forward for the most part.
What I have done so far is created a listener for 443 https on the loadbalancer and added https 443 to the security group. i have succsufully issued a certificate to the subdomain I am using with aws and attached it to the loadbalancer listener.
Gatsby has a article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass this command below
Where in the aws certificate manager do I find these files. I think that is the last piece I need to get https working, correct me if I am wrong.
thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certficate and it says it's issued
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom https command with gatsby?
There is a export option but it says only for private keys. Do I need to create a private key and then I can export these files I need?
Do I even need to run https on gatsby's side. I watched a video using apache and no change was made to the apache server to get https working with the loadbalancer.
Here is a screenshot of my loadbalancer listenr
Here is a image of my security groups
If I run the --https for gatsby develop it breaks my site I can no longer visit it via the loadbalancer or port 8000. So not sure what to do here.
I would suggest not to encrypt the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer instead, it is best practice to terminate the SSL connection on the load balancer. No need to encrypt HTTP requests inside an AWS VPC (i.e. between ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: Use the same instance protocol for your targets as before: HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service. Use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x
I deployed my application in AWS ec2 instance and it is working well with instances's IP address. Instead of using IP address I bought a domain from godaddy and connected to my ec2 instance with load balancer and target group. And also generated a SSL certificate for https. Now my domain http://example.com is working fine but while I changed http to https it is working with port number like https://example.com:5005
How can I remove that port number in url? Do I need to add anything in target group or load balancer?? Can someone help me to resolve this.
thanks in advance!
If you don't provide the port number in the URL , the standard port for the protocol is used, which in your case will be 443 for https.
You need to create a standard HTTPS listener on your load balancer, which can forward the traffic recevied on 443 to your instance(s) port 5005 as part of the target group.
I have an api running in a EC2 instance in AWS in certain port (ej 8000). I have register a domain in bluehost provider.
Currently my app is pointing to the IP that offer the EC2 instance, but I want to change to the domain in order to use like api.mydomain.com:8000.
I tried to create a configuration in the DNS zone of panel control in the bluehost account, but it does not work, I think the DNS type I have to use is the 'SRV record', but I tried some configuration but the cpanel dont take it.
How I can make that the request to 'api.mydomain.com:8000' redirect to the EC2 instance's IP and the configurated port?. Thank you
You can use a normal A record for api.mydomain.com and point that to your instances IP address. You don't include the port anywhere in the DNS configuration.
If it was a website that was on port 8000 you would type api.mydomain.com:8000 in your browser url.
Make sure that your instances security group is open on port 8000, and that your instance is listening on port 8000.
When you say "it didn't work", what do you mean? Where was there a failure?
Normally you would create an 'A'record to point a domain name to a IP address, not a 'SRV' record.
I have a registered domain, let's say example.com, and 3 different services running at AWS:
Static web application, currently hosted at Amazon S3; port 80
TCP service, hosted in an EC2 instance; port 3333
TCP service, hosted in another EC2 instance; port 4444
All 3 services should be accessible - if possible - from the Internet by using the same hostname but different ports, i.e.
www.example.com:80 --> S3 web app
www.example.com:3333 ---> EC2 instance 1
www.example.com:4444 ---> EC2 instance 2
First question is: Is this possible at all? Or should I rather use different host names like www.example.com, service1.example.com...?
If it is possible, how would it be set up and which AWS services can I use? I am still pretty new to AWS and read about (Elastic) Load Balancer, CloudFront, Route 53 but I still don't get how I could achieve my goal.
Without any further AWS service it seems to be impossible to configure a DNS entry to point to the S3 bucket, as this doesn't have a static IP address.
Any hints for a quick solution would be appreciated, as this setup is for a demo only. There won't be many users accessing the services, so from this perspective, a load balancer is not necessary and it's also not necessary for the setup to scale up at the moment.
Is this possible at all?
Answer is Yes.
You could have a proxy server setup to proxy the traffic according to your needs:
Setup a DNS record for www.example.com which resolves to your proxy
IP (Could be one of those instances you already have).
Configure your proxy (multiple choices nginx, squid etc) to
listen on www.example.com and the given ports and forward the traffic
accordingly to the EC2 server IPs and the S3 website CNAME.
Is it worth it for your use case? No Unless you want to try it as an exercise.
Should I rather use different host names ...? Yes
Just create a hosted zone in Route53 for your domain, and create subdomains for the different services www.example.com, service1.example.com.
First question is: Is this possible at all?
Without super-complex setups, it is only possible for your TCP apps with a type of load balancers called Application Load Balancer. http://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html
With ALB you can create different target groups each of your TCP apps (EC2 instance 1 port 3333 and EC2 instance 2 port 4444), then define custom listeners on the load balancer to route port 3333 to the first target group and port 4444 to the second target group.
But ALB is unable to route to S3 or CloudFront distribution.