My instance is a single instance, no load balancer.
I cannot seem to add a load balancer to my existing app instance.
Other recommendations regarding Elastic Load Balancer are obsolete - there seems to be no such service in AWS.
I do not need caching or edge delivery - my application is entirely transactional APIs, so probably don't need CloudFront.
I have a domain name and a name server (external to AWS). I have a certificate (generated in Certificate Manager).
How do I enable HTTPS for my Elastic Beanstalk Java application?
CloudFront is the easiest and cheapest way to add SSL termination, because AWS will handle it all for you through its integration with certificate manager.
If you add an ELB, you have to run it 24/7 and it will double the cost of a single instance server.
If you want to support SSL termination on the server itself, you're going to have to do that yourself (using your web container, such as apache, nginx, tomcat or whatever you're running). Its not easy to setup.
Even if you don't need caching, CloudFront is going to be worth it just for handling your certificate (which is as simple as selecting the certificate from a drop-down).
I ended up using CloudFront.
That created a problem that cookies were not being passed through.
I created a custom Caching Policy to allow the cookies, and in doing so, I also changed the caching TTLs to be very low. This served my purposes.
Related
I have a VueJS front-end application running on S3 being served as a static website.
I have a NodeJS (behind an nginx reverse proxy, plus a few other services) backend application running on an EC2 instance that the VueJS app talks to (over http currently).
I have a domain successfully pointed at the VueJS app (S3 bucket) with the configured SSL certificates using Route53 / CloudFront / ACM.
However, now the VueJS app will not communicate with the EC2 instance backend as it is still using HTTP which is now not allowed.
So what is the best way to configure this? I can't run certbot on the ec2 instance and generate an SSL certificate for my domain as there are certificates already being used for the S3 bucket.
Should I just create a self-signed certificate?
Can I create another certificate for a subdomain perhaps (api.example.com say) and set up DNS record for that to point to my EC2 instance IP address?
How is this usually done, what is best practice?
So a self-sign cert wont work, it wont pass validation as there is no known CA behind it ( Certificate authority) I mean you can install it but the browser is going to complain..
Im not sure I understand why you cant use certbot.. s3 / ec2 are two seperate services so I'm a bit confused here?
You can use letencrypt to generate a cert for the server and have it installed as well but if you have clusters you may be better served by installing it on the actual ALB, however this does not ensure end-to-end if the cert is not installed on all backend systems, (that would require installing the cert on all systems in the cluster) You requirements will dictate this really.
If you are unable to generate a cert with letsencrypt you can get an SSL from ssls.com and just installed the PEM or CRT on the server / load balancer too though.
Usually you create some subdomain like you said for your api and create a certificate for that subdomain. On AWS in particular, you can use an elastic load balancer and use ACM /Route53 with that for ease of certificate management, but that does carry costs of the load balancer.
Alternative is to just put an API gateway in front of your EC2 instance as a reverse proxy, which will carry some costs, but maybe not as much depending on traffic volume.
We have AWS EC2 instance where we have hosting of our website and we have domain and SSL from godaddy with cloudflare for cache policy.
Now we want to integrate ssl with our website but we are clueless regarding how to do this process with cloudflare as there are three different service providers like AWS, Godaddy and Cloudflare so it would be great if someone could help us how to deal with that.
The question is too generic (you don't mention what web server, or OS are using), let alone mentioning there are tons of documentation already on how to set up SSL in the most popular web servers: Apache and Nginx. One thing that I suggest, is that, if you are using Elastic Load Balancing, then you can use ACM service to deploy an SSL certificate, and attach it to your load balancer. It's the easiest, and cheapest way to do it.
Here on how to deploy a free SSL certificate managed by AWS, and here on how to attach it to the load balancer.
if you are not using load balancing, or need to implement fully end-to-end encryption, or simply don't want to do it this way, you will probably need to look into how to set up SSL on the web server you are using. An example can be found in https://www.digicert.com/csr-ssl-installation/apache-openssl.htm, but since you didn't specify what OS or webserver you are using, we can't really say much.
I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching
Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will mantain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
Or you can set up your certificate at EC2 instance directly. Here is how to do this with Nginx for example https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2
Setup: Play Framework application deployed on Amazon EC2 instances via ECS, Elastic Load Balancer in front. I want to allow only HTTPS requests for the application.
I found several ways to use HTTPS with Play, but what are the pros and cons, or which one is best practice for a (dockerized) Play app?
Enable HTTPS directly within Play (with -Dhttps.port or https.port in config file).
Set up a front-end web server (e.g. Nginx) and let it handle the HTTP->HTTPS rewrite (example).
Implement a request filter in Play and redirect the requests within the application (as described here).
I'm not so keen to use the first version as I would have to manage the certificates separately on each instance, but I listed it for the sake of completeness.
One advantage I can think of for the third approach must be that the system architecture is simpler than in the second version and requires less configuration. Are there any disadvantages (e.g. performance) to using the third approach?
If you are using a load balancer then you should request a free SSL certificate from the Amazon Certificate Manager service and then attach that certificate to the load balancer.
To enable HTTP to HTTPS redirects you simply need to check the x-forwarded-proto header that the load balancer passes to the server. If it is http return a 301 with https. The article you linked covers this part.
We have a web application that serves both secure and public endpoints. We are currently deploying it with elastic beanstalk.
From now on, we want to apply client certification for secure endpoints. i.e. for some endpoints, certification check is needed.
However, elastic load balancer has not any configuration to assign different ssl certificates for different routes.
The only solution that we found is; setting up nginx instances before the application load balancer and check certificates in here.
Is there a way to achive this on AWS?
Although I have not personally used one yet, I believe the new Application Load Balancers might be able to handle this. You can do different types of listeners depending on the request. So it's definitely worth looking into before you go the nginx route:
https://aws.amazon.com/elasticloadbalancing/
You can test one out by going into your EC2 services panel, and create a new load balancer. Choose the Application Load Balancer type and see if you can configure it as needed.
Authenticating clients with client certificates require all of the SSL to be handled by the instances themselves.
Load balancing such a setup requires either a Classic ELB in TCP mode (transparent, no HTTP interpretation, with SSL not configured on the balancer)... or a Network Load Balancer, which would probably be the optimal configuration since it is handled by the network infrastructure itself, and is essentially infinitely scalable with no warm-up required.
Elastic Beanstalk recently announced support for Network Load Balancer.