I have a backend service i'm running in Fargate. I need this service to have an SSL cert on its load balancer so that it can talk to other HTTPS services. I've created the load balancer and it gives me an AWS domain (my-cool-app.us-east-1.elb.amazonaws.com).
Now, when I try to request a certificate through acm, it fails and says "Additional verification required". So i'm not sure if it's possible to add an SSL cert to this load balancer without registering a custom domain?
Also, this is a Django app and I haven't done anything other than keep it as runserver which I know isn't good for production but I just need to start by making it work as a dev environment. Do I need to change the way Django runs in order for SSL to work? Or is the load balancer sufficient?
To use an SSL for a domain you need to have control over that domain. For the AWS managed certificate service (ACM) you can verify through either DNS validation or email validation both of which you must essentially have domain control to validate.
As you're trying to use ACM for a AWS owned domain, someone from AWS would need to approve the SSL (which they won't).
Regarding your second point what you're describing is SSL offloading, in which the load balancer will serve HTTPS and then terminate encryption in transit. It will then forward the request to the Fargate container using the protocol and port defined in the target group.
The only thing you want to consider is how you display to the user, for example ensure that all CSS, JS ans links on your site are HTTPS. You can detect whether the incoming request used HTTPS at the load balancer by inspecting the X-Forwarded-Proto header in your application.
Related
I have a EC2 server that serves the backend using HTTP to the S3 bucket Frontend and that works fine when I use the S3 address to run the app. However, after I deploy to the Cloudfront, I get the following error:
Mixed Content: The page at 'https://d3qxpzawaycmw5.cloudfront.net/#/employees' was loaded over HTTPS, but requested an
insecure resource 'http://ec2-3-86-60-146.compute-1.amazonaws.com:3030/api/Employees?'. This request has been blocked;
the content must be served over HTTPS.
This informs that the BE must be served using the HTTPS. If I can't change anything for the BE, is there any solution to use the Cloudfront?
Thanks.
You don't need to change anything in the instance if you don't want. The easiest way to get HTTPS for your instance, is to front it with Load Balancer as explained in:
How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?
But for this, and any other method, you need your own domain, as you need a valid public SSL certificate for it. If you use load balancer, you can easily get free SSL cert from AWS ACM.
But if ALB is to much for you, then you need to deploy SSL on the instance. This still requires your own domain, but you can't use ACM. Instead you can get free SSL certificate from https://letsencrypt.org/.
Put http:// at the front of cloudfront domain name
This happens when you try to open the application with https but trying to connect the backend with http.
Installing/configuring SSL certificate for backend solves this problem.
If you want to use without SSL in cloudfront use HTTP and HTTPS like this
I bought a domain named studileih.de, then I deployed my Angular frontend on firebase: https://studileih-ceb70.web.app/ and redirected from my domain studileih.de to the firebase URL.
Then I deployed my Spring Boot backend to AWS Elastic Beanstalk on: http://studileih1.eu-central-1.elasticbeanstalk.com/
-> Problem: Since the frontend on firebase used https and the backend on AWS used http I got a Mixed content error. The frontend wasn't able to load any of the backend data.
So I tried to solve this by creating a SSL certificate for my backend in the AWS Certificate Manager (ACM) and adding this to my Elasting Beanstalk Load Balancer. This worked and I could now at least make a connection from my frontend to my backend.
But now I get this error whenever a request to my backend gets sent:
When I click on "Accept the Risk and Continue" once, it works fine and all my backend data gets loaded. But I can't ask my users to do that.
(You can try this out by following: https://studileih1.eu-central-1.elasticbeanstalk.com/products and clicking "Advanced" -> "Accept the Risk and Continue" (if you dare ^^)
after you've done that, click on studileih.de and it will now load with the backend data.)
I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
But when I try to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com:
I get this error from ACM:
How do I create a SSL Certificate for the Elastic Beanstalk URL?
p.s. I also tried to issue a certificate for my firebase URL https://studileih-ceb70.web.app/ but this one already uses Https by default. Also I couldnt find out how to DNS/Email validate the ACM request in the firebase console. But I think I need a certificate for the Elastic Beanstalk backend at studileih1.eu-central-1.elasticbeanstalk.com, not for the firebase frontend, right?
p.p.s. I don't really need to use https, so a solution would be to make firebase use http instead of https, but I couldn't find anything on how to do that.
UPDATE:
I added a subdomain called api.studileih.de (the immediate access is blocked by spring security, as you're not logged in to my site, but you can test it with api.studileih.de/products, because this API is accessibly without login). Then I redirected that subdomain to my AWS Load Balancer as suggested by Mark B by adding a CNAME to the subdomain:
(it's not possible to change to english there, sorry)
this is my Load Balancer:
I tried to put the DNS-Name as A-Record into my subdomain, but it was only possible to enter a IP4 adress there, so I entered it as CNAME instead. I also tried to find out the IP Adress of the Load Balancer, but Load Balancer don't have a static IP Adress.
This approach with the subdomain and the CNAME unfortunately didn't work, so I'm still looking for a solution...
(Here's the menu for setting a A-Record. You can only enter IP Adresses there:)
I know the problem exists because when creating the SSL certificate, I
entered studileih.de as the domain that the certificate is for. I
think I have to create a SSL certificate for
studileih1.eu-central-1.elasticbeanstalk.com instead.
You can only create an SSL certificate for a domain you own. You need to point a subdoomain of studileih.de, like api.studileih.de, at the Elastic Beanstalk load balancer, and then attach an SSL certificate to that load balancer that matches that subdomain.
Background
I am trying to deploy a dummy application with React frontend and Django backend interacting via REST api. I have done the following:
Use a S3 bucket to host static website and deploy my react code to it
Put Cloudfront for S3 bucket - set up certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off Elastic Beanstalk environment following the python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access django admin site using the path of elastic beanstalk and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this faq and updated configuration in load balancer that accepts 443 https and redirects to 80 http. But I am using same certificate as from CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default EB url will HTTP only. To use HTTPS you need to deploy SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associated an SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from godaday). So in this case you can setup a subdomain (e.g. api.my-domian.com) on godady. Then you can use AWS ACM to register a free public SSL certificate for api.my-domian.com.
Once the certificate is verified, using either DNS (easier) or email technique, you deploy it on your ALB using HTTPs listener. Obviously you will need to point api.my-domian.com to the EB's https url. You can also redirect on your ALB http traffic from port 80 to 443 to always use https.
Then in your front-end application you only use https://api.my-domian.com, not the original EB url.
There can be also CORS issues alongside this, so have to be vary of them as well.
What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM(AWS Certificate Manager) supports the AWS resources like ELB, Cloudfront, API Gateway etc. You can add SSL certificates to these
resources via AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances, you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is setup, you can change your apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"
Greeting
I have created the Certificate through Certificate Manager in AWS, the free one. And successfully verified as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued and Is Used? shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but the SSL does not work with my domain name. When I type "mydomain.com" with or without prefix http://, it works, but when I type "mydomain.com" with https:// prefix, it does not work
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes about that.
Can anyone share this experience? I really appreciate
Looking forward for the reply and thanks
You do not need to setup SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer listen on HTTPS, but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer which decreases CPU load on your web server.
If you do want to setup SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.