I was using an EC2 instance of AWS and deploy my app on root through HTTP.
Now I migrated to HTTPs but the app does not load correctly. But I cant see any errors on chrome developers tools. The only thing I noticed different is that there is a lot of connections (350) made to the root that is where I deployed the app. I suspect is because the change of https. To made my app HTTPs I am using a load balancer of AWS and the aws certificate manager. Sorry for my english.
Image 1
when you add SSL certificates to the Application Load Balancer, the encryption and decryption of the request is taken care of by the ALB. Read more about this here. This means that your app can operate normally and should not be concerned with the request policy.
You can create a target group and point both HTTP (port 80) and HTTPS (port 443) traffic to the same target group.
Coming to your question. It seems like you are having difficulty in connecting to the ALB on port 443 (HTTPS). If your application is working as expected on port 80 (HTTP) follow this checklist to zero down on your problem:
Make sure that the security group of the ALB allows port 443 to your users or to the world
Check if the ALB has a listener configured on port 443. Read more about this in the docs here
Check if this listener points to the application target group.
As a last step, if you are using a domain name, make sure that it is pointing to the ALB and not the origin servers (EC2 in this case)
If you would like to get better understanding of how the request flows from the users instance to your application server, I've answered a simmilar question here.
Related
So I have a flask web application. I need to have this be HTTPS only. So I'm pretty lost here:
Application Load Balancer -> Target Group -> EC2 Instance (:443) -> ??? -> Flask
So originally I had the following in my http stack:
nginx -> gunicorn -> Flask
That worked for http. And it makes sense how to set up a target group to point to the exposed port of nginx in http. You just provide the port. easy.
However where I am completely lost is when you add HTTPS into the equation. You have AWS provide you with the certificate itself through ACM (Aws certificate manager). However, very specifically AWS Certificate Manager does not allow the created certificates to be exported. So you cannot provide nginx with the certificate, but to use https (443) on nginx you have to provide the ssl_certificate.crt on the server block itself...
So from reading it seems like you don't need nginx... do I need gunicorn? Do I just run flask? If so how does it 'expose' port :443?
I am truly at a loss at how to connect Flask to the target group. Can any one point me to the correct directon? I've exhausted all googling options.
Your confusion is in thinking you need SSL between the load balancer and the Flask application. You can terminate SSL at the load balancer. This will provide SSL between any clients like web browsers and your AWS infrastructure, and you will only have non-SSL traffic inside your virtual private network, between the load balancer and the EC2 instance.
Create the SSL certificate in AWS ACM, and attach it to a listener on the Application Load Balancer. Have both listeners in your load balancer (the port 80 listener without SSL, and the port 443 listener with SSL) forward to the target group. Have the target group connect to your EC2 instance over port 80, or 8080 or 5000 or whatever port you have Flask running on. I think Flask defaults to port 5000?
If you are under some sort of requirements for end-to-end encryption that requires you to setup SSL between the load balancer and the EC2 instance, like some regulatory requirements, then you would need to go back to using Nginx and either purchase an SSL certificate somewhere, or setup a free Let's Encrypt certificate, that you could use with Nginx.
I am trying to point CloudFront for my ec2 machine.
under origin, I am giving the public DNS name of the ec2 :(e.g. ec2-52-64-xxx-xxx.ap-southeast-2.compute.amazonaws.com)"
But I am getting this error:
I have opened 443 port also open on my ec2.
How can I solve this error?
Based on the chat discussion.
The application on the instance works over HTTP and port 80. It does not server HTTPS traffic in itself. So if you want to use the current setup with CF, you need to allow port 80 (not 443) and in CF using HTTP for origin protocol (not HTTPS). The way this works is that HTTPS and SSL will be only between client and CF, not between CF and your instance:
client----(HTTPS:443)--->CF----(HTTP:80)---->EC2 instance
As you can see above, there is a security issue. All traffic between CF and your instance will be in pain text over the internet. To rectify this, you need to add HTTPS to your instance. There are two ways for that:
Add load balancer in-front of your instance, and deploy custom domain on it with SSL from ACM and HTTPS listener. So the traffic will be:
client----(HTTPS:443)--->CF----(HTTPS:443)---->ALB---(private HTTP:80)--->EC2 instance
Setup SSL on your instance directly. For this you can't use ACM (except when your instance is enclave). Instead, you have to use third-party SSL provider. Common choice is https://letsencrypt.org/. Then you setup your Apache with the SSL certificate to serve HTTPS traffic. Subsequently, you will have:
client----(HTTPS:443)--->CF----(HTTPS:443)---->EC2 instance
Recently, I purchases a domain from google domains namely, neurocognition.app. I initialized an EC2 instance from AWS (Free tier), got an elastic IP. added the A record, with the same elastic IP at the google website. Its been over 2 weeks but the site still won't work
What could be the possible reason? Do I have to setup my instance in a separate manner for HSTS domains. ???
So, looking at the dns: https://www.whatsmydns.net/#A/neurocognition.app your domain points to 65.0.156.79 which responds on http, but not https.
http://neurocognition.app redirects to https://neurocognition.app
this could mean one of the following:
your security group does not have port 443 open
your web server does not accept connections on port 443
Network Access Control Layer have been modified to block port 443
I would focus on the first two, which are most likely the issue here.
Check your security group, whether it has https port added in route.
I am running a Gatsby site in development mode as a dev server on EC2 with a loadbalancer pointing from port 80 to 8000. I have setup a cname on my domain dns to point to the load balancer this works fine. However I need to display this page as an iframe in sanity.io as a web preview and it requires https.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straight forward for the most part.
What I have done so far is created a listener for 443 https on the loadbalancer and added https 443 to the security group. i have succsufully issued a certificate to the subdomain I am using with aws and attached it to the loadbalancer listener.
Gatsby has a article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass this command below
Where in the aws certificate manager do I find these files. I think that is the last piece I need to get https working, correct me if I am wrong.
thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certficate and it says it's issued
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom https command with gatsby?
There is a export option but it says only for private keys. Do I need to create a private key and then I can export these files I need?
Do I even need to run https on gatsby's side. I watched a video using apache and no change was made to the apache server to get https working with the loadbalancer.
Here is a screenshot of my loadbalancer listenr
Here is a image of my security groups
If I run the --https for gatsby develop it breaks my site I can no longer visit it via the loadbalancer or port 8000. So not sure what to do here.
I would suggest not to encrypt the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer instead, it is best practice to terminate the SSL connection on the load balancer. No need to encrypt HTTP requests inside an AWS VPC (i.e. between ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: Use the same instance protocol for your targets as before: HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service. Use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x
I've created a public SSL certificate through AWS Certificate Manager and installed it on my EB Classic Load Balancer. The certificate was selectable from the load balancer's menu and the Certificate Manager now says it's "in use". So, I assume everything is set up correctly, but when I visit my site using https:// the page won't load. It just says waiting for ... until it ultimately gives up. Is there a time delay for this to enact or is there something more I need to do?
EDIT:
I appreciate the comments thus far, though I'm not sure how to redirect the traffic (kinda new to this). Here is a screenshot of my configuration.
Looks like you need to redirect traffic from 443 (AWS ELB) to your backend service.
The same listener that you have configured for http (port 80) > backend service.
443(https) > port
80(http) > port
Edit:
If you are using security groups, you will have to allow incoming traffic on port 443.