I made a AWS Load Balancer for a simple ECS fargate server (with flask). Because the server will be used as my main server's api, and because the main server use 'https', I have to use https on my Load Balancer's url.
But when I want to make SSL certificate using ACM, I can't verify the URL of Load Balancer is mine because the load balancer has any information (I think).
If I add my email info on the url(or Load Balancer), I can do this, but I have no idea..
Until now, I thought using AWS Route 53 can help me, but I don't know what I have to do.
What Can I do for this problem?
To use ACM you need to have control of the domain you're attempting to validate, as the load balancer URL is owned by Amazon (not yourself), only an Amazon employee with domain control is capable of performing the actions to validate the domain.
Instead you would need to generate an ACM certificate for your own domain which you can validate, you would then need to add a DNS record resolving the domain to the CNAME of the load balancer. When you access in the browser you would need to access from that domain and not the load balancers.
Related
I have setup a GCP load balancer following the steps as displayed on https://cloud.google.com/load-balancing/docs/https/ext-http-lb-tf-module-examples#with_a_backend . I have create an A record at my dns provider and I am succesfully able to reach my service through the domain name. I have also created a http to https redirecting load balancer, which only redirects when visiting the domain name.
However my problem is that I can also still directly access my load balancers ip adress over http, which in turn redirects to my backend service thus allowing insecure access to my service. I am not sure what steps there are to debug my configurations or if anyone has experienced something similar.
The simplest method is to redirect HTTP to HTTPS at your backend. That method provides you with more options and control.
Tip: if the client arrives at an IP address, you most likely want to discard that traffic. That traffic is typically hackers, trolls, etc.
You can also set up a redirect in the load balancer:
Set up an HTTP-to-HTTPS redirect for global external HTTP(S) load balancer
I want to have a subdomain (api.mysite.com) which makes calls to an EC2 classic load balancer (load-balancer-123456789.us-east-2.elb.amazonaws.com). Everything is hosted on AWS, to (theoretically) make it as straightforward as possible.
I created a domain and subdomain in AWS Route 53, as per the instructions here, and created an "A" record in the subdomain that links to my load balancer as an alias. That works fine, I can make calls to the load balancer through api.mysite.com, as long as I use HTTP.
But when I try to use HTTPS, I get ERR_SSL_PROTOCOL_ERROR. If I try to open the API in a browser, the security icon says that it's "not secure". I think the problem might be that the certificate is connected to the main domain (mysite.com) instead of the subdomain (api.mysite.com), but I can't figure out how to get it to resolve properly.
This SSL checking site shows the EC2 server itself (the one that the load balancer points to) and reports "Certificate not valid for domain name". It's an Ubuntu server, though I'm not sure if that should matter.
The SSL certificate needs to specify the subdomain as well as the main domain. The easiest way to do this is through AWS's Certificate Manager, by requesting a new certificate.
Make sure to specify each relevant domain and subdomain in the certificate (in this case, both mysite.com and api.mysite.com.)
After creating the certificate, go to the Load Balancer, open up the Listeners tab, and select the HTTPS port. Then, change the SSL certificate for that port to the certificate that includes the relevant subdomain. If you use AWS Certificate Manager, it can be selected from the dropdown menu.
I have a backend service i'm running in Fargate. I need this service to have an SSL cert on its load balancer so that it can talk to other HTTPS services. I've created the load balancer and it gives me an AWS domain (my-cool-app.us-east-1.elb.amazonaws.com).
Now, when I try to request a certificate through acm, it fails and says "Additional verification required". So i'm not sure if it's possible to add an SSL cert to this load balancer without registering a custom domain?
Also, this is a Django app and I haven't done anything other than keep it as runserver which I know isn't good for production but I just need to start by making it work as a dev environment. Do I need to change the way Django runs in order for SSL to work? Or is the load balancer sufficient?
To use an SSL for a domain you need to have control over that domain. For the AWS managed certificate service (ACM) you can verify through either DNS validation or email validation both of which you must essentially have domain control to validate.
As you're trying to use ACM for a AWS owned domain, someone from AWS would need to approve the SSL (which they won't).
Regarding your second point what you're describing is SSL offloading, in which the load balancer will serve HTTPS and then terminate encryption in transit. It will then forward the request to the Fargate container using the protocol and port defined in the target group.
The only thing you want to consider is how you display to the user, for example ensure that all CSS, JS ans links on your site are HTTPS. You can detect whether the incoming request used HTTPS at the load balancer by inspecting the X-Forwarded-Proto header in your application.
I am trying to setup HTTPS for my EC2 instance created from Elastic Beanstalk using a certificate from AWS's ACM.
According to this article https://colintoh.com/blog/configure-ssl-for-aws-elastic-beanstalk, I need to go to EC2 panel/load balancer and add a new listener rule.
My problem is that for the HTTPS load balancer protocol, when I try to add SSL Certificate, and click "Choose a certificate from ACM (recommended)", there's no ACM certificate available for me.
I know that I will have to request for a new Certificate for this load balancer address, but WHICH VERIFICATION METHOD SHOULD I USE?
As far as I know, there are 2 ways to verify your domain ownership(Email or DNS). I guess email is not an option here because you cannot send an email to a "elb.amazonaws.com" address. But I'm not sure how to verify certificate request by DNS.
And also, I tried to past the load balancer address xxx.xxx.elb.amazonaws.com into ACM to request a certificate for this address, but it says "invalid domain name"
And also, if I were to add custom domain name for my load balancer (for example, create a alias of api.example.com for the load balancer), how can I set up https for that custom domain of api.example.com?
Thanks a lot!
Problem solved. Need to request certificate in the same region as load balancer.
And then point the custom domain(the one used to request for certificate) to load balancer using route 53
I am attempting to add HTTPS to my AWS Elastic Load Balancer.
I obtained a certificate through AWS Certificate Manager:
I have enabled HTTPS on the load balancer:
I made sure the security group for the load balancer accepts 0.0.0.0/0 on 443:
When going to my domain on HTTP, it works.
However, when trying to load my domain with HTTPS, it does not work ("ERR_CONNECTION_TIMED_OUT")
EDIT and UPDATE:
It is the API that I am attempting to get HTTPS working for, not necessarily the domain. The domain serve's a static file (angular web app) from S3, and it is angular that is calling the load balancer (to transfer the request to an EC2 instance) for DB data.
When angular calls the api directly via the load balancer domain name over HTTP, the request responds as expected.
When angular makes the same api call over HTTPS, I get the following error:
You enabled HTTPS for your domain name, not the ELB domain which Amazon owns. You can only create SSL certificates for domains that you own. You can't enable SSL for "mydomain.com" and then excpect that to somehow work on a completely different domain. You need to change your AngularJS code to reference the API by your custom domain name which you have created an SSL certificate for. You need to point the domain to the ELB and install the SSL certificate for the domain on the ELB.
Mark B provided the almost full solution.
As my javascript code is calling the elastic load balancer (ELB) via it's DNS name provided by AWS, I can't obtain an SSL certificate for the domain I don't own.
As Mark B pointed out, I need to point my javascript code to the domain I do own, and have an SSL cert for.
So I can create a sub domain (e.g. api.mydomain.com) of the domain I own that then points to the ELB.
An A Record (e.g domain pointing to an IP) looks like it could fit the need.
However, an A Record can't point to the ELB because it's IP could change.
The missing step was to use AWS Route 53 to point the A Record to an alias (Route 53 allows you to do this) that represented my AWS Elastic Load Balancer.