Gatsby site serving on EC2 with pm2 node with aws classic load balancer needs https - amazon-web-services

I am running a Gatsby site in development mode as a dev server on EC2 with a load balancer pointing from port 80 to 8000. I have set up a CNAME on my domain DNS to point to the load balancer; this works fine. However, I need to display this page as an iframe in sanity.io as a web preview, and it requires HTTPS.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straightforward for the most part.
What I have done so far is created a listener for 443 HTTPS on the load balancer and added HTTPS 443 to the security group. I have successfully issued a certificate to the subdomain I am using with AWS and attached it to the load balancer listener.
Gatsby has an article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass the command below.
Where in the AWS Certificate Manager do I find these files? I think that is the last piece I need to get HTTPS working; correct me if I am wrong.
Thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certificate, and it says it's issued:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom HTTPS command with Gatsby?
There is an export option, but it says only for private keys. Do I need to create a private key, and then can I export these files I need?
Do I even need to run HTTPS on Gatsby's side? I watched a video using Apache, and no change was made to the Apache server to get HTTPS working with the load balancer.
Here is a screenshot of my load balancer listener.
Here is an image of my security groups.
If I run --https for gatsby develop it breaks my site; I can no longer visit it via the load balancer or port 8000. So I'm not sure what to do here.

I would suggest not encrypting the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer instead, it is best practice to terminate the SSL connection on the load balancer. No need to encrypt HTTP requests inside an AWS VPC (i.e. between ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: Use the same instance protocol for your targets as before: HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service. Use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x

Related

Modifying nginx config file on EC2 for use with AWS Load Balancer, Certificate Manager (SSL / HTTPS)

I have an application running on an AWS EC2 instance, port 8501. I cannot change the port for multiple reasons. I set up a reverse proxy with nginx using this YT tutorial to redirect http://[domain].com to port 8501.
That works fine.
I obtained an SSL certificate from AWS Certificate Manager and have since learned that AWS certificates only work with certain AWS services: here, here, and here. However, none of those Stack Overflow links (or the AWS instruction pages linked therein) actually described how to connect the HTTPS request to the Application Load Balancer to the EC2 instance as set forth by my nginx reverse proxy above.
That is, I've more or less followed this YT tutorial to set up a load balancer and attach the SSL certificate obtained from AWS Certificate Manager, but when I type https://[domain].com, I receive a "site can't be reached" error. http://[domain].com still works.
I've tried both HTTP:80 and HTTPS:443 for the Protocol:Port in my Target Group required by AWS Load Balancer. What more do I need to do?
EDIT: added images with ALB settings, etc:
load balancer listeners
target group overview
nginx config settings

How do you set up HTTPS (SSL) on a Flask application running in an EC2 instance with AWS ALB (Application Load Balancing)

So I have a Flask web application. I need this to be HTTPS only. So I'm pretty lost here:
Application Load Balancer -> Target Group -> EC2 Instance (:443) -> ??? -> Flask
So originally I had the following in my http stack:
nginx -> gunicorn -> Flask
That worked for HTTP. And it makes sense how to set up a target group to point to the exposed port of nginx in HTTP. You just provide the port. Easy.
However, where I am completely lost is when you add HTTPS into the equation. You have AWS provide you with the certificate itself through ACM (AWS Certificate Manager). However, very specifically, AWS Certificate Manager does not allow the created certificates to be exported. So you cannot provide nginx with the certificate, but to use HTTPS (443) on nginx you have to provide the ssl_certificate.crt in the server block itself...
So from reading it seems like you don't need nginx... do I need gunicorn? Do I just run Flask? If so, how does it 'expose' port :443?
I am truly at a loss as to how to connect Flask to the target group. Can anyone point me in the correct direction? I've exhausted all googling options.
Your confusion is in thinking you need SSL between the load balancer and the Flask application. You can terminate SSL at the load balancer. This will provide SSL between any clients like web browsers and your AWS infrastructure, and you will only have non-SSL traffic inside your virtual private network, between the load balancer and the EC2 instance.
Create the SSL certificate in AWS ACM, and attach it to a listener on the Application Load Balancer. Have both listeners in your load balancer (the port 80 listener without SSL, and the port 443 listener with SSL) forward to the target group. Have the target group connect to your EC2 instance over port 80, or 8080 or 5000 or whatever port you have Flask running on. I think Flask defaults to port 5000?
If you are under some sort of requirement for end-to-end encryption that requires you to set up SSL between the load balancer and the EC2 instance, like some regulatory requirements, then you would need to go back to using Nginx and either purchase an SSL certificate somewhere, or set up a free Let's Encrypt certificate that you could use with Nginx.
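Both the ELB answer above (443 listener forwarding to HTTP 8000) and this ALB answer leave the application seeing only plain HTTP, so the app has to read the client's original scheme from the X-Forwarded-Proto header the load balancer adds. The following is an added example, not code from any of the posts: a plain WSGI middleware (standing in for Flask/Gatsby/Node so it runs with no extra packages) that redirects edge-HTTP requests to HTTPS, adds HSTS on edge-HTTPS responses, and leaves the target group's health check alone. The host name, health check path and port are assumptions.

```python
CANONICAL_HOST = "example.com"   # assumed: the name whose A/CNAME record points at the LB
HEALTH_CHECK_PATH = "/health"    # assumed: the target group's health check path


def app(environ, start_response):
    """The application itself. It only ever sees plain HTTP from the load balancer."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from behind the load balancer\n"]


def force_https(inner_app, canonical_host=CANONICAL_HOST, health_path=HEALTH_CHECK_PATH):
    """WSGI middleware for an app whose TLS is terminated at an ELB/ALB. The scheme the
    client used is only visible in X-Forwarded-Proto, which the LB sets on each request."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        # Health checks come straight from the LB over HTTP without X-Forwarded-Proto;
        # redirecting them would mark the target unhealthy and the LB would stop routing.
        if path == health_path:
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"ok\n"]
        if environ.get("HTTP_X_FORWARDED_PROTO", "http").lower() != "https":
            # Redirect to the configured host, not the incoming Host header,
            # so the redirect cannot be steered to another domain.
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{canonical_host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Client reached the edge over HTTPS: tell it to keep doing so.
            headers = list(headers) + [("Strict-Transport-Security", "max-age=31536000")]
            return start_response(status, headers, exc_info)
        return inner_app(environ, with_hsts)
    return wrapped


def call(wsgi_app, path, forwarded_proto=None, query=""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "whatever-the-client-sent"}   # constructed request
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Serve `force_https(app)` with any WSGI server on the instance port the target group forwards to (5000 for Flask's default, 8000 for the Gatsby dev server); a `wsgiref.simple_server.make_server` is enough to try it.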

Too many sessions on root Apache Tomcat when migrating to SSL/HTTPS

I was using an EC2 instance on AWS and deployed my app on root through HTTP.
Now I migrated to HTTPS, but the app does not load correctly. I can't see any errors in Chrome developer tools. The only thing I noticed that is different is that there are a lot of connections (350) made to the root, which is where I deployed the app. I suspect it is because of the change to HTTPS. To make my app HTTPS I am using an AWS load balancer and the AWS Certificate Manager. Sorry for my English.
When you add SSL certificates to the Application Load Balancer, the encryption and decryption of the request is taken care of by the ALB. Read more about this here. This means that your app can operate normally and should not be concerned with the request policy.
You can create a target group and point both HTTP (port 80) and HTTPS (port 443) traffic to the same target group.
Coming to your question: it seems like you are having difficulty connecting to the ALB on port 443 (HTTPS). If your application is working as expected on port 80 (HTTP), follow this checklist to narrow down your problem:
Make sure that the security group of the ALB allows port 443 to your users or to the world
Check if the ALB has a listener configured on port 443. Read more about this in the docs here
Check if this listener points to the application target group.
As a last step, if you are using a domain name, make sure that it is pointing to the ALB and not the origin servers (EC2 in this case)
If you would like to get a better understanding of how the request flows from the user's machine to your application server, I've answered a similar question here.

AWS EB Load Balancer SSL Certificate Page Not Loading?

I've created a public SSL certificate through AWS Certificate Manager and installed it on my EB Classic Load Balancer. The certificate was selectable from the load balancer's menu and the Certificate Manager now says it's "in use". So, I assume everything is set up correctly, but when I visit my site using https:// the page won't load. It just says waiting for ... until it ultimately gives up. Is there a time delay for this to enact or is there something more I need to do?
EDIT:
I appreciate the comments thus far, though I'm not sure how to redirect the traffic (kinda new to this). Here is a screenshot of my configuration.
Looks like you need to redirect traffic from 443 (AWS ELB) to your backend service.
The same listener that you have configured for HTTP (port 80) > backend service.
443 (HTTPS) > port
80 (HTTP) > port
Edit:
If you are using security groups, you will have to allow incoming traffic on port 443.

AWS Application Load Balancer HTTP to HTTPS with EC2 instance

I have an EC2 instance running a Node.js server on Ubuntu.
My goals are:
Connect my hosted zone to the EC2 instance
Route all incoming traffic from port 80 to port 3000 (because my server runs on port 3000)
and, most importantly, use an Application Load Balancer to forward all requests to HTTPS (I already created an SSL certificate in the Certificate Manager).
Currently, I am only able to open the website with the EC2 instance's public IP on port 3000 (http://prntscr.com/livali). HTTPS requests or HTTP to port 80 don't work (http://prntscr.com/livau2). Although I made an A record on my hosted zone with the instance's public IP, it's not possible to open the instance via the hosted zone (http://prntscr.com/liv9no).
I am really confused, as I am somehow not able to get this up and running. I would really appreciate a step-by-step guide on how to set this whole thing up.
If you already have an SSL certificate, it is secure to use only port 443 instead of port 80.
Create an internet facing Application Load Balancer that listens on port 443 and routes traffic to your EC2 instance on port 3000.
Redirect users to HTTPS when accessing your domain on HTTP
See Docs > Load Balancer Listeners > Redirect Actions
Add an A record to point your domain name to the Load Balancer's public DNS.
These are web server concerns rather than DNS concerns. You'll need to set up something like NGINX or Apache to proxy port 80 to port 3000. See Apache redirect to another port for information.
You can also force HTTPS with a rewrite rule in Apache: https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
Another option for forcing HTTPS is to create a CloudFront distribution and use that. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html