I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching
Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will mantain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
Or you can set up your certificate at EC2 instance directly. Here is how to do this with Nginx for example https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2
Related
So, I'm working on a hackathon project right now, and for the demo, I've spun up a NodeJS Express server on an EC2 via Elastic Beanstalk. When testing the server's API with our front-end locally, it worked perfectly fine.
Now we've deployed our front-end to AWS Amplify, setup a domain name in Route53, and hooked everything up. When we go to the domain, our front-end looks great, but when we try using the functionality that would connect to our server's API, we get a net::ERR_SSL_PROTOCOL_ERROR.
Doing some research, it looks like(?) that we have to setup a certificate on the Classic Load Balancer that's in front of the EC2. So I requested a certificate, and created a listener on the Load Balancer as follows:
Load Balancer Protocol
Load Balancer Port
Instance Protocol
Instance Port
HTTPS
443
HTTPS
3000
But now I realize that if setup this way, I still have no idea how to point the React Frontend's API calls to the Load Balancer instead of the EC2, or whether the listener is setup correctly. Would anyone have an idea of what steps we should take here?
For the details of the app, the backend is a pretty straightforward Express App with CORS enabled, and the frontend is a fairly standard React project, nothing special about either of them.
Instance Protocol should be HTTP. So your setup uses HTTPS only between client and CLB:
Client--- (HTTPS) ---> CLB --- (HTTP) ---> EC2
Also for properly setup HTTPS, you need to use your own domain. You can't use default domain provided by EB for your application.
Context: Right now I have an Angular static site setup on S3, a domain registered through Route53, and SSL through Cloudfront. I have an express backend on Elastic Beanstalk that I want to interface with using https. The EB app has a load balancer and nginx proxy by default.
Possible Solutions:
Assign my load balancer a SSL certificate but it seems I can only do this with a custom domain at least through the AWS certificate manager. It does give me the option to use the certificate I generated from the frontend but I'm not sure if that is a good idea.
Add an origin on my cloudfront that points to my EB express app. I'm not sure if this is secure or even possible. The idea is that I could make API calls from www.myapp.org (s3 hosted) to www.myapp.org/api (EB hosted).
Get a new custom domain and give that an ssl certificate and point it to my EB app?
If there are any other options, I would be happy to hear about them.
I have a VueJS front-end application running on S3 being served as a static website.
I have a NodeJS (behind an nginx reverse proxy, plus a few other services) backend application running on an EC2 instance that the VueJS app talks to (over http currently).
I have a domain successfully pointed at the VueJS app (S3 bucket) with the configured SSL certificates using Route53 / CloudFront / ACM.
However, now the VueJS app will not communicate with the EC2 instance backend as it is still using HTTP which is now not allowed.
So what is the best way to configure this? I can't run certbot on the ec2 instance and generate an SSL certificate for my domain as there are certificates already being used for the S3 bucket.
Should I just create a self-signed certificate?
Can I create another certificate for a subdomain perhaps (api.example.com say) and set up DNS record for that to point to my EC2 instance IP address?
How is this usually done, what is best practice?
So a self-sign cert wont work, it wont pass validation as there is no known CA behind it ( Certificate authority) I mean you can install it but the browser is going to complain..
Im not sure I understand why you cant use certbot.. s3 / ec2 are two seperate services so I'm a bit confused here?
You can use letencrypt to generate a cert for the server and have it installed as well but if you have clusters you may be better served by installing it on the actual ALB, however this does not ensure end-to-end if the cert is not installed on all backend systems, (that would require installing the cert on all systems in the cluster) You requirements will dictate this really.
If you are unable to generate a cert with letsencrypt you can get an SSL from ssls.com and just installed the PEM or CRT on the server / load balancer too though.
Usually you create some subdomain like you said for your api and create a certificate for that subdomain. On AWS in particular, you can use an elastic load balancer and use ACM /Route53 with that for ease of certificate management, but that does carry costs of the load balancer.
Alternative is to just put an API gateway in front of your EC2 instance as a reverse proxy, which will carry some costs, but maybe not as much depending on traffic volume.
We have an internal facing application load balancer in AWS VPC. This is being accessed by a web app running in a public subnet. The web app is behind a custom domain url and it uses SSL certificate for security.Since, the API load balancer is not applied with SSL, communication from web app to API LB is failing.
Is it possible to get a SSL certificate for an internal facing load balancer in AWS?
Yes this is entirely possible using the AWS ACM service, there are two options, you can use Amazon's public service to generate certs but I assume that is not what you want to do here. So you can alternatively create a Private CA through this service and distribute your certificates from there which can then be placed on Loadbalancers etc. You will most likely want to look at these pages:
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
https://aws.amazon.com/certificate-manager/
Have a read first before diving right in but it's a pretty nifty feature for this sort of thing, once the CA is setup then creating certs is so fast and instantly attachable to resources.
How to restrict access to Elastic Beanstalk that it can process requests only from API Gateway?
From API Gateway's point of view it is quite simple:
Generate simple Client Certificate (via API Gateway dashboard),
Backend validates Certificate on every request.
(A) But how should I validate this Client-Side Cert. on my Elastic Beanstalk (EB) in multidocker configuration with NGINX?
I've read that Elastic Load Balancer (ELB) (the component of EB) cannot validate it. I have to validate it using NGINX running as Docker container on EC2 behind ELB.
(B) What should I set up on Elastic Load Balancers of EB (ports configuration: HTTP(S) / TCP)? Have I buy a verified SSL certificate that my Elastic Beanstalk could to use 443 port?
(C) What should I set up on my EC2 instance? (Besides NGINX - I believe that I know how to setup nginx.conf)
(D) Are there some downsides of using TCP instead of HTTP in ELB?
I've read some articles and other SO posts about this problem, but currently I feel confused about this topic. Any clarification will be very helpful!
You are correct in that you will need to validate the certificate on your server hosts. The specific configuration will vary depending on your setup, but should be pretty straightforward - I suggest you consult NGINX documentation for that.
In order to validate the certificate on your hosts, you will need to configure your ELB to use TCP load balancing. Pleases see the ELB docs on the differences between HTTP and TCP load balancing.