I've reviewed the Lightsail load balancer and unlike ACM, you cannot add wildcard SSL's.
For example on ACM, this can done:
example.com
*.example
And then attached to an EC2 Loadbalancer.
But for Lightsail, the wild card is not accepted. When we issue only on the apex domain to the load balancer:
example.com
When we resolve demo.example.com, we get a cert invalid error.
As we don't know ahead of time the sub-domains in use, and the limit of 9 is too few, is there a workaround?
I came up with a solution but I can't say for sure it is the only one.
TL;DR - Use an EC2 Load Balancer and add it's target as your LighSail instance. To this load balancer attach a standard ACM certificate. Don't use the LightSail load balancer at all.
Outline Steps
Launch a load balancer in EC2 and attach your LightSail instance as a target (Remember to use the private IP of your LightSail instance and check your security settings, zone and region prior to set up)
Open ACM and provision your certificate. To protect your entire domain, you will require two entries on this cert i.e. example.com and *.example.com
Validate the certificate (DNS etc) and attach it to the load balancer in EC2.
Related
I have configured the AWS load balancer to secure my website, i.e. to resolve through "https". But when I use(https://www.schoolnskill.com), it gives
503 Service Temporarily Unavailable.
So I have followed the below steps to configure my environment.
I created a domain name in route53 and have been issued with a SSL/TLS certificate through AWS Certificate manager.
For my load balancer I set up listener for https:443 and attached the above certificate with it.
The security group for my ec2 instances allow http and https requests (although I believe the load balancer ec2 target will communicate using http).
I have attached a screenshot with the summary of the configuration.
Then in the ROUTE 53, I edited the 'A' record of 'www.schoolnskill.com'. Below are the changes I made.
Alias:- yes
Alias target:- chosen the application LB
Routing policy:- simple
Then save the settings.
I can see that whenever I type 'http://www.schoolnskill.com', it is redirected as 'https://www.schoolnskill.com'
Health_CHK
Thank you,
The problem was the availability zones. The AZ of my load balancer was different from that of EC2 instance. I matched the AZ of ALB to my EC2, and it worked.
Thank you,
I have a website that I have hosted on an EC2 instance that runs on port 3000. (e.g. 3.27.83.19:3000 - assuming the IP address of the EC2 instance is 3.27.83.19)
I have a domain that I have already bought mydomain.com through AWS that I already see in Hosted Zones.
How can I set-up Route53 so that when someone hits "mydomain.com", it takes them to 3.27.83.19:3000 rather than 3.27.83.19
Thanks!
point domain to instance ip
To point example.com to 3.27.83.19 you simply need to create an A record in route53
point domain to load balancer
To access the website running port 3000 on an EC2 instance through https://example.com, you need a service that accepts traffic on https://example.com and then forward the traffic to the EC2 instance on port 3000. You can easily do it with an AWS application load balancer. I like this approach.
There are many benefits using an application load balancer. The important one is that you can configure the SSL certificate easily. The application load balancer also supports host based routing which allows you to host multiple websites.
If you are looking for less expensive solutions, you can also go for setting up an nginx proxy inside the ec2 instance. I personally don't like this approach because you will need to configure SSL at the application level.
https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/
Hope this helps.
I have installed wordpress site on just 1 EC2 instance which is running on 1AZ (means 1 public subnet). I have bought a domain as well using Route 53. Currently my site is HTTP only which I want to make it HTTPS. I have got SSL certificate from AWS Certificate Manager as well. Using Route 53, currently I have mapped A record IP V4 mapping with my EC2 instance public IP V4 address.
I'm facing issue here in changing my site to HTTPS from current HTTP. Since my site is deployed on just 1 AZ (public subnet), I cannot add Elastic Load Balancer in front of my EC2 instance as it requires minimum 2 public subnets (this is what my understanding is). If my side was deployed on 2 AZs (2 public subnets) then easily I would have configured Application Load Balancer with these 2 subnets and would have used the SSL certificate which is stored in AWS certificate manager but in my case it is just 1 AZ/1subnet.
Question 1) Is it necessary to have 2 public subnets to configure elastic load balancer? Can't I configure load balancer with just 1 subnet like in my case? If yes then please advise how to do it?
Question 2) Is load balancer really necessary between Route 53 and EC2 instance to make the site HTTPS? Can I configure Route 53 and SSL certificate to listen to EC2 instance directly and make the site HTTPS?
Please assist here to make my site HTTPS. Thanks
1) Yes, an ELB requires two subnets - but you dont have to have a server running in both subnets (but obviously you dont get the benefit/cost of dual servers). Within AWS goto the VPC section and create a new subnet inside the correct VPC - you should then be able to create an ELB (it may complain about the 2nd subnet - but if there are no instances inside that subnet it doesnt really matter).
2) No, but if you want to use the free ACM certificate it must be installed at the Load Balencer or CloudFront distribution level. There's nothing stopping you installing your own certificate on your EC2, configuring apache to use it and then renewing it as required. Take a look at LetsEncrypt for free certificates, or buy a cert online.
Few things to bare in mind:
"Best Practise" for TLS/HTTPS is constantly changing. AWS take the headache out of this by providing policies so updating to the latest standard is very simple and requires no changes to your ec2 (as its talking to the ELB via port 80)
If you decide to manage your own certificate, take a look at the SSL Labs certificate tester (https://www.ssllabs.com/ssltest/) to help you ensure your configuration is correct.
Let me answer the questions inline.
Question 1) Is it necessary to have 2 public subnets to configure
elastic load balancer? Can't I configure load balancer with just 1
subnet like in my case? If yes then please advise how to do it?
Yes. You must specify subnets from at least two Availability Zones to increase the availability of your load balancer. This is why you need at least two subnets (Minimum one subnet in each Availability Zone). When you run the EC2 instances, it is also recommended to run them in both Availability Zones (Given to the Load Balancer) with Auto Scaling for high availability and fault tolerance.
Question 2) Is load balancer really necessary between Route 53 and EC2
instance to make the site HTTPS? Can I configure Route 53 and SSL
certificate to listen to EC2 instance directly and make the site
HTTPS?
It is necessory if you are using Amazon Certificate Manager (ACM) Issued SSL certificates. Otherwise, if you use an externally purchased SSL certificate, you can configure the SSL certificate at your EC2 instance web server level.
Note: An alternative approach is to use AWS CloudFront as a proxy (Also for SSL termination using ACM certificate) and proxy the requests to the EC2 instance (If you don't want to pay for the Load Balancer where CloudFront costs are based on the number of requests unlike an hourly charge for Load Balancer).
I have a webserver running on a AWS EC2 instance (has an elastic IP) that can be accessed over my own domain (www.xy.ch) via http. Now, I need to access the webserver via https and so I created a certificate for my domain (www.xy.ch), uploaded it to AWS Certificate Manager and added the certificate to a Load Balancer connected with my EC2 instance.
This seems to work so far. When I target the DNS name of my Load Balancer (xyz.eu-central-1.elb.amazonaws.com) with a https in front, I can access my webserver. But the certificate is flagged invalid, because its common subject name (my domain name: www.xy.ch) does not match the input (DNS name of Load Balancer: xyz.eu-central-1.elb.amazonaws.com).
But now, I have no idea how to proceed so that I can access my webserver with https over my own domain (www.xy.ch). It does not work at the moment, so I obviously miss a configuration step, but I really don't understand what.
How can I connect my own domain with the Load Balancer's DNS?
I did some research and tried to understand the answers of similar cases (e.g. Assigning Static IP Address to AWS Load Balancer), but could not find a solution for my case.
The solution was indeed to delete all DNS entries pointing to the IP of the webserver and redirecting everything DNS wise over the Load Balancer. Credits to Mark B!
I'm trying to setup my website (on AWS). I have a t2.micro instance running on the us-east-1 region, and a Load Balancer (availability zones are us-east-1d and us-east-1c). I bought my domain using route 53, and also used the certificate manager to generate my SSL certificate (which I have attached to the load balancer).
My problem is that the load balancer seems to always send me to the root domain and it completely ignores the 2 subdomains I have setup on the EC2 instance. They were working perfectly until I created the ELB. So how can I get the subdomains working with the ELB? Or is this not the proper way of doing it? Can anyone point me to the right direction?
Thanks
You need to look at the application load balancer's rules. You can direct traffic based on the requested host name, or path. For example you can send app.example.com to one target group or blog.example.com to another group. Or you can route paths to individual target groups; for example example.com goes to your site, but example.com/cart goes to a microservice running your shopping cart.