Connect Classic ELB to EC2 Tomcat with Client Authentication - amazon-web-services

How to connect an ELB HTTPS to an EC2 HTTPS Tomcat

Setup:
- Classic ELB: SSL CA-signed certificate
- EC2 Tomcat: keystore - self-signed; trust store - imported a certificate from Salesforce; client auth = true

Additional notes: it is working if clientAuth='false'

Infrastructure overview: Salesforce -> SSL ELB -> SSL EC2

As the SSL certificate is deployed on the ELB, it will terminate the connection with the client on the ELB, decrypt the requests and then send them to the backend instances. That's why the request works with clientAuth = false.
If you just need authentication per Salesforce certificate (depends on your security policies), set security groups such that traffic is allowed on the ELB only on port 443 and clientAuth = false, as the ELB has already made sure that the connection with the client is encrypted.
In case you need additional security, you can follow the instructions here to set up authentication with the back-end instances as well.
Hope it helps.

I got this working by using TCP in both the Health check and the listener.

Related

AWS EC2 - access dockerized rest api service over https

I have a nodejs API hosted on an EC2 instance (ubuntu server) which is running on PORT 5000.
Using http:// I can access this API over public-api:5000, but I cannot access it over https.
I have opened all ports in the security group and allowed access from anywhere, but still it is not possible.
What do I have to do in order to access my API via https instead of only http?
For HTTPS to work you need TLS/SSL certificates. Just enabling the port (the default is 443 for https) will not work. You can get free TLS certs on AWS using the AWS ACM service. You should have access to the domain and should be able to update the domain records for ACM to verify your cert.
You can terminate TLS on the load balancer or in your application. You have to handle https traffic. Reference here

Amazon certificates with envoy front-proxy

I am trying to use an Amazon SSL certificate for my app. Currently, I have a dockerized application hosted on the AWS server with an envoy front-proxy. I am using Let's Encrypt SSL certificates for a trusted domain certificate. Now I want to switch to Amazon's SSL certificates.
I am exploring this but I didn't get any clear idea. This blog shows how to enable traffic encryption between services in AWS App Mesh using AWS Certificate Manager, but it does not mention how to do it with the envoy proxy.
For envoy, we have to provide cert and key files. But as per this question, we are not able to download these files from Amazon. Is it possible to use the Amazon certificate with an envoy front-proxy? If yes, can you please give me an idea/example of how to do it?
Thanks in advance.
Only AWS services can use AWS SSL certificates. If you want to use an AWS SSL certificate for TLS/HTTP traffic, you would use an Application Load Balancer to handle the certificate and send it to your Envoy proxy hosted on an EC2 box. Ideally you would keep the network traffic encrypted, which would require you to use a LetsEncrypt certificate between the Application Load Balancer and EC2.

Does AWS NLB pass through SNI values when terminating TLS? (Routing via SNI)

AWS Network Load Balancers support TLS termination. This means a certificate can be created in AWS Certificate Manager and installed onto an NLB, and then TCP connections using TLS encryption will be decrypted at the NLB and then either re-encrypted or passed through to a non-encrypted listener. Details are here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html.
The benefits of using AWS Certificate Manager are that the certificate will be managed and rotated automatically by AWS. No need to put public-facing certificates on private instances.
I'd like to route TCP connections to the NLB based on the SNI, i.e. connections to the same port and IP can be routed to different targets based on the server name that was requested by the client. Whilst I can see that multiple TLS certificates for a given listener are supported, using SNI to determine which certificate to serve up, I don't see how to configure listeners based on SNI.
I have therefore put HAProxy behind an NLB and want to route to different backends using SNI. I terminate TLS with the client at the NLB, re-encrypt the traffic between the NLB and HAProxy using a self-signed certificate on HAProxy, then route to the backends using unencrypted TCP.
(client) --TLS/TCP--> (NLB on port 443) --TLS/TCP--> (AWS target group on port 5000, running HAProxy) --TCP--> backends on different IPs/ports
Does AWS NLB pass through the SNI details to the target groups?
If I connect directly to HAProxy (not via the NLB) then I can route to the backend of choice by using SNI, but I can't get SNI routing to work if I connect via the NLB.
According to this SO answer and to the Istio docs, if you terminate TLS on the load balancer it won't carry SNI to the target group. I had the exact same issue and I ended up solving it by setting the host as '*' on the ingress Gateway and then specifying the hosts on the different VirtualServices (as recommended here).
I think that this solution could also work but I didn't try it. You would have to set the certificate in the Istio Gateway secret and do TLS pass-through on the NLB, but then you can't use the AWS ACM SSL certificates, as pointed out in the previous link.

AWS - Load balancer with TLS termination but using self-signed certs to back-ends?

Question
Is it possible to have a load balancer in AWS handle TLS termination for a real certificate, while also having it use a self-signed certificate on the back-end? If so, how?
Context
This way, I could pay for the certificate once for one server (the LB) and then still have TLS between the LB and the large number of back-end servers. The front-end user would be happy as they would get a real cert and no warnings, and the back-end app would be secure via the self-signed cert.
That's possible. You can use a trusted cert on the ELB and a self-signed cert on the backend. Once you configure the listener (for the frontend on port 443 with a valid cert) and the target group on port 443 for the backend, the entire traffic should be encrypted. The client would see the cert used on the ELB/ALB, and you can also restrict the backend to allow connections only from the ELB/ALB.
You can use an ACM cert on the ELB/ALB, which is free.

https secure on AWS ec2

I have an app running on AWS EC2 (all is fine), but I want to use https. Do I need a certificate? And do the input traffic ports have to be set to a specific number? The app is supported by node and express.
For HTTPS, yes, you need a certificate. You can use AWS Certificate Manager to obtain a certificate.
Since you are using a NodeJS application, you can use an Nginx proxy to terminate the HTTPS.
For HTTPS the default port is 443.
You can refer to this documentation to configure HTTPS termination.