I'm very new to AWS, so if any of the info I give you is not correct, I would appreciate a correction.
I have a single EC2 instance, running Windows, and using Internet Information Services (IIS). That instance has an elastic IP address set, so anytime I want to access my web, I do it through "http://xx.xxx.xxx.xxx/myWeb/controller/view.
I have a mobile app that opens a webview through an address like the one before, to register a credit card, and the API i'm using for that is requesting to make the connection secure. Doing research, I found about AWS Certificate Manager. It's of my uderstanding that you can only deploy a Certificate generated from the certificate manager to an ELB or CloudFront, but I don't have any of those.
All the documentation I read is fairly advanced for my understanding at this point or is focused on Linux servers, so I would like to know, how would you guys solve this? should I put ELB in front of my EC2 to be able to use Certificate Manager? or is there a better way to enable a HTTPS connection?
I also read about having to enable port 443 (HTTPS), is this an extra step I have to take, besides getting the SSL certificate?
Sorry if I'm all over the place. Any help would be greatly appreciated :)
There are 2 options, host the SSL within the Instance, or use ELB/ALB to terminate SSL (and change port) and forward the connection to the Instance. In either case you would need a domain name registered (the trust relationship is against the domain name, not the IP address).
If you choose the AWS route:
(Optional) Register the domain in Route 53, or transfer it in
Register the certificate in ACM, or upload your own
Create an ELB / ALB. Set it to use the custom domain and enable SSL.
Create a 'listener' on the ELB / ALB listening on port 443 (IIRC the SSL is actually attached to this listener). Set the listener to forward all incoming connections to the Instance on a port of your choosing (e.g. 80 now that it is HTTP).
If you are using websockets you would need to use an ALB (not ELB)
Beware there is a monetary cost for using ELB / ALB.
Related
I think I misunderstand the concept of adding ssl protection to my aws ec2 instance with a load balancer!
I have an Ionic app web, ios and android. I want to switch all http requests to https.
What I did:
Purchasing a url with route53
getting certificate with acm
setting up a load balancer like this...
https:443 -> ec2 instance (Here a applied the certificate)
http:80 -> https:443
http:8080 -> https:443
In Hosted Zones I added an A type record that points from my url to the Load balancer.
In my Ionic code I changed the endpoint addresses to https://my-backend-api-url.com/ (Yes I changed the my-backend-url.com in the real url :)
in the web deployment this set up lets me call the backend. But in the ios and android deployments it doesnt work and returns a 0 unknown error.
In the load balancer i can see that the requests from mobile deployments produce client tls negotiation errors.
My Attempt to fix this:
If I understand it right ( and there is a big if) I need a ssl/tls certificate that is in my app build in a certificate folder and i need the same certificate on my load balancer. Since aws ACm certificates only work for other aws services I think I can not use the certificate I created and applied via ACM.
So I think I need an ssl certificate from an ca and tried to get one with:
sudo certbot certonly --apache
When i enter my url it says:
"Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80"
Maybe also helpful to know is that I can access my backend api with the browser but it shows me that its unsecure and certificate is not valid:
Am I on the right track with my approach or did I completely misunderstand something? If my approch is correct what do I have to do that certbot can access port 80.
Any hint, link to a good tutorial, or help in any way is highly appreciated.
I think there is no need to get an ssl certificate from an external provider. You are accessing without ssl your load balancer. Your load balancer is doing the decryption for you. So, just check that your load balancer is in a security group with an open 443-port.
I have created a nodejs app and hosted it on aws ec2.
Enabled HTTPS, HTTP in the security. I purchased a domain from an external domain provider and connected nameservers using route53.
Now, when I am opening the domain it showing not secure. How Can I make it secure. I tried listen port in 443 but then domain was not opening.
Can Someone please help how to make it secure or provide some good documentation for begineers.
If you don't want use a load balancer to front your instance, then you have to get and install a third party SSL certificate on your instance for your domain.
A popular choice are certificates from https://letsencrypt.org/ (StackOverflow uses them as well). They also provide https://certbot.eff.org/ tool for easy installation and setup of the SSL certs on a variety of operating systems and servers.
I was using an EC2 instance of AWS and deploy my app on root through HTTP.
Now I migrated to HTTPs but the app does not load correctly. But I cant see any errors on chrome developers tools. The only thing I noticed different is that there is a lot of connections (350) made to the root that is where I deployed the app. I suspect is because the change of https. To made my app HTTPs I am using a load balancer of AWS and the aws certificate manager. Sorry for my english.
Image 1
when you add SSL certificates to the Application Load Balancer, the encryption and decryption of the request is taken care of by the ALB. Read more about this here. This means that your app can operate normally and should not be concerned with the request policy.
You can create a target group and point both HTTP (port 80) and HTTPS (port 443) traffic to the same target group.
Coming to your question. It seems like you are having difficulty in connecting to the ALB on port 443 (HTTPS). If your application is working as expected on port 80 (HTTP) follow this checklist to zero down on your problem:
Make sure that the security group of the ALB allows port 443 to your users or to the world
Check if the ALB has a listener configured on port 443. Read more about this in the docs here
Check if this listener points to the application target group.
As a last step, if you are using a domain name, make sure that it is pointing to the ALB and not the origin servers (EC2 in this case)
If you would like to get better understanding of how the request flows from the users instance to your application server, I've answered a simmilar question here.
Greeting
I have created the Certificate through Certificate Manager in AWS, the free one. And successfully verified as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued and Is Used? shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but the SSL does not work with my domain name. When I type "mydomain.com" with or without prefix http://, it works, but when I type "mydomain.com" with https:// prefix, it does not work
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes about that.
Can anyone share this experience? I really appreciate
Looking forward for the reply and thanks
You do not need to setup SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer listen on HTTPS, but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer which decreases CPU load on your web server.
If you do want to setup SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.
I'm using Amazon ELB and have https setup with a certificate, however I need to support many domains (several thousand). Is there a way to have an ELB forward port 443 to the resolving EC2 instance(s) and let them handle https? or would there be an alternative way to support this? From what I've seen it looks like you can only one listener to 443 with a single certificate associated.
It is possible to do this now.
You need AWS ACM certificates. Assuming you already have one:
Select your load balancer and Under "Listeners", check the https listener and open the certificate selector on "View/edit certificates".
Then in the selection menu use the '+' or '-' buttons to add or remove ACM certificates from said balancer:
The short answer to your question is no, an ELB can only have 1 associated certificate. Assuming you aren't in a situation where a wildcard cert would work (e.g. *.example.com) you won't be able to use ELB the way that the GUI makes it seem like it should work. This is because ELB does not support SNI which is what makes something like apache able to bind multiple SSL domains to a single host.
That said, there is a workaround. You can forward 443 through your ELB directly to the assigned server. This is done by setting up port 443 in TCP pass-through mode rather than in HTTPS mode. To do that:
Go to the AWS console and select the ELB you want to edit.
Choose "Listeners" tab.
Select "Edit"
Change the "Load Balancer and Instance Protocols to "TCP" (see screenshot)
Set the Load Balancer and Instance Ports to 443
Alternatively, if you don't yet have an HTTPS listener, choose "Add" in step 3.
Note, setting it up this way will force your EC2 Instances to encrypt/decrypt traffic which will be an additional load on your EC2 CPU.