I am beginner with AWS and need some help for my first project .Below is the architecture of my environment and the code runs great on Godaddy .I am trying to move it on AWS. Please try to understand things are working but not in a way that I want.
Setup
Two private subnet AWS linux servers(like one in Associate practise lab)
One S3 bucket mapped to /var/www/html sync aws s3 sync cronjob
Route53 domain name registered sample.com
Cloudfront created https://sample.cloufront.net
Application load balancer internet facing --ssl (80,443 listener ports )
ACM -SSL certificate issued *.sample.com ,WWW.sample.com
RDS instance with everything configured for SG etc
Issues
Below are the Issues
As soon as I use http -https redirection from httpd.conf as suggested by Amazon guys I get a bad gateway using this documentation
Images are not getting delivered by Cloudfront. I tried to redirect in .htaccess getting access denied although I created identity and updated bucket policy .
Load Balancer DNS name gets exposed even when route53 mapped to load balancer
httpd.conf "All" has been used for override
S3 Sync with /var/www/html is changing the permission on linux when any new file is uploaded .
Related
I have added https support to my elastic beanstalk Java based application (at https://www.albunack.net) by adding Amazon certificate to the load balancer as described here, registered for the domain names albunack.net and *.albunack.net
The part that is running on elastic beanstalk is working correctly, however if I move to some static html files that are stored on Amazon S3 bucket called reports.albunack.net it just hangs
e.g. https://reports.albunack.net/new_acoustid_report1_1.html
the non https url works fine
e.g. https://reports.albunack.net/new_acoustid_report1_1.html
Do I need to do something on S3 as well ?
Basically, S3 does not serve HTTPS traffic. If you want to access your static contents with in-transit encryption, you need to have a CloudFront distribution in front of it, or we can say that we need a CDN.
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-https-requests-s3/
For SSL certificate, you can issue a free one as you did with your Load Balancer, but you need to issue it under North Virginia region to make it work with your CloudFront distribution.
After that, you can update your DNS management with a CNAME to your CloudFront distribution which will be a DNS name.
Reference: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html
After all, you and your app should be access one of your image with HTTPS.
https://<your-domain>/image1.png
Background
I am trying to deploy a dummy application with React frontend and Django backend interacting via REST api. I have done the following:
Use a S3 bucket to host static website and deploy my react code to it
Put Cloudfront for S3 bucket - set up certificate and changed my domain name (from GoDaddy) to link to this address
Kicked off Elastic Beanstalk environment following the python environment tutorial of AWS
Set up Postgres RDS and linked the Django server with it
So now I can do the following
Access my frontend using https via my domain name (https://www.example.com)
Access django admin site using the path of elastic beanstalk and update items
i.e. each component is up and running
Problem
I am having trouble with:
Making a secure REST API call from the static page to Elastic Beanstalk environment. Before I set up certificates I could easily make REST API calls.
The guides I can find usually involve putting a domain name for Elastic Beanstalk, which I imagine does not apply to my case (or does it?)
I tried to follow this faq and updated configuration in load balancer that accepts 443 https and redirects to 80 http. But I am using same certificate as from CloudFront, which does not sound right to me.
Would appreciate help with
how to solve the above ssl connection issue
or is there a better architecture for what I'm trying to achieve here?
According to Request a certificate in ACM for Elastic Beanstalk backend, it sounds like I have to use a subdomain and request a certificate for that subdomain, and use Cloud 53 to direct requests to that subdomain to Elastic Beanstalk environment. Would that be the case?
Thank you in advance!
By default EB url will HTTP only. To use HTTPS you need to deploy SSL certificate on your ALB.
In order to do that you need a custom domain, because you can only associated an SSL certificates with domains that you control. Thus, normally you would get a domain (you seem to already have one from godaday). So in this case you can setup a subdomain (e.g. api.my-domian.com) on godady. Then you can use AWS ACM to register a free public SSL certificate for api.my-domian.com.
Once the certificate is verified, using either DNS (easier) or email technique, you deploy it on your ALB using HTTPs listener. Obviously you will need to point api.my-domian.com to the EB's https url. You can also redirect on your ALB http traffic from port 80 to 443 to always use https.
Then in your front-end application you only use https://api.my-domian.com, not the original EB url.
There can be also CORS issues alongside this, so have to be vary of them as well.
I have created a subdomain demo.mysite.com which is hosted over godaddy.com. I have successfully mapped the subdomain demo.mysite.com to my AWS elastic IP in the go daddy console
On my AWS EC2 instance my website is secured runing over HTTPS and I have deployed the certificates corresponding to demo.mysite.com on my AWS EC2 instance. Now the problem I am facing is
1 - When I access my subdomain it points to my EC2 instance and the URL in my web browser changes to my Elastic IP ie www.demo.mysite.com --->> https://201.12.34.58:8443/myApp , which must not happen and it must remain as https://demo.mysite.com
2 - And since my URL changes so I start getting the certificate error saying
The certificate is only valid for demo.mysite.com.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Can someone help in solving these two issues, I feel that if first issues gets solved the second issue will automatically get solved. I am not sure though
Guys I need your help
I suggest to manage your domain DNS with CloudFlare. Add a CNAME record for your subdomain demo which points to that IP. On CloudFlare Console go to Crypto > Origin Certificates. Create a new one with RSA, then import it to AWS Certificate Manager at us-east-1. For the certificate chain use this. Be sure that Always use HTTPS in Crypto tab is on. After some minutes you should be using your domain pointing to AWS with HTTPS working fine.
That's what I did to make a subdomain to work with an AWS API endpoint with SSL.
What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM(AWS Certificate Manager) supports the AWS resources like ELB, Cloudfront, API Gateway etc. You can add SSL certificates to these
resources via AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances, you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is setup, you can change your apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"
I have create a AWS elastic search domain in Virginia and got a Endpoint url.
Now I wanted to configure the Route53 behavior around it, so that a caller can use the same url, even though there is some change in elastic search or in case of a disaster recovery.
So,
Virginia Route 53 -- 1 Points to -- Virgina Elastic Search Domain URL
Oregon Route 53 -- 2 Points to -- Oregon Elastic Search Domain URL
Main Route 53 -- 3 Points to -- Route 53 1 or 2
I have already create these and also created and uploaded SSL certificate with correct SAN entries. But when I execute,
curl https://mainroute53/health
curl https://virginiaroute53/health
curl https://oregonroute53/health
I am getting this error,
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
But when I am calling the Elastic Search URL directly its working. So I understand this is a issue with the way I am using the certificate. Any help appreciated.
Your Elastic Search endpoint will always return the Elastic Search SSL certificate.
So when you create a Route 53 "alias" for it, you may be connecting to it via your custom DNS entry, but Elastic Search will still use the Elastic Search SSL certificate.
Since the DNS endpoint you're using does not match the SSL certificate, you get that error.
You could use the --insecure curl flag to have it not check the SSL certificate, however, there are risks of doing that.
You can probably work around this by setting up a proxy server in front of the Elasticsearch domain, although it's kind of silly since there appears to also be an ELB inside the Elasticsearch domain. Ah well.
The domain Amazon ES creates for you includes the nodes in the Elasticsearch cluster and resources from several AWS services. When Amazon ES creates your domain, it launches instances into a service-controlled VPC. Those instances are fronted by Elastic Load Balancing (ELB), and the endpoint for the load balancer is published through Route 53. Requests to the domain pass through the ELB load balancer, which routes them to the domain’s EC2 instances.
https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/
One way you can access Elasticsearch using your custom domain name is to use an API Gateway as an HTPP proxy. But then you have to deal with the authentication part since the Cognito cookies for ES will be pointing to the original domain (*.es.amazonaws.com).
In my experience this is doable and you should be able to use API Gateway (plus Custom Domain Names and Route 53) to achieve what you want (having a custom domain name over ES). It's just that it requires some Cognito knowledge and most likely, some coding (to handle the cookie problem).
You can use the http endpoint instead of the https one
i.e
curl **http**://mainroute53/health
This works around the fact that AWS does not allow providing custom domain certificate in its managed Elastic service
We had the same issue, wanted to be redirected to Kibana with a more friendlier DNS name and we used the solution with S3 bucket and the redirection as described here.
The steps:
Create a S3 bucket with any name.
In the bucket properties, enable “Static Website hosting”.
In the Static WebSite hosting properties, select the option to “Redirect Requests”.
In the target domain set the Kibana URL that is given from your elasticsearch domain: i.e. https://vpc-es-randomstring.us-east-1.es.amazonaws.com/_plugin/kibana/
Set Protocol to https
Then follow the steps from Step 5 on the guide above