My plan is to add HTTPS and SSL to EC2. The problem I have is that I have my own domain, websites and SSL certificate all on different hosting, like Lunarpages. Is it possible for me to allow my domain like this https://www.example.com/apps/project3/api to connect to EC2 from Lunarpages even though I already have an SSL certificate installed on Lunarpages hosting? So I don't need to create an SSL certificate on EC2. I don't want to move my websites with www.example.com to EC2; it should remain with Lunarpages hosting.
Is there an option I can connect from my https://www.example.com/apps/project3/api (not subdomain) and SSL certificate from other hosting to EC2?
TL;DR
Use Lunarpages as a reverse proxy.
About DNS
DNS cannot manage "subfolders" (URI). When the user is typing your URL in your website (or when you make a request to your API), the web browser will do a DNS resolution of the domain. Therefore, it will connect to www.example.com and then search for /apps/project3/api. It means it is not possible to have www.example.com/a on one server and www.example.com/b on another one by using a DNS mechanism.
Reverse proxy
To solve this problem, one solution is the reverse proxy. If Lunarpages allows it, you can use their hosting as a proxy to your EC2. Every request of www.example.com will be processed on Lunarpages. Only the requests of /apps/project3/api/* will be proxied to EC2. Lunarpages will do the SSL termination and then proxy the request to EC2.
Drawbacks
As you can imagine, having the request going to Lunarpages then to the EC2 and finally going back to the client through Lunarpages can have a big impact on performance and response time.
The security is also important because the communication between Lunarpages and the EC2 should be encrypted. It means another SSL certificate (self-signed) should be present on the EC2.
Other solutions
I strongly recommend using the same hosting provider for the same domain name even if there are multiple servers to process the requests. Three solutions come to mind:
Host everything on Lunarpages
Host everything on AWS (reconsider this option)
Use a different subdomain for the API (api.example.com) that will point to the EC2 and manage the SSL certificate of api.example.com on this EC2.
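The reverse-proxy setup described in this answer, sketched as an added nginx configuration (not part of the original answer). It assumes the front host runs nginx and allows custom configuration; origin.example.com, the document root and all certificate paths are hypothetical placeholders. The point it illustrates is the "Drawbacks" remark about the second hop: a self-signed certificate on EC2 only protects that hop if the proxy is told to trust exactly that certificate and to verify it, because nginx does not verify upstream certificates by default.

```nginx
# Front host for www.example.com: terminates browser TLS and proxies one path to EC2.
server {
    listen 443 ssl;
    server_name www.example.com;

    # The public certificate that is already installed for www.example.com (placeholder paths).
    ssl_certificate     /etc/ssl/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/www.example.com/privkey.pem;

    # All other URLs keep being served by the existing site (placeholder root).
    root /var/www/example.com;

    location /apps/project3/api/ {
        # No URI part after the host, so the original request path is forwarded unchanged.
        # origin.example.com is a hypothetical name that resolves to the EC2 instance.
        proxy_pass https://origin.example.com;

        # Authenticate the EC2 side, not just encrypt to it:
        # trust only the self-signed certificate copied over from the instance.
        proxy_ssl_verify              on;   # default is off
        proxy_ssl_trusted_certificate /etc/ssl/upstream/ec2-selfsigned.pem;
        proxy_ssl_name                origin.example.com;   # must match the cert's name
        proxy_ssl_server_name         on;   # send SNI to the upstream
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Tell the backend what the client originally asked for.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```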
Related
I have an EC2 server that serves the backend using HTTP to the S3 bucket Frontend and that works fine when I use the S3 address to run the app. However, after I deploy to the Cloudfront, I get the following error:
Mixed Content: The page at 'https://d3qxpzawaycmw5.cloudfront.net/#/employees' was loaded over HTTPS, but requested an
insecure resource 'http://ec2-3-86-60-146.compute-1.amazonaws.com:3030/api/Employees?'. This request has been blocked;
the content must be served over HTTPS.
This informs that the BE must be served using the HTTPS. If I can't change anything for the BE, is there any solution to use the Cloudfront?
Thanks.
You don't need to change anything in the instance if you don't want. The easiest way to get HTTPS for your instance is to front it with a load balancer as explained in:
How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?
But for this, and any other method, you need your own domain, as you need a valid public SSL certificate for it. If you use a load balancer, you can easily get a free SSL cert from AWS ACM.
But if ALB is too much for you, then you need to deploy SSL on the instance. This still requires your own domain, but you can't use ACM. Instead you can get a free SSL certificate from https://letsencrypt.org/.
Put http:// at the front of cloudfront domain name
This happens when you try to open the application with https but trying to connect the backend with http.
Installing/configuring SSL certificate for backend solves this problem.
If you want to use without SSL in cloudfront use HTTP and HTTPS like this
I have created a nodejs app and hosted it on aws ec2.
Enabled HTTPS, HTTP in the security. I purchased a domain from an external domain provider and connected nameservers using route53.
Now, when I am opening the domain it is showing not secure. How can I make it secure? I tried listening on port 443 but then the domain was not opening.
Can someone please help with how to make it secure or provide some good documentation for beginners?
If you don't want to use a load balancer to front your instance, then you have to get and install a third party SSL certificate on your instance for your domain.
A popular choice are certificates from https://letsencrypt.org/ (StackOverflow uses them as well). They also provide https://certbot.eff.org/ tool for easy installation and setup of the SSL certs on a variety of operating systems and servers.
I have a VueJS front-end application running on S3 being served as a static website.
I have a NodeJS (behind an nginx reverse proxy, plus a few other services) backend application running on an EC2 instance that the VueJS app talks to (over http currently).
I have a domain successfully pointed at the VueJS app (S3 bucket) with the configured SSL certificates using Route53 / CloudFront / ACM.
However, now the VueJS app will not communicate with the EC2 instance backend as it is still using HTTP which is now not allowed.
So what is the best way to configure this? I can't run certbot on the ec2 instance and generate an SSL certificate for my domain as there are certificates already being used for the S3 bucket.
Should I just create a self-signed certificate?
Can I create another certificate for a subdomain perhaps (api.example.com say) and set up DNS record for that to point to my EC2 instance IP address?
How is this usually done, what is best practice?
So a self-signed cert won't work; it won't pass validation as there is no known CA (certificate authority) behind it. I mean you can install it but the browser is going to complain.
I'm not sure I understand why you can't use certbot. S3 / EC2 are two separate services so I'm a bit confused here?
You can use letsencrypt to generate a cert for the server and have it installed as well, but if you have clusters you may be better served by installing it on the actual ALB. However, this does not ensure end-to-end if the cert is not installed on all backend systems (that would require installing the cert on all systems in the cluster). Your requirements will dictate this really.
If you are unable to generate a cert with letsencrypt you can get an SSL from ssls.com and just install the PEM or CRT on the server / load balancer too though.
Usually you create some subdomain like you said for your api and create a certificate for that subdomain. On AWS in particular, you can use an elastic load balancer and use ACM /Route53 with that for ease of certificate management, but that does carry costs of the load balancer.
Alternative is to just put an API gateway in front of your EC2 instance as a reverse proxy, which will carry some costs, but maybe not as much depending on traffic volume.
I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching
Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will maintain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
Or you can set up your certificate at EC2 instance directly. Here is how to do this with Nginx for example https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2
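The third option above (certificate installed on the EC2 instance itself, as the earlier answers suggest with Let's Encrypt and certbot), sketched as an added nginx configuration that is not part of the original answer. It assumes the Node.js app listens on 127.0.0.1:3000, that certbot issued a certificate for api.example.com into its default directory, and that /var/www/certbot is the webroot used for renewals; the port and webroot are hypothetical.

```nginx
# On the EC2 instance: nginx terminates TLS for api.example.com and
# forwards to the Node.js app over loopback only.

server {
    listen 80;
    server_name api.example.com;

    # Keep the ACME HTTP-01 challenge path reachable so certificate renewals work.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;   # assumed certbot webroot
    }

    # Everything else is redirected to HTTPS, so no API call travels in clear text.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # certbot's default location for the issued certificate and key.
    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask browsers to stay on HTTPS for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The app is bound to loopback (assumed port 3000), so its plain-HTTP
        # port does not need to be opened in the security group.
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout only ports 80 and 443 need to be open in the instance's security group.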
I am not into SSL at all, so bear with me please. I have no idea how to start to actually solve my problem.
Current situation:
1x Webserver with Webspace for a Website and it includes a Domain Administration, also to order SSL Certificates etc.
1x Different Webserver at Amazon Web Services with a PHP-based Software on it with Login etc.
A Subdomain that I created in the Domain Administration is pointing via DNS to the IP of the AWS.
What I need:
I want an https Connection (SSL) for the Subdomain that is pointing to the AWS so that the connection/login is secure.
My question is what I have to do on the side where I have the Domain Administration and after that what I have to do on the side of the AWS.
Thank you so much!
You have several options in hand,
If you already have an SSL certificate purchased, you can include it inside the webserver (e.g., configure Apache for SSL).
If you plan to use free SSL certificates from Amazon, you can use one of the following options after creating a SSL certificate in AWS Certificate Manager.
Create an AWS CloudFront Distribution and attach the SSL certificate there while configuring an origin to forward traffic to the specific web server. However, you need to create the SSL certificate in North Virginia region and there won't be any upfront costs for CloudFront. CloudFront acts as a proxy and you can explicitly instruct to cache the static content reducing the load for web server and improving the performance.
The other option is to create an Application Load Balancer (ALB) and attach the SSL certificate there (create the SSL certificate in the same region) while forwarding traffic to the web server. However, this will add a monthly recurring cost for the ALB.
All you need to do is, on AWS ACM (AWS Certificate Manager) procure a certificate for your subdomain and use AWS ELB to use the certificate and point to the AWS webserver.
After this use the ELB IP in the DNS settings.
There are other options too like procuring the subdomain certificate and installing it on the webserver on AWS.