I can code but I don't understand anything about servers or DNS settings.
I found I could easily use beanstalk to launch applications that I'm working on but I do not understand fully how to properly create DNS entries and enable HTTPS.
In Route 53 I was able to successfully create a "Hosted Zone", point my domain to Amazon's four name servers, and create two A records. I created an A record for "domain.tld" and "www.domain.tld" and for each I selected "yes" for alias and "yes" for evaluate target health. For each A record for the alias I entered the long "environment.key.region2.elasticbeanstalk.com" URL they gave me for the application I created in Beanstalk.
To my surprise everything worked and visiting domain.tld or www.domain.tld goes to the root index.php file. Is there a better way to do this? I'm not sure if what I did is the correct way to do this.
Also, part two of my question: How do I set up HTTPS? I watched a YouTube video where the guy goes to Services > Certificate Manager and enters "*.domain.tld", which I did. I selected DNS validation and created a CNAME record as it requested me to do, and the status updated successfully to "issued". I went back to beanstalk > configuration > load balancer and under "secure elb listener" selected HTTPS for protocol and selected "*.domain.tld" for my certificate.
So now when I go to www.domain.tld or domain.tld nothing happens. If I go to https://www.domain.tld it shows the certificate but if I go to https://domain.tld it'll say "connection not private NET::ERR_CERT_COMMON_NAME_INVALID" click to continue type message.
Generally speaking I'd like everything to automatically go to https://domain.tld without someone entering in https://
I had to change my environment type to "load balanced" to see the "https/certificate" settings but I want to be able to use https on a "single instance" as well.
Also, when making changes to Route 53 "the DNS stuff" do I need to restart my application?
1) Your Route53 -> EB setup sounds fine.
2) The certificate problem you're seeing when trying to browse to https://domain.tld is because your cert only covers *.domain.tld, which does not include domain.tld. You can reissue the certificate to cover both.
3) If you want to redirect http://domain.tld to https://domain.tld, you'll need logic in your web server (apache, nginx, etc) to do that, as DNS does not operate at the protocol level.
4) If you want to use a certificate directly on an EB instance rather than on a load balancer, then you'll have to install the certificate and configure your web server appropriately. If you can afford the expense of keeping the load balancer, that'd be a much easier solution.
5) You shouldn't need to restart your app after making DNS changes.
I want to have a subdomain (api.mysite.com) which makes calls to an EC2 classic load balancer (load-balancer-123456789.us-east-2.elb.amazonaws.com). Everything is hosted on AWS, to (theoretically) make it as straightforward as possible.
I created a domain and subdomain in AWS Route 53, as per the instructions here, and created an "A" record in the subdomain that links to my load balancer as an alias. That works fine, I can make calls to the load balancer through api.mysite.com, as long as I use HTTP.
But when I try to use HTTPS, I get ERR_SSL_PROTOCOL_ERROR. If I try to open the API in a browser, the security icon says that it's "not secure". I think the problem might be that the certificate is connected to the main domain (mysite.com) instead of the subdomain (api.mysite.com), but I can't figure out how to get it to resolve properly.
This SSL checking site shows the EC2 server itself (the one that the load balancer points to) and reports "Certificate not valid for domain name". It's an Ubuntu server, though I'm not sure if that should matter.
The SSL certificate needs to specify the subdomain as well as the main domain. The easiest way to do this is through AWS's Certificate Manager, by requesting a new certificate.
Make sure to specify each relevant domain and subdomain in the certificate (in this case, both mysite.com and api.mysite.com.)
After creating the certificate, go to the Load Balancer, open up the Listeners tab, and select the HTTPS port. Then, change the SSL certificate for that port to the certificate that includes the relevant subdomain. If you use AWS Certificate Manager, it can be selected from the dropdown menu.
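An added example (not code from any of the posts above) of the hostname matching behind both certificate errors discussed so far: a wildcard name stands for exactly one label, so "*.domain.tld" does not cover "domain.tld", and a certificate for "mysite.com" does not cover "api.mysite.com". The function names are hypothetical and the sample names are the threads' placeholders.

```python
"""Check which hostnames a certificate's DNS names cover (wildcard rules)."""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.strip().lower().rstrip(".").split(".")


def san_matches(pattern, hostname):
    """True if one certificate DNS name covers hostname.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label, so "*.domain.tld" covers "www.domain.tld" but
    neither "domain.tld" nor "a.b.domain.tld".
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "w*.domain.tld" are treated as no match.
    return "*" not in pattern and p == h


def uncovered(hostnames, cert_names):
    """Return the hostnames that no name on the certificate covers."""
    return [h for h in hostnames
            if not any(san_matches(n, h) for n in cert_names)]


# Constructed sample data using the placeholder names from the threads.
SITES = ["domain.tld", "www.domain.tld", "api.staging.domain.tld"]
WILDCARD_ONLY = ["*.domain.tld"]
APEX_AND_WILDCARD = ["domain.tld", "*.domain.tld"]

if __name__ == "__main__":
    print(uncovered(SITES, WILDCARD_ONLY))
    print(uncovered(SITES, APEX_AND_WILDCARD))
    print(uncovered(["api.mysite.com"], ["mysite.com"]))
```

Any name the check reports as uncovered has to be listed on the certificate request, either exactly or under a wildcard one level up.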
I'm about to lose my mind trying to set this up. I have lost the whole day and can't seem to get near what I want to do.
I have a Node.js REST API uploaded through Elastic Beanstalk, and I'm trying to set up a webpage to present the API, but for the live example to work the API needs to be accessed through HTTPS. I've read the instructions for setting up HTTPS for Elastic Beanstalk (and like everything in the AWS documentation it is a ridiculous maze). It has sent me through several different AWS services.
What I basically got from it so far is that I need to set up a Load Balancer that will receive the connection through HTTPS and forward the user to my instance. But I can't get it to work. I have a domain from freenom: bibliaparahumanos.tk, it is set up with an A alias to my EC2 IP, and it works with HTTP, but if I try to access it through HTTPS, I get "connection refused". If I use my normal Elastic Beanstalk URL (http://apibibliahumana-env.eba-3nbmrphf.us-east-2.elasticbeanstalk.com/) with HTTPS it works, but I get a warning that the connection is not secure due to the domain on the certificate being different from the domain I'm accessing (which I understand, since the domain in the certificate is for my freenom domain).
I have the Load Balancer Listener set up with:
Protocol: https
Port: 443
Default action: forward to target group
(I have tried the target group with both http and https and the problem remains).
My certificate is from AWS Certificate Manager.
I have also seen this other tutorial but it confused me more. It adds some steps for configuring stuff on the app bundle, but I don't understand if it's required or an alternate way. I have tried setting that up, but it asks me to add the certificate's public key, which I can't figure out how to find.
I would suggest adding a CNAME record to your DNS towards apibibliahumana-env.eba-3nbmrphf.us-east-2.elasticbeanstalk.com.
A big advantage of using Elastic Beanstalk is that you can do blue/green deployments: as you will instead add the app URL to your DNS, you can build an entire new environment in Elastic Beanstalk, test/wait until it's stable and swap the app URLs, which results in deployments without any downtime.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html
I bought a domain named studileih.de, then I deployed my Angular frontend on firebase: https://studileih-ceb70.web.app/ and redirected from my domain studileih.de to the firebase URL.
Then I deployed my Spring Boot backend to AWS Elastic Beanstalk on: http://studileih1.eu-central-1.elasticbeanstalk.com/
-> Problem: Since the frontend on firebase used https and the backend on AWS used http I got a Mixed content error. The frontend wasn't able to load any of the backend data.
So I tried to solve this by creating an SSL certificate for my backend in the AWS Certificate Manager (ACM) and adding this to my Elastic Beanstalk Load Balancer. This worked and I could now at least make a connection from my frontend to my backend.
But now I get this error whenever a request to my backend gets sent:
When I click on "Accept the Risk and Continue" once, it works fine and all my backend data gets loaded. But I can't ask my users to do that.
(You can try this out by following: https://studileih1.eu-central-1.elasticbeanstalk.com/products and clicking "Advanced" -> "Accept the Risk and Continue" (if you dare ^^)
after you've done that, click on studileih.de and it will now load with the backend data.)
I know the problem exists because when creating the SSL certificate, I entered studileih.de as the domain that the certificate is for. I think I have to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com instead.
But when I try to create a SSL certificate for studileih1.eu-central-1.elasticbeanstalk.com:
I get this error from ACM:
How do I create a SSL Certificate for the Elastic Beanstalk URL?
p.s. I also tried to issue a certificate for my firebase URL https://studileih-ceb70.web.app/ but this one already uses HTTPS by default. Also I couldn't find out how to DNS/Email validate the ACM request in the firebase console. But I think I need a certificate for the Elastic Beanstalk backend at studileih1.eu-central-1.elasticbeanstalk.com, not for the firebase frontend, right?
p.p.s. I don't really need to use https, so a solution would be to make firebase use http instead of https, but I couldn't find anything on how to do that.
UPDATE:
I added a subdomain called api.studileih.de (the immediate access is blocked by Spring Security, as you're not logged in to my site, but you can test it with api.studileih.de/products, because this API is accessible without login). Then I redirected that subdomain to my AWS Load Balancer as suggested by Mark B by adding a CNAME to the subdomain:
(it's not possible to change to english there, sorry)
this is my Load Balancer:
I tried to put the DNS name as an A record into my subdomain, but it was only possible to enter an IPv4 address there, so I entered it as a CNAME instead. I also tried to find out the IP address of the Load Balancer, but Load Balancers don't have a static IP address.
This approach with the subdomain and the CNAME unfortunately didn't work, so I'm still looking for a solution...
(Here's the menu for setting an A record. You can only enter IP addresses there:)
I know the problem exists because when creating the SSL certificate, I
entered studileih.de as the domain that the certificate is for. I
think I have to create a SSL certificate for
studileih1.eu-central-1.elasticbeanstalk.com instead.
You can only create an SSL certificate for a domain you own. You need to point a subdomain of studileih.de, like api.studileih.de, at the Elastic Beanstalk load balancer, and then attach an SSL certificate to that load balancer that matches that subdomain.
Sorry in advance if this doesn't make much sense. I'm fairly new to this, so bear with me please.
I'm trying to map a domain to a specific folder depending on the domain name the user uses (example.com or test123.com), through Amazon Elastic Load Balancer (Application Load Balancer to be specific).
My current setup is that all traffic from the internet goes to a Load Balancer (ELB), from there it round robin between 2 EC2 instances. Both instances are connected to an Amazon Network File System (EFS), as well as a Relational Database (RDS).
I can access the website(s) fine through the DNS of the load balancer (http://web-load-balancer-efs-16512354.us-east-1.elb.amazonaws.com/example/)
What I want to do now is set it up so that if someone puts example.com as their URL it will point to the Load Balancer and from there the server will use the correct folder as root (www.example.com document root would be http://web-load-balancer-efs-16512354.us-east-1.elb.amazonaws.com/example/, but the URL will still be www.example.com).
I created a hosted zone on Route 53 to point the domain name to my load balancer, but currently my load balancer leads to one of the EC2 instances. Currently the EC2 document root is /var/www/html/efs-mount/.
Is there a way for me to have multiple document roots depending on the domain name?
I stumbled on something about putting multiple TLS/SSL certificates on your listener, and through the SNI protocol it'll be able to find the right place? http://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#https-listener-certificates. I'm not sure if this is what I need, or I'm completely off track.
If someone can point me to the right direction on how to do this that would be great.
Thanks
You are indeed off track.
While ALB with multiple SSL certificates may be a part of your strategy, since it allows you to attach multiple ACM certificates to a single instance or group of instances, ALB does not re-write the paths of the incoming requests or determine how the instance resolves web paths into filesystem paths.
This is something configured in your web server itself. Start by searching for something like "name based virtual hosting." Each domain name will specify its own "document root" in the web server configuration files.
My iOS software platform runs on AWS Elastic Beanstalk and has a URL we'll call "something.elasticbeanstalk.com". I have a website we'll call "website.com" I purchased and operate the DNS records for through Namecheap. I need to make the URL my iOS client apps use to connect to the server HTTPS since Apple is requiring this soon due to App Transport Security.
WHAT I THINK I'M SUPPOSED TO DO
What I think I'm supposed to do is create an SSL certificate for "website.com" and apply that SSL certificate to the AWS EB load balancer. Then I need to create a subdomain for "website.com" that redirects traffic to "something.elasticbeanstalk.com". Client apps connect to the subdomain of "website.com" which is now HTTPS and redirects to "something.elasticbeanstalk.com". Is that correct?
WHAT I'VE DONE SO FAR
So far, I created an SSL certificate for "website.com" using AWS Certificate Manager. For this I had to verify my email address associated with "website.com". I then applied that SSL certificate to my environment's load balancer in the AWS Management Console. After that, I went into Namecheap and followed this guide in the 'Domain Name & AWS 53 Management' section to do it.
I read in this article that I needed to create an alias and/or set up Nameservers in AWS Route53. I tried doing that but don't know what I'm doing and it seems to conflict with the Medium article I linked above that I followed telling me to change the CNAME record for the URL and the Redirect URL record for "website.com".
QUESTION
What do I do from here?
SITUATION
-I have a Parse Server on Elastic Beanstalk with URL “something.elasticbeanstalk.com”
-I have a domain with Namecheap called “website.com”
WHAT I NEEDED
I needed to make my client app connect to an HTTPS address since Apple is requiring it shortly with App Transport Security. Since I couldn’t get an SSL certificate using AWS certificate manager for “something.elasticbeanstalk.com”, I created one for “website.com”. I then needed to have my client app connect to the HTTPS “website.com” which would forward it over to “something.elasticbeanstalk.com”. This satisfied the HTTPS requirements of Apple.
HOW TO DO IT
1) Make an SSL certificate for “website.com” using AWS Certificate Manager. You will need to confirm the domain via a confirmation email to the administrator for it.
2) Apply the SSL certificate for “website.com” to the AWS EB Load Balancer. Go to your AWS EB Console, click "configuration", click "Load Balancing" under the "Network Tier" category. Now under the first category which is "Load Balancer", select the SSL record you made and apply it in the "SSL certificate ID" section.
3) Set a CNAME record for “website.com” with a host of whatever subdomain of “website.com” you want. I chose “data” as my host value and subdomain (so my subdomain is “data.website.com”). Set the value of the CNAME record to “something.elasticbeanstalk.com”. Wait for it to propagate. It’s usually pretty fast but not always.
4) (I’m unsure if this particular step is proper but it worked for me) Set the serverURL of Parse-Server to “https://something.elasticbeanstalk.com” and the publicServerURL to “https://data.something.com”
5) In the Parse “initializeWithConfiguration” method in your client app that enables the app to connect to the server, change the server URL to “https://data.something.com/parse”. NOTE: include the “/parse” which is the MOUNT PATH of the parse-server. This value MAY BE DIFFERENT for you depending on how you set it but I set it to “/parse” since that’s what I saw in the Parse-Server docs.
NOTES
-I deleted all Route53 records since they are irrelevant here since “something.com” DNS services are controlled by Namecheap.
-A Redirect URL record in Namecheap is unnecessary