how to configure CloudFront with ec2 instance and elastic ip - amazon-web-services

I have a blog(codeoverflow.in) hosted on aws-ec2 instance. I am using cloudfront and acm certificate to provide ssl for my blog. But when I access codeoverflow.in or www.codeoverflow.in, cloudfront redirect me to https version successfully but gives the following error:
The request could not be satisfied. CloudFront wasn't able to connect
to the origin. Generated by cloudfront (CloudFront) Request ID:
TE89T-COJiVFgBGUpBG_2gWd6Iim3c-svHsborUct49O9Owjb3nl6g==
I have type A and type AAAA alias records for both codeoverflow.in and www.codeoverflow.in in route 53, all pointing to cloudfront distribution.custom ssl certificate is also configured for both domains.as of now I have dissociated elastic ip from ec2, but I want to use it as well together with cloudfront and ec2. Please help me to configure all three together.

It looks like you're trying to connect to your origin via HTTPS, but it doesn't sound like you have SSL enabled on your instance.
The easiest thing to do is use a hostname for your origin - i.e. www-origin.codeoverflow.in. Create a load balancer that listens on both 80 & 443, deploy an appropriate cert to that (you may have to create a new one, or create a wildcard) and put your instance behind that listening on port 80. Finally, create an ALIAS record in Rour53 from www-origin to your load balancer.

Related

AWS EC2 instance doesn't response using HTTPS

I have AWS EC2 instance that sends the response using HTTP. The URL link is as below:
http://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
This works fine with the. S3 bucket after the deployment, but, the Cloudfront blocks request that are not comes using HTTPS. How do I make sure that HTTPS also work with this URL:
https://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
Thanks.
ec2-18-233-225-132.compute-1.amazonaws.com domain belongs to AWS, not you. This means that you can't have valid SSL certificate for it. You must have your own domain if you want to enforce https between CF and EC2.
Once you get your domain, you can use https://letsencrypt.org/ to get valid free SSL cert for it. Alternatively, you can front your instance with a load balancer, and get free SSL cert for your domain using AWS ACM. Then you associate the SSL cert with the LB.
For cloudfront https handling:
Create certificate in ACM. Update cloudfront distribution to use that certificate and set ssl/TLS.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-updating-cloudfront
for EC2 https handling: You need to open HTTPS port (443). To do that, you go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group with also HTTPS available. Then, just update the security group of the instance.
After these steps, if it's still not working it is an application problem.
You have to configure the Security Group of that Instance...
At left side ,down below the EC2 dashboard ; you can see Network and Security-- then click on Security Group.Click on it ...Then edit inbound Rules...Add https ,port 443

EC2 running NGINX behind CloudFront with HTTPS?

I have a CloudFront distribution already configured for an S3 bucket using Route53 domain with HTTPS enabled using a public certificate.
I want to use this CloudFront distribution with another origin (which is an EC2 instance running NGINX as a reverse proxy for an application on that same instance), but I also need to enable HTTPS.
The normal way I would enable HTTPS on EC2 with NGINX is to just setup the nginx configuration and point my domain "A record" to the instance then request a certificate with Let's Encrypt. But how should I do it when behind CloudFront? I won't use Let's Encrypt (not necessarily important to just use it) and would like to use an AWS public certificate as I did with my S3.
Could I just configure NGINX to listen on port 80 and add this EC2 instance as an origin on the CloudFront distribution then enable HTTPS and choose my public certificate there or how should this be done to work properly?
This time I am not going to use a Load Balancer, I want a direct connection between the EC2 and CloudFront. But I would also like to know how to set this up when using a Load Balancer (for the future).
Could I just configure NGINX to listen on port 80 and add this EC2 instance as an origin on the CloudFront distribution then enable HTTPS and choose my public certificate there or how should this be done to work properly?
Yes you can do this, but all traffic pattern will be:
Clinet---(HTTPS)--->CF---(HTTP)--->Instance
Which means that half of your connection (CF->Instance) will be in HTTP, which may not be desired.
If you want to have HTTPs on every path, you still need to have public valid SSL cerfiicate on the instance. CF will not work with self-signed certificates.

How to enable HTTPS for Elastic Beanstalk url

I have enabled HTTPS for my custom domain name (haydenclay.page), but I also need the Beanstalk url (app-name.elasticbeanstalk.com) to run through HTTPS as well.
HTTPS does not work currently, because the cert name matches my custom domain name, yielding: ERR_CERT_COMMON_NAME_INVALID
I need HTTPS because I make API requests, and going from HTTPS to HTTP throws a mixed content error. How can I enabled HTTPS on the beanstalk url?
I have already tried making an alias
Sadly you can't enable https directly for app-name.elasticbeanstalk.com domain. This is because this domain is controlled by AWS. You can only register SSL certificates for domains that you control.
If you want to server your content from EB over ssl, you have generally three options.
Front your instance with load balancer. This is the easiest* way as you can associated ACM SSL certificate with the balancer for your domain.
Front your EB instance with CloudFront (CF). You can setup alternative name for your cloudfront domain with your CF distro and your SSL cert. You can also use ACM for that. Also easy setup, but it should be noted that traffic between CF and your EB instance will be http only, unless you also setup your own SSL cert (not from ACM) on the instances (point 3).
Install your own SSL certificate (not from ACM) directly on the EB instance, using nginx. This requires manual setup and a valid public certificate. Popular choice is LetsEncrypt, to get the SSL cert from.
If you use CloudFlare, go to DNS -> Records
Type: CNAME
name: api
Content: "YOUR_URL.eu-west-1.elasticbeanstalk.com"
Proxy status: Proxied
And call your new url: api.your_domain.com

Cannot make HTTPS work between CloudFront and Elastic BeanStalk

I am trying to setup HTTPS across my app which consists in a frontend (S3 bucket distributed with CloudFront), and a backend (node.js app inside Elastic Beanstalk).
For the CloudFront part, I created an SSL certificate in N. Virginia (apparently I don't have a choice here) and I made the binding in the CloudFront distribution. It works and my app is served over HTTPS.
For the Elastic Beanstalk part, I created an SSL certificate in Ireland (where my EBS app is hosted) and I bound this certificate to the EBS load balancer using the port 443. It works and I can reach my server with HTTPS using Postman.
However, when my frontend tries to make an API call to the backend I get this error :
I guess I made a mistake while creating the certificates, but I cannot find it. I gave both certificates the same set of CNAMES, I am not sure if I am supposed to do that.
EDIT :
I get the exact same error after updating the frontend so that it points the DName of the load balancer (also mapped to subdomain with Route 53).
CloudFront is attempting to load an HTTPS URL from your load balancer. I assume you have an SSL certification assigned to the load balancer. The domain name of the SSL certificate on the load balancer needs to match the domain name that CloudFront is requesting.
For example if the load balancer's SSL certificate is something like beanstalk.mydomain.com then CloudFront would need to be making requests for https://beanstalk.mydomain.com. The error CloudFront is giving you says that the domain name of the SSL certificate served by the load balancer does not match the domain name djumbo-back-debug.eu-west-1.elasticbeanstalk.co.
You need to setup something like the following:
DNS Name www.mydomain.com points to CloudFront Distribution
Configured to serve www.mydomain.com
Configured with an SSL certificate for the domain www.mydomain.com
Configure to pull from the origin beanstalk.mydomain.com
DNS Name beanstalk.mydomain.com points to Elastic Beanstalk application
With a Load Balancer, with an SSL certificate for beanstalk.mydomain.com

How to enable HTTPS on AWS Elastic Load Balancer?

I am attempting to add HTTPS to my AWS Elastic Load Balancer.
I obtained a certificate through AWS Certificate Manager:
I have enabled HTTPS on the load balancer:
I made sure the security group for the load balancer accepts 0.0.0.0/0 on 443:
When going to my domain on HTTP, it works.
However, when trying to load my domain with HTTPS, it does not work ("ERR_CONNECTION_TIMED_OUT")
EDIT and UPDATE:
It is the API that I am attempting to get HTTPS working for, not necessarily the domain. The domain serve's a static file (angular web app) from S3, and it is angular that is calling the load balancer (to transfer the request to an EC2 instance) for DB data.
When angular calls the api directly via the load balancer domain name over HTTP, the request responds as expected.
When angular makes the same api call over HTTPS, I get the following error:
You enabled HTTPS for your domain name, not the ELB domain which Amazon owns. You can only create SSL certificates for domains that you own. You can't enable SSL for "mydomain.com" and then excpect that to somehow work on a completely different domain. You need to change your AngularJS code to reference the API by your custom domain name which you have created an SSL certificate for. You need to point the domain to the ELB and install the SSL certificate for the domain on the ELB.
Mark B provided the almost full solution.
As my javascript code is calling the elastic load balancer (ELB) via it's DNS name provided by AWS, I can't obtain an SSL certificate for the domain I don't own.
As Mark B pointed out, I need to point my javascript code to the domain I do own, and have an SSL cert for.
So I can create a sub domain (e.g. api.mydomain.com) of the domain I own that then points to the ELB.
An A Record (e.g domain pointing to an IP) looks like it could fit the need.
However, an A Record can't point to the ELB because it's IP could change.
The missing step was to use AWS Route 53 to point the A Record to an alias (Route 53 allows you to do this) that represented my AWS Elastic Load Balancer.