I have a very private problem, I have a Java EE application (WildFly 10), running on the infrastructure of Amazon, well.
This application has an SSL certificate acquired of a specific domain ("www.xxx.com"), which has been properly installed on Amazon's Application Load Balancer (ALB), which retains requests and forwards securely to the application server an EC2, so far everything great.
But when we try to instantiate in the pages a "client" "WebSocket" in JavaScript it even presents "MixedContent" errors when used via unsecured WebSocket (WS), so that's fine because it is a browser security requirement:
ws = new WebSocket("ws://<ip-address>:8080/web-socket");
So i use a secure WebSocket (WSS) to make the connection, then under the IP and then presented the error that the IP was not secure because it had not been certified:
ws = new WebSocket("wss://<ip-address>:8443/web-socket");
So I installed the SSL certificate of the domain on the WildFly 10 server, but even then the error was still presented because the SSL certificate was purchased for the domain, not for the IP I'm trying to connect.
If i try to connect Secure WebSocket (WSS) through the secure domain, the same connects, but the Amazon ALB always drops it for inactivity time, and even if the value is too high, the Time to Live (TTL) over time, it shows performance loss over time, I believe by pooling TCP connections.
ws = new WebSocket("wss://www.xxx.com.br:8443/web-socket");
A possible solution would be to buy an SSL certificate that instead of registering a domain, would be registered under the IP of the server, the same would be installed on the server to allow this secure connection between Secure WebSocket and Secure Application, what opinion or experience you?
Related
We have a website hosted on AWS and the requests going to ALB and then ec2 instance.We have configured the ALB with ssl certificate and hence ssl termination happens at ALB.
In the chrome dev console network tab when we load our website, We could see that the below figures
Initial connection 992.35 ms
SSL 669.96 ms
So is this latency purely because of where the client is and the ALB itself as the application which is on the EC2 instance itself is not involved in the connection setup.
I understand that the alb has to make a connection to the application as well.Atleast the ssl part is purely because of ALB ? Can we improve this from our end ?
What else could we do here given ALB is doing the ssl termination ?
First of all, I'm in no way an expert at security or networking, so any advice would be appreciated.
I'm developing an IOS app that communicates with an API hosted on an AWS EC2 linux machine.
The API is deployed using **FastAPI + Docker**.
Currently, I'm able to communicate with my remote API using HTTP requests to my server's public IP address (after opening port 80 for TCP) and transfer data between the client and my server.
One of my app's features requires sending a private cookie from the client to the server.
Since having the cookie allows potential attackers to make requests on behalf of the client, I intend to transfer the cookie securely with HTTPS.
I have several questions:
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
The FastAPI "Deploy with Docker" docs recommend this article for implementing TLS for the server (using Docker Swarm Mode and Traefik).Is that guide relevant for my use-case?
In that article, it says Define a server name using a subdomain of a domain you own. Do I really need to own a domain to implement HTTPS? Can't I just keep using the server's IP address to communicate with it?
Thanks!
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
With HTTP all traffic between your clients and the ec2 is in plain text. With HTTPS the traffic is encrypted, so it is secure.
FastAPI "Deploy with Docker"
Sadly can't comment on the article.
Do I really need to own a domain to implement HTTPS?
Yes. The SSL certificates can only be registered for domains that you own. You can't get the certificate for domain that is not yours.
I am building a C++ application that needs secure connection to an SSL enabled server. I have read that for HTTPs to be fully secure, it requires the client to also use a valid certificate. But for my application, the certificate would be on disk so anyone installing the app would have access to the file. I came to the conclusion that the SSL certificate is not necessary for the application.
Am I right? Does an attacker could, somewhat, intrude into my SSL server?
Thanks a lot!
Secure HTTPs connection
When connecting to a TLS (nowadays)-enabled server, it's the server certificate that is mostly relevant (although some servers request a specific certificate from the client for authentication, but that's rare since a cert isn't as easily managed as a username+password).
That means that you don't need to have a trusted certificate, since one is generated (self signed) at runtime when neeeded as part of the TLS handshake.
The same happens in some TLS-enabled services outside WWW, for example, a SMTP TLS server's certificate is practically never checked against a trusted root.
Now If you are programming a WWW server application, yes you need a trusted cert. Check Let's Encrypt.
I have a website written in AngularJs which send api request to another server application. If I want user to connect website through https, do I have to make server https also? I have already requested a ssl certificate on AWS with my website address, and applied it on the load balancer of website instance (not server instance). Do I have to request another certificate for my api server?
Thanks.
It is recommended that the communication between the client and server happens over https, especially if private data is being transmitted, such as login data.
Regarding certificates, in order to https to work, the common name (CN) that is used in the certificate must match the fully qualified domain of your server's URL. So yes, you need a new certificate created specifically for your back-end server.
I need to add SSL to several Node.js services, each of one is listening on its own port, and that have NGINX to map them to our public "api" domain.
Due to the release of a new security policy now all services must be enforced to only work on SSL connections.
Since I'm not used to work with SSL certificates it's not clear to me what can be the advantage of setting the SSL on NGINX and make NGINX itself to proxy-pass to a http:// connection or have the real node.js endpoint to be a SSL server and (then proxy-pass to https://).
I guess with the NGINX solution, I could re-use the same SSL cert adding it to our "api" domain, while each different SSL node server would need a different cert.
Then it's not clear to me if into a production environment like this I should be using self-signed certificates (since the endpoint is touched through other services) or if it should be a CA trusted certificate exactly like it should be a public domain.
What am I missing in this considerations?
I assume the NGINX is public facing, and the nodejs services are internal (ie. not accessed directly by public web users).
You would only secure the connection between the public web to your NGINX. The transport between the NGINX and the NodeJS services is internal, and doesn't need to be secured. it's a big waste of CPU.
For the NGINX you buy a certificate from a valid certificate authority. For internal services you may use self-signed (ie. your own internal certificate authority generated certificates), but as said above, you shouldn't need to use SSL internally.