When I associate an AWS certificate with my Elastic Beanstalk app and visit the domain using https, I get 'This site can’t be reached, mydomain.com refused to connect.' I can visit the site using http.
I created a security certificate with AWS's ACM. I added my domain name, example.com, along with additional names that were sub domains to the certificate. In my app's environment 'Loading balancing' section I set this up:
I set up the security group named awseb-e-abc123-stack-* for my environment as follows:
There is another security group named awseb-e-abc123-stack-AWSEBLoadBalancerSecurityGroup-*, which is as follows. It has the same name tag as the above group, which is the same as my environment name:
It seems, though, that the entries of the "AWSEBLoadBalancerSecurityGroup" security group do nothing, as removing all the entries still allows HTTP traffic to work.
In .elasticbeanstalk\securelistener.config, I have the following:

    option_settings:
      aws:elb:listener:443:
        SSLCertificateId: <my certificate's ARN>
        ListenerProtocol: HTTPS
        InstancePort: 80
It seems, though, that if I add a syntax error to this file, the deployment still succeeds.
Here is the output of curl -vL https://<my domain>:
* Rebuilt URL to: https://<my domain>/
* Trying <my elastic IP>...
* connect to <my elastic IP> port 443 failed: Connection refused
* Failed to connect to <my domain> port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to <my domain> port 443: Connection refused
I used a separate domain name registrar to set up my domain name, and set my domain's DNS A record IP address equal to my Elastic IP.
[edit]
I had mentioned above that changing the rules of the load balancer security group does nothing. This was because my EC2 instance's security group was pointing to the instance's security group, not the security group of the load balancer. When I pointed the EC2's security group to the load balancer's security group, the security group's rules are exercised. I verified this by removing all the rules from the load balancer security group, and seeing that no requests are accepted. However, if I add back the HTTP and HTTPS rules to the load balancer security group but remove all the rules from the instance security group, all HTTP requests are going through. This is NOT expected behavior because the load balancer is supposed to forward traffic to the instance. What seems to be happening is (1) the instance and load balancer security groups are not at all related to the instance and load balancer and (2) no traffic is going to the load balancer.
Is there anything else I'm missing?
[edit 2]
I misread gkrizek's comment. If I use the public DNS of the load balancer, I am able to connect using either HTTP or HTTPS. I am able to connect to both versions using telnet. So instead of creating an A record that set testdomain.com to my Elastic IP, I created a sub.testdomain.com CNAME record set to the load balancer. Now I am able to browse to both http://sub.testdomain.com and https://sub.testdomain.com. Two questions:
Is it OK to use the load balancer's public DNS in the CNAME record? I can't use the *.elasticbeanstalk.com URL because it could change, so I'm wondering if the same situation applies here.
How can I secure https://testdomain.com (no sub domain)? It seems like with this method, it is impossible to have https://testdomain.com since I cannot create an A record with a domain name.
The issue is that you have to create a CNAME record with your domain and use the load balancer DNS name as the address. If you use the Elastic IP, the requests will not go to the load balancer.
To answer my last questions:
AWS says this is OK.
You cannot directly do this because AWS does not allow you to assign an Elastic IP to a load balancer. What you can do is have a URL record that redirects testdomain.com to https://www.testdomain.com
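As an added diagnostic (not code from the question or the answer), the script below reproduces the checks behind the curl output and the accepted fix: it resolves the domain and the load balancer's DNS name, probes TCP 80 and 443, and reports whether the A record sends traffic to the Elastic IP instead of the load balancer. The domain, load balancer name and Elastic IP in the `__main__` block are constructed placeholders.

```python
# Added example, not code from the thread: check whether a domain's DNS sends
# traffic to the instance's Elastic IP (bypassing the load balancer) and
# whether ports 80/443 accept connections there, as the curl run above did.
import socket
from typing import Callable, List, Set


def resolve(name: str) -> Set[str]:
    """All IPv4 addresses a name resolves to; empty set if resolution fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def tcp_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake succeeds; curl's 'Connection refused' maps to False."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(domain_ips: Set[str], lb_ips: Set[str], elastic_ip: str,
             probe: Callable[[str, int], bool] = tcp_open) -> List[str]:
    """Pure classification so it runs on captured data as well as live."""
    findings = []
    if domain_ips and domain_ips <= lb_ips:
        findings.append("DNS OK: domain resolves to the load balancer's addresses")
    elif elastic_ip in domain_ips:
        findings.append("DNS BYPASSES LB: the A record points at the Elastic IP, so the "
                        "ELB listener on 443 is never reached; use a CNAME/alias to the LB")
    else:
        findings.append("DNS UNKNOWN: domain resolves to neither the LB nor the Elastic IP")
    for ip in sorted(domain_ips):
        for port in (80, 443):
            state = "open" if probe(ip, port) else "refused/filtered"
            findings.append(f"{ip}:{port} {state}")
    return findings


def run_live(domain: str, lb_dns_name: str, elastic_ip: str) -> List[str]:
    """Live version: resolve both names and probe the domain's addresses."""
    return diagnose(resolve(domain), resolve(lb_dns_name), elastic_ip)


if __name__ == "__main__":
    # Placeholder values (assumptions, not the poster's real names or addresses).
    for line in run_live("example.com", "my-elb-123456.us-east-1.elb.amazonaws.com", "203.0.113.10"):
        print(line)
```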
Related
I have a Spring Boot application with different ports hosted on an EC2 instance.
Domain in Route 53
Domain Name: mydomain.com
App A - 8081,
App B - 8085,
App C - 8088
Instance IP: 10.xx.xx.xx
domain:
test1.mydomain.com points to 10.xx.xx.xx:8081/landingpage &
test2.mydomain.com points to 10.xx.xx.xx:8085/landingpage &
test3.mydomain.com points to 10.xx.xx.xx:8088/landingpage
I have some beginner-level idea of creating Load Balancers and Target Groups.
Your views are always welcome.
As stated by Marcin, Route 53 can't resolve ports; this is a workaround. Assuming you have already opened two ports on your EC2 instance:
Create 2 target groups: one to port 8085, one to port 8088. Register your instance to those 2 target groups.
Create an application load balancer (ALB). Create 2 CNAME records with the subdomains you need, and route both to your ALB DNS.
Optional: Create a certificate for your domain (ACM); it should enable SSL on *.example.com. Register the certificate to your HTTPS load balancer.
Create a listener rule on port 443 of your ALB (80 if you don't use SSL) that routes depending on your host name; each host name will route to one target group.
Route 53 is a DNS web service. It only resolves names to IP addresses, not ports nor URL paths. For that you need to either set up a load balancer for your instance, or use nginx on the instance to manage ports and URL path redirections.
You can't do what you want in DNS using Route 53. See Can DNS point to specific port? - Webmasters Stack Exchange. There are several ways to implement what you want:
Virtual hosts and reverse proxy
It is very common to run Apache or Nginx on your server on ports 80/443 for HTTP/HTTPS respectively. Both support virtual hosts, where you point multiple domain names to the same server and then forward the requests to other ports. See What is a "reverse proxy" in webmastering?
Multiple load balancers
You could create multiple Amazon ELBs that forward requests to different ports. Then Route 53 could point each domain to its own load balancer.
Content delivery network (CDN)
Amazon's CDN is called CloudFront. It can sit between your site and your visitors and do the mapping that you want.
I'm trying to get an HTTPS connection for my Elastic Beanstalk environment. To accomplish this I'm following https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html, which implies setting up a load balancer. When I configure the load balancer in the environment settings, the deploy fails with
"Updating load balancer named: awseb-e-w-AWSEBLoa-xxxxx failed Reason: ELB cannot be attached to multiple subnets in the same AZ. (Service: AmazonElasticLoadBalancing; Status Code: 409; Error Code: InvalidConfigurationRequest; Request ID: xxxx-xxxx-xxxx-xxxx-xxxx; Proxy: null)
"
I managed to get around this by unchecking some subnets in the Elastic Beanstalk network config. But when I do so the EC2 instance becomes unresponsive, I can't even SSH to it, and the environment gets stuck on "No Data". It becomes responsive again if I remove the load balancer.
How can I configure my subnets properly so that everything works? Thanks in advance!
Solved by doing this:
After requesting a certificate in AWS Certificate Manager:
Go to your environment configuration and choose "Load Balancer" (you may have to change "Capacity" from "Single instance" to "Load Balanced" first).
Next choose "Add listener" and set it up like this:
Port 443
Protocol HTTPS
Choose the SSL certificate you requested in ACM
SSL policy is optional
Done.
Now open Route 53 and in "Hosted Zones" write your domain and point it to the Elastic Beanstalk environment URI; this domain will now have HTTPS.
You may need to prepend https:// manually to the URL for the domain using the certificate; sometimes further configuration is needed for auto redirection.
(Note that the elasticbeanstalk.com domain still won't have HTTPS.)
I have a frontend React application hosted on Amazon Amplify and a backend SpringBoot application hosted on Amazon EC2.
My domain can only send https request but SpringBoot by default is http. My question is how can my EC2 instance listen to HTTPS request and then redirect to http port in SpringBoot.
I checked other posts and it seems like you should not add SSL to your Spring Boot application, but rather to the load balancer in front of it. At the end of the day, this is what I want:
POST https: xxx.xxx.xxxx:443/user/signin
---> http: xxx.xxx.xxxx:8080/user/signin
---------------------------------------- update ----------------------------------------
Marcin has provided a top level idea on how to solve this, thank you!
I also attached the step-by-step solution for people like me, please see answers below
Below are the complete steps to take to convert your
http API to https using AWS EC2.
Disclaimer: I only researched for a couple of hours; some concepts might be inaccurate or wrong, but following this guide does get the job done. Correct me for misleading information.
(1) springboot:
keep your server port on 8080 and don't change it to https (443)
(2) make sure your EC2 instance has the correct *VPC* and *IPv4 CIDR* set up
go to Instances -> Description -> VPC ID and then click on it
you should now see the list of VPCs; find the one that is associated with your instance
In Details -> IPv4 CIDR -> check if it has two or more values in the format below:
xxx.xx.0.0/16
xxx.xx.0.0/16
(3) skip this step if you have two IPv4 CIDRs set up
select your VPC instance -> click Actions -> EDIT CIDRS -> Add new IPv4 CIDR
make sure the two IPv4 CIDRs are in different zones
more information on IPv4 CIDR:
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html
(4) now we want to create an application load balancer that listens to https:443 requests
select HTTP/HTTPS Application Load Balancer and for each step (as shown in AWS):
step 1.
Load Balancer Protocol and Port: https: 443
step 1.
Availability Zones: now is the time to select your VPC and two zones
step 2.
Security Setting choose a certificate from ACM (assume you have one on Route 53)
step 3.
Security Group: make sure to select the same group as your EC2 instance
step 4.
Routing http: 8080, target type: instance
step 5.
Register Targets select your EC2 instance, on port 80, please don't forget!
(5) now the load balancer is set up; double check the security group of your EC2 instance
go to Instances -> Description -> Security Group and click on it
for inbound rules, keep ports 443, 22, 80, 8080; don't remove 8080
443 is for https, 22 for the ssh client, 80 for tomcat
(6) now find the IPs to use for the https request
this is not the public IP address of your EC2 instance
your application is behind a load balancer; the IP address should be the network interface IP. Each network interface IP is associated with a subnet ID that your VPC uses.
so go to Network Interfaces in your EC2 console. Select any of your network interface IDs with a subnet ID under your EC2's VPC.
click Details -> and scroll down to find the public IP you need
(7) before starting the next step, make sure you have the following:
a domain hosted in Route 53 (I have one for my frontend UI)
an SSL certificate obtained from AWS Certificate Manager
you should have put this SSL certificate on your load balancer in step 3
if you don't know what to do, check this Stack Overflow post for answers:
Adding SSL to domain hosted on route 53 AWS
(8) before next step, make sure you understand the following:
If you directly test your https request in postman, you will likely succeed.
However you will fail if using it in production, like this:
axios.get("https:xxx.xxx.xxx:443/user/signin");
(failed)net:ERR_CERT_COMMON_NAME_INVALID
This is because whatever static IP you are using does not match the AName for your SSL certificate. For example, if your domain name is helloworld.com, your backend API request should be https://helloworld.com/user/signin
(9) create a subdomain and config it in Route 53
I'm getting lazy, please see the link below:
https://aws.amazon.com/premiumsupport/knowledge-center/create-subdomain-route-53/
(10) final step!!!!!!
Now you have a working subdomain; let's use it for your network interface IP.
For testing, you can pick any IP from the list of network interface IPs. Go to Route 53 -> Hosted Zones -> select your subdomain, example: api.helloworld.com -> create record
Record Format
name: api.helloworld.com
type: A
Routing: Simple
Value: <your_network_interface_ip_address_multiple>
(11) sorry, not ready yet
please wait a couple of days for the DNS record to be updated. If DNS can resolve your subdomain, let's say api.helloworld.com, into your network interface IP, and since you can already test the correctness of your IP in Postman, you should be ready to go!
--------------------------- end of useful information ---------------------------
If you want to keep using only the instance (no load balancer or CloudFront), then you need to get your own domain for it. Then you have to register a valid, public SSL certificate for it using, e.g., letsencrypt. Once you have that, you can set up nginx on the instance to accept the https connections and forward to your Spring Boot as http.
The easier route is to use an application load balancer. You still need your own domain, but once you have it, you can easily get a free SSL cert from AWS ACM and then deploy it on the balancer. No need to change your instance. So it would be:
Client ---(HTTPS)---> ALB ---(HTTP)---> EC2
I have a JFrog factory (port 8081) and JFrog docker (port 8082) running on an EC2 instance.
With Route 53 I defined the URL of the domain xxx.io and also two subdomains jfrog.xxx.io and docker.xxx.io.
With Certificate Manager I applied for an SSL certificate for the domain xxx.io, which normally is available as well for the subdomains if I don't make any mistakes.
What tools do I need to set up so that when a user enters the URL jfrog.xxx.io it is redirected to the JFrog instance (port 8081), but the port of this instance must be mapped to 443?
You can use an application load balancer to achieve it.
The load balancer works with target groups, and you will need 2 target groups for your load balancer. The first target group will map https (443) to your JFrog docker and the second target group will map https (443) to your JFrog factory.
The target group for jfrog factory will look like:
The target group for jfrog docker will look like below.
P.S.: My instance is unhealthy because it has nothing in it, just a dummy instance.
The important things in the target group are the port mapping of your application and the target type. Then register your EC2 instance with the target groups.
Now in your load balancer, choose the tab Listeners and View/Edit rules for the listener of type HTTPS (443).
Then add new rules using a host header condition, which will then redirect traffic to your target groups based on your subdomains (host header); it should look something like below. P.S. I do not have SSL certificates, so I have used http itself; https should not be any different.
Then finally you must make a DNS entry of type CNAME to map your domain (xxx.io) to the load balancer's DNS name.
This is where you will get the load balancer's DNS name:
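The host-header routing described in this answer and in the earlier Spring Boot answer (two target groups, one listener on 443, rules keyed on the subdomain) can be checked offline before building it. The following is an added example, not code from either answer: it models how an ALB listener evaluates host-header rules in priority order and falls through to the default action, using a constructed rule set that mirrors the jfrog/docker subdomains.

```python
# Added example, not code from the answers: simulate how an ALB HTTPS listener
# picks a target group from host-header rules (priorities, wildcards, default
# action) so a rule set can be sanity-checked before traffic depends on it.
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    priority: int          # the ALB evaluates lower numbers first
    hosts: Sequence[str]   # host-header condition values ('*' and '?' wildcards)
    target_port: int       # instance port of the rule's target group


def host_matches(pattern: str, host: str) -> bool:
    """Host-header condition semantics: '*' matches zero or more characters,
    '?' exactly one, the comparison is case-insensitive and covers the whole name."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def route(rules: Sequence[Rule], host_header: str,
          default_port: Optional[int] = None) -> Optional[int]:
    """Return the instance port the listener would forward to, or default_port
    (None models a default fixed-response such as 404)."""
    host = host_header.split(":", 1)[0]   # clients may send "Host: name:443"
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(host_matches(p, host) for p in rule.hosts):
            return rule.target_port
    return default_port


# Constructed rule set mirroring the JFrog answer: two subdomains, two target groups.
JFROG_RULES = (
    Rule(priority=10, hosts=("jfrog.xxx.io",), target_port=8081),
    Rule(priority=20, hosts=("docker.xxx.io",), target_port=8082),
)

if __name__ == "__main__":
    for name in ("jfrog.xxx.io", "docker.xxx.io:443", "xxx.io"):
        print(name, "->", route(JFROG_RULES, name))
```

The apex name xxx.io matches neither rule, so it reaches the default action; if the apex should serve something, it needs its own rule or a default target group.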
I want to set up https for my domain name. My files are on AWS Beanstalk (PHP website).
I have my Namecheap SSL for the domain registered.
On EC2 Console:
The ELB was configured by default. I added my SSL to IAM and attached it to the ELB that was created with the project. I want to terminate the HTTPS requests from the web at my ELB and send http requests to my instance.
Security groups:
ELB: the default ELB (http, https and ssh ports configured) and default VPC is attached to the ELB (http and https configured; source is 0.0.0.0 for all)
Instance: default vpc security group is attached.
When I try https://the_aws_elb_link:
chrome error: NET::ERR_CERT_COMMON_NAME_INVALID
safari error: host name mismatch
I checked md5 for all the ssl uploads made. They check out.
When I try to enter my domain name with https: This site can't be reached
What I want: https://www.mydomain.com and authentication at my ELB
ELB listeners configured
CNAME settings
You need to set up the ELB listeners this way, then it will work.
Your domain is pointing to the EC2 IP address; it should point to the AWS ELB CNAME, then it will serve the SSL certificate.
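Both this question (NET::ERR_CERT_COMMON_NAME_INVALID / host name mismatch when opening the ELB's own link) and step (8) of the Spring Boot guide above (the same error when calling a raw IP) come down to hostname matching: the name in the URL must be one the certificate was issued for. The added example below, not code from any post, checks a URL host against a certificate's subject alternative names using the matching rules browsers apply (RFC 6125); the names and addresses in the usage block are constructed.

```python
# Added example, not from the posts: check a URL host against a certificate's
# subject alternative names the way a browser does, to explain the
# NET::ERR_CERT_COMMON_NAME_INVALID errors reported in these threads.
import ipaddress
from typing import Iterable


def dns_name_matches(san: str, host: str) -> bool:
    """Exact match, or a '*' that is the entire leftmost label matching exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    if san_labels[0] != "*" or "*" in san[1:] or len(san_labels) < 3:
        return False   # '*.com' and 'a*.example.com' style wildcards are not accepted
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def cert_covers(host: str, dns_sans: Iterable[str], ip_sans: Iterable[str] = ()) -> bool:
    """True if a certificate with these SANs is valid for the host part of the URL."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return any(dns_name_matches(s, host) for s in dns_sans)
    # A literal IP in the URL is only covered by an iPAddress SAN, never by a DNS name.
    return any(ip == ipaddress.ip_address(s) for s in ip_sans)


def explain(host: str, dns_sans: Iterable[str]) -> str:
    """Human-readable verdict for a host/certificate pair."""
    sans = list(dns_sans)
    if cert_covers(host, sans):
        return f"{host}: covered by {sans}"
    return f"{host}: NOT covered by {sans} -> browser reports a name mismatch"


if __name__ == "__main__":
    # Constructed cases: the ELB's own name, a raw IP, and the names a cert was issued for.
    sans = ["www.mydomain.com", "*.xxx.io"]
    for h in ("www.mydomain.com", "awseb-e-x-ABCDEF.us-east-1.elb.amazonaws.com",
              "203.0.113.10", "jfrog.xxx.io", "xxx.io"):
        print(explain(h, sans))
```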
ping www.lbacs.org
PING www.lbacs.org (98.124.199.6): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1