I have an instance on AWS with Tomcat that works on port 80.
My security group has the following configuration:
I did the configuration for Tomcat and keytool. On my local machine it works and I can open https://localhost:8443, but how can I open HTTPS on port 8443 on AWS?
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/user/keytools/ssl"
           keystorePass="123456"/>
You just change the Connector port to 443 and it will work.
I have currently launched an EC2 instance with Fluentd installed, and am using the in_forward input plugin to receive logs from the other services. On the other side, the service will be sending logs to the EC2 instance with the out_forward buffered output plugin. For better security, I would like to create a load balancer in front of the EC2 instance; how should I change fluentd.conf? Should I just replace the EC2 instance IP with the load balancer's, or is other config needed? Thanks!
My Current fluentd.conf
Forwarder
# fluentd/conf/fluent.conf
<source>
  @type forward
  port 24224
  bind 0.0.0.0
</source>
<match *.**>
  @type forward
  transport tls
  tls_cert_path /path/to/fluentd.crt
  tls_verify_hostname false
  <server>
    host <EC2_instance_IP>
    port 24224
  </server>
</match>
Receiver
<source>
  @type forward
  port 24224
  bind "0.0.0.0"
  <transport tls>
    cert_path "/path/to/fluentd.crt"
    private_key_path "/path/to/fluentd.key"
  </transport>
</source>
<match *.**>
  @type elasticsearch
  host "localhost"
  port 9200
  index_name "app"
  type_name "log"
  include_tag_key true
  tag_key "@log_name"
  logstash_format true
  flush_interval 10s
  <buffer>
    flush_interval 10s
  </buffer>
</match>
@jenny, your configs shouldn't change much. The forwarders will use <Load_Balancer_DNS_Name> for host. You will need to configure a load balancer in AWS with a listener on 24224 that forwards traffic to a target group consisting of your EC2 instance(s).
Currently, I am trying to configure HTTPS for one of my Tomcats, which is under an ELB, and for the SSL certificate I have used AWS Certificate Manager and pointed it to the ELB.
My ELB listener ports are:
ELB port 80 --> Instance port 8080
ELB port 443 --> Instance port 8080, with the ACM certificate.
Is there any configuration that needs to be done at the Tomcat level, or any method to run my site with HTTPS using ACM?
You can put NGINX on each Tomcat instance; Nginx is super reliable and has the smallest footprint I have ever seen in a serious web server.
Then in the NGINX config:
NGINX will rewrite all requests to the ELB, calling the HTTPS port, using status 301.
server {
  listen 80;
  server_name myhost.com;
  # add ssl settings
  return 301 https://myhost.com$request_uri;
}
Tomcat Config:
Now you need to touch the server.xml configuration of Tomcat (located at $TOMCAT/conf/server.xml).
<Connector scheme="https" secure="true" proxyPort="443"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="25000"
           URIEncoding="UTF-8"
           redirectPort="8443" />
Amazon Elastic Load Balancer:
You have to configure the following listeners in the AWS ELB.
HTTP 80 -> HTTP 80 (nginx)
HTTPS 443 -> HTTP 8080 (tomcat)
I hope this works for you.
I deployed a Docker image running a fluentd instance on Elastic Beanstalk.
I want to send messages to fluentd from another Elastic Beanstalk application, but I receive java.net.ConnectException: Connection refused.
In fluentd.conf I set
<source>
  @type forward
  bind 0.0.0.0
  port 24224
</source>
In the Dockerfile I set
EXPOSE 24224
In Dockerrun.aws.json
"Ports": [
  {
    "ContainerPort": "24224"
  }
]
The fluentd node can be pinged from the client node, but it seems that port 24224 is not exposed correctly to the rest of the environment.
Running the fluentd Docker container locally, it works.
Where can I look to solve my problem?
I've created a free tier EC2 instance on AWS. I've opened inbound connections to this instance through the security group. On the EC2 instance, I'm able to access the WildFly server and see it running/listening on 127.0.0.1:8080. When I run the netstat -ab command on the EC2 instance I can see services listening on the above IP address/port combination. Could you please help me connect to this instance from my own machine? Please let me know if I should provide any additional info that would help troubleshoot the problem. Thanks in advance.
I've opened the inbound ports below:
80 tcp 0.0.0.0/0
8080 tcp 0.0.0.0/0
22 tcp 0.0.0.0/0
23 tcp 0.0.0.0/0
3389 tcp 0.0.0.0/0
443 tcp 0.0.0.0/0
-1 icmp 0.0.0.0/0
Your service listens on 127.0.0.1, which is not your network interface. Configure it to listen on your instance's private IP (10.x.x.x) or 0.0.0.0 (all) instead.
Solved it with the help of this post: JBoss WildFly: Starts but can't connect?
I was almost there but had to change standalone.xml to listen to all ports as @Michel suggested. Below is my standalone.xml. Thank you all again for all the help.
Earlier standalone entry:
<interfaces>
  <interface name="management">
    <inet-address value="${jboss.bind.address.management:0.0.0.0}"/>
  </interface>
  <interface name="public">
    <inet-address value="${jboss.bind.address:0.0.0.0}"/>
  </interface>
  <interface name="unsecure">
    <inet-address value="${jboss.bind.address.unsecure:0.0.0.1}"/>
  </interface>
</interfaces>
Changed above to this:
<interfaces>
  <interface name="management">
    <!-- Use the IPv4 wildcard address -->
    <any-address/>
  </interface>
  <interface name="public">
    <!-- Use the IPv4 wildcard address -->
    <any-address/>
  </interface>
  <interface name="unsecure">
    <!-- Use the IPv4 wildcard address -->
    <any-address/>
  </interface>
</interfaces>
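The question above (and its accepted answer) hinges on the difference between a port being allowed by the security group and a service actually being bound to a reachable address. The following script is an added example, not code from any of the posts: it parses `ss -lnt` style output (the Linux counterpart of the `netstat` check in the question), classifies each listener's bind address, and combines that with the ports the security group allows. The listener lines and the security-group port set are constructed for this example.

```python
"""Triage "the security group allows the port but nothing connects".

Parses `ss -lnt` output, classifies each LISTEN socket by its bind address
(loopback-only, all-interfaces, interface-specific) and combines that with
the TCP ports a security group opens, so the report shows why a service on
127.0.0.1:8080 stays unreachable even though 8080 is allowed.
"""
from dataclasses import dataclass

# Constructed sample of `ss -lnt` output (not captured from the asker's instance).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       50      [::1]:9990          [::]:*
LISTEN  0       128     10.0.1.23:24224     0.0.0.0:*
"""

# Constructed: the TCP ports the question's security group opens to 0.0.0.0/0.
SAMPLE_SG_TCP_PORTS = {22, 23, 80, 443, 3389, 8080}

WILDCARD = {"0.0.0.0", "::", "*"}
LOOPBACK_V6 = {"::1"}


@dataclass
class Listener:
    address: str
    port: int
    scope: str  # "loopback-only", "all-interfaces" or "interface-specific"


def classify(address):
    """Classify a bind address by who can reach it."""
    if address in WILDCARD:
        return "all-interfaces"
    if address in LOOPBACK_V6 or address.startswith("127."):
        return "loopback-only"
    return "interface-specific"


def parse_listeners(text):
    """Extract LISTEN sockets from `ss -lnt` output; header and other states are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the fourth column; IPv6 addresses are bracketed.
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")
        listeners.append(Listener(addr, int(port), classify(addr)))
    return listeners


def reachability(listeners, sg_tcp_ports):
    """Map port -> verdict explaining whether a remote client can connect.

    Both conditions must hold: the socket is bound to a non-loopback address
    and the security group allows the port. OS firewalls are out of scope here.
    """
    verdict = {}
    for lst in listeners:
        if lst.scope == "loopback-only":
            verdict[lst.port] = (f"unreachable: bound to {lst.address} (loopback only); "
                                 "rebind to 0.0.0.0 or the instance's private IP")
        elif lst.port not in sg_tcp_ports:
            verdict[lst.port] = (f"unreachable: bound to {lst.address} "
                                 "but the port is not allowed by the security group")
        else:
            verdict[lst.port] = f"reachable: bound to {lst.address} and allowed by the security group"
    return verdict


if __name__ == "__main__":
    for port, text in sorted(reachability(parse_listeners(SAMPLE_SS_OUTPUT),
                                          SAMPLE_SG_TCP_PORTS).items()):
        print(f"{port:>6}  {text}")
```

Run on a real instance with `ss -lnt | python3 triage.py` after replacing the sample text with `sys.stdin.read()`; a loopback-only verdict points at the application's bind configuration (the `standalone.xml` interfaces above), a security-group verdict at the AWS side.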
I have a WSO2IS 5.0.0 instance running on a VM behind a load balancer. The load balancer listens for HTTPS on port 443, handles all SSL and forwards plain HTTP to the VM on port 80.
I have configured the WSO2IS instance to have only one HTTP connector, on port 80, in catalina-server.xml, and have configured all the URLs I can find in the config to point to the load balancer using HTTPS.
I can visit the carbon webapp via the load balancer on 443 fine. However, when I successfully log in, the webapp returns a redirect to HTTP on port 80, NOT to HTTPS on port 443 as it should. This makes it impossible to use the carbon webapp.
If I change proxyPort in the HTTP connector in catalina-server.xml, it does then return a redirect to port 443, but the URL is plain HTTP, not HTTPS, so it still fails.
How can I tell carbon to send a redirect to HTTPS even though tomcat itself is listening via HTTP?
Thanks in advance!
You can use the proxy port in this scenario.
You can configure tomcat/catalina-server.xml as below with 2 connectors. The http URL will anyway redirect to the https URL. Do you mean the management console as the webapp?
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9763"
           proxyPort="80"
           bindOnInit="false"
           maxHttpHeaderSize="8192"
           acceptorThreadCount="2"
           maxThreads="250"
           minSpareThreads="50"
           disableUploadTimeout="false"
           connectionUploadTimeout="120000"
           maxKeepAliveRequests="200"
           acceptCount="200"
           server="WSO2 Carbon Server"
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
           URIEncoding="UTF-8"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           proxyPort="443"
           bindOnInit="false"
           sslProtocol="TLS"
           maxHttpHeaderSize="8192"
           acceptorThreadCount="2"
           maxThreads="250"
           minSpareThreads="50"
           disableUploadTimeout="false"
           enableLookups="false"
           connectionUploadTimeout="120000"
           maxKeepAliveRequests="200"
           acceptCount="200"
           server="WSO2 Carbon Server"
           clientAuth="false"
           compression="on"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
           URIEncoding="UTF-8"/>
You should have the mapping to your load balancer in your /etc/hosts file as:
is.50.com
In your load balancer you should have the below. E.g., apache2:
<VirtualHost *:443>
  ServerName is.50.com
  ServerAlias is.50.com
  ProxyPreserveHost On
  SSLEngine On
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLCertificateFile /etc/apache2/ssl/apache.crt
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
  # stickysession is a ProxyPass option, not a directive of its own
  ProxyPass / https://<carbonIP>:<port>/ stickysession=JSESSIONID
  ProxyPassReverse / https://<carbonIP>:<port>/
</VirtualHost>
Then your access URL will be as below.
https://is.50.com/carbon
or
http://is.50.com/carbon, which will redirect to https.
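Three of the threads above (the Tomcat HTTPS connector on 8443, the Tomcat behind an ELB with `proxyPort="443"`, and the WSO2 Carbon redirect that came back as `http://host:443/...`) share one root cause: Tomcat builds absolute redirect URLs from the connector's `scheme`, `secure`, `proxyName`, `proxyPort` and `port` attributes, not from whatever the load balancer did with TLS. The script below is an added example, not code from any of the answers or from Tomcat/WSO2: it parses `<Connector>` elements from a `server.xml` fragment, shows the redirect URL each connector would produce, and flags the attribute combinations that cause the symptoms described. The `server.xml` sample, the host name `example.internal` and the keystore placeholder are constructed; the URL rule mirrors Tomcat's `Response.toAbsolute()` (scheme from the connector, port from `proxyPort` when set, port omitted only when it is the scheme's default).

```python
"""Audit Tomcat <Connector> attributes behind a TLS-terminating load balancer.

For each Connector the report contains the absolute URL Tomcat would emit for
a relative redirect and a list of findings (scheme/secure/proxyPort mismatches,
clear-text keystore password).
"""
import xml.etree.ElementTree as ET

DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed server.xml fragment covering the three configurations discussed above.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <!-- HTTP connector behind an LB, proxyPort only: the WSO2 symptom -->
    <Connector port="9763" protocol="HTTP/1.1" proxyPort="443"/>
    <!-- corrected form: scheme/secure tell Tomcat the client used HTTPS -->
    <Connector port="8080" protocol="HTTP/1.1" proxyPort="443"
               scheme="https" secure="true" redirectPort="8443"/>
    <!-- directly exposed TLS connector, as in the first question -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="/path/to/keystore"
               keystorePass="REPLACE_ME_PLACEHOLDER"/>
  </Service>
</Server>
"""


def redirect_url(conn, host="example.internal", path="/carbon/admin/index.jsp"):
    """Absolute URL Tomcat builds for a relative redirect on this connector.

    scheme: the connector's scheme attribute (default http)
    host:   proxyName if set, otherwise the request's Host (constructed here)
    port:   proxyPort if set, otherwise the connector port; omitted when it is
            the default port for the scheme.
    """
    scheme = conn.get("scheme", "http")
    name = conn.get("proxyName", host)
    port = int(conn.get("proxyPort") or conn.get("port"))
    authority = name if port == DEFAULT_PORT.get(scheme) else f"{name}:{port}"
    return f"{scheme}://{authority}{path}"


def audit_connector(conn):
    """Return findings for one Connector element."""
    findings = []
    scheme = conn.get("scheme", "http")
    secure = conn.get("secure", "false").lower() == "true"
    ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
    if conn.get("proxyPort") == "443" and scheme != "https":
        # yields http://host:443/... on every redirect
        findings.append("proxyPort=443 but scheme is not https: redirects become http://host:443/...")
    if scheme == "https" and not secure:
        # request.isSecure() stays false: secure cookies and CONFIDENTIAL
        # security constraints behave as if the client used plain HTTP
        findings.append("scheme=https but secure is not true")
    if ssl_enabled and (scheme != "https" or not secure):
        findings.append("SSLEnabled=true but scheme/secure are not https/true")
    if conn.get("keystorePass"):
        findings.append("keystorePass is stored in clear text in server.xml; restrict file permissions")
    return findings


def audit_server_xml(xml_text):
    """Map connector port -> {'redirect': url, 'findings': [...]}."""
    root = ET.fromstring(xml_text)
    return {
        conn.get("port"): {"redirect": redirect_url(conn), "findings": audit_connector(conn)}
        for conn in root.iter("Connector")
    }


if __name__ == "__main__":
    for port, entry in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, entry["redirect"], entry["findings"] or "ok")
```

Point it at a real `conf/server.xml` (or WSO2's `catalina-server.xml`) by reading the file into `audit_server_xml`. The 9763 connector reproduces the WSO2 thread's `http://host:443` redirect; adding `scheme="https" secure="true"` next to `proxyPort="443"` is what makes the generated URL `https://host/...`. On recent Tomcat versions the same effect can be obtained from the load balancer's `X-Forwarded-Proto` header via `RemoteIpValve`, which is the option to prefer when one connector must serve both HTTP and HTTPS clients.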