I'm trying to set up IAP with an HTTPS load balancer as per the instructions here: https://cloud.google.com/iap/docs/load-balancer-howto
My backend is a GKE cluster that has an ingress on port 80 to access an HTTP web server.
The frontend is HTTPS with a valid certificate.
The traffic is routed without any issues from the LB to the web server through the HTTPS FE, but when I try to enable IAP using the command below:
gcloud beta compute backend-services update k8s-be-30324--34c500f0e91c741a --iap=enabled --global
it returns the following output:
WARNING: IAP only protects requests that go through the Cloud Load Balancer. See the IAP documentation for important security best practices: https://cloud.google.com/iap/
WARNING: IAP has been enabled for a backend service that does not use HTTPS. Data sent from the Load Balancer to your VM will not be encrypted.
ERROR: (gcloud.beta.compute.backend-services.update) There was a problem modifying the resource:
- Invalid value for field 'resource.iap': ''. Backend service with IAP enabled requires at least one HTTPS proxy.
Any advice is appreciated! Thanks
So I figured out that a workaround is to use the same LB that is created with the ingress for the Kubernetes cluster instead of using a custom one. Of course, to avoid leaking unauthorized access, the FE for HTTP must be removed from the LB.
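As an added example that is not part of the original post, here is what that workaround looks like in GKE manifests: IAP is switched on through a BackendConfig attached to the Service, the Ingress carries the TLS certificate, and `kubernetes.io/ingress.allow-http: "false"` makes the GCE ingress controller create only the HTTPS forwarding rule and target proxy, which is both what the "requires at least one HTTPS proxy" error demands and what removes the plain-HTTP frontend that would bypass IAP. The names (web, web-tls, iap-oauth-client, iap-backend-config), the container port 8080 and the OAuth client secret are assumptions.

```yaml
# Added example (not from the original post). Assumed names: web, web-tls,
# iap-oauth-client, iap-backend-config. The OAuth client id/secret are the
# ones from the IAP OAuth client created in the Cloud console, stored as a
# Secret out of band, e.g.
#   kubectl create secret generic iap-oauth-client \
#     --from-literal=client_id=<CLIENT_ID> --from-literal=client_secret=<CLIENT_SECRET>
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: iap-backend-config
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth-client
---
apiVersion: v1
kind: Service
metadata:
  name: web
  annotations:
    # Attach the IAP BackendConfig to every port of this Service, so the
    # backend service the ingress controller creates has IAP enabled.
    cloud.google.com/backend-config: '{"default": "iap-backend-config"}'
spec:
  type: NodePort            # required by the GCE ingress controller
  selector:
    app: web
  ports:
  - name: http
    port: 80
    targetPort: 8080        # the container's plain-HTTP port (assumed)
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Do not create the port-80 forwarding rule. With IAP on, the HTTPS proxy
    # must be the only entry point; an HTTP frontend on the same LB would still
    # accept unauthenticated requests.
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - secretName: web-tls     # certificate + key for the public hostname (assumed)
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
```

After applying this, `gcloud compute backend-services describe` on the generated backend service shows `iap.enabled: true`, and the load balancer has a single HTTPS forwarding rule; the manual `--iap=enabled` update from the question is no longer needed.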
Related
I have an application running on an AWS EC2 instance, port 8501. I cannot change the port for multiple reasons. I set up a reverse proxy with nginx using this YT tutorial to redirect http://[domain].com to port 8501.
That works fine.
I obtained an SSL certificate from AWS Certificate Manager and have since learned that AWS certificates only work with certain AWS services, here, here, and here. However, none of those StackOverflow links--or the AWS instruction pages linked therein--actually described how to connect the https request to the Application Load Balancer to the EC2 instance as set forth by my nginx reverse proxy above.
That is, I've more or less followed this YT tutorial to set up a load balancer and attach the SSL certificate obtained from AWS Certificate Manager, but when I type https://[domain].com, I receive a "site can't be reached" error. http://[domain].com still works.
I've tried both HTTP:80 and HTTPS:443 for the Protocol:Port in my Target Group required by AWS Load Balancer. What more do I need to do?
EDIT: added images with ALB settings, etc.:
(image: load balancer listeners)
(image: target group overview)
(image: nginx config settings)
I have a nodejs API hosted on an EC2 instance (ubuntu server) which is running on PORT 5000.
Using http:// I can access this API over public-api:5000, but I cannot access it over https.
I have opened all ports in the security group and allowed access from anywhere, but it is still not possible.
What do I have to do, in order to access my API via https instead of only http?
For HTTPS to work you need TLS/SSL certificates. Just enabling the port (default is 443 for https) will not work. You can get free TLS certs on AWS using the AWS ACM service. You should have access to the domain and be able to update the domain records for ACM to verify your cert.
You can terminate TLS on Load Balancer or on your application. You have to handle https traffic. Reference here
I have an AWS Cognito User Pool configured to talk to a SAML IDP and that's working fine; the SAML assertion from the IDP to
https://XXXX.auth.eu-west-1.amazoncognito.com/saml2/idpresponse
works fine.
A request is then made to the target group such as
https://xxxxxx:443/oauth2/idpresponse?code=2f6aab53-ad64....&state=.....
which is based on the settings in Cognito's App Client Settings (via the callback URL), and I am getting an internal server error.
HTTP/2.0 500 Internal Server Error
server: awselb/2.0
I have traced the logs and extracted the salient elements:
ELB Status Code: 500
Actions Executed: Authenticate
Lambda Reason Error AuthTokenEpRequestTimeout
I am guessing that the Cognito ALB authenticate process uses Lambda as part of its internal process, maybe to build the X-AMZN-OIDC* headers before forwarding to the target group.
Our application is not using Lambda, and the Cognito Client App has no triggers enabled (i.e., where you can customize the workflow); we have no customization of the workflow process.
So there seems to be some internal error during the authentication process; I can't see where this timeout AuthTokenEpRequestTimeout could be fixed.
Does anyone have ideas why this issue might happen, or pointers to help resolve it?
I just want to clarify a little about the AWS setup:
Load Balancer is internet facing.
We allow internet traffic on port 443 and port 80.
We have no outbound restrictions.
We can see that the SAML assertion is working fine.
In my case the issue related to the outbound rules on the Application Load Balancer. I had to ensure that port 443 was allowed in outbound mode.
Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.
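As an added example that is not from the original posts, the following CloudFormation fragment shows an internet-facing ALB whose listener uses the built-in Cognito authentication action, with the load balancer's security group egress written out explicitly. The egress rule for TCP 443 to the internet is the one the answer above found missing: the authenticate-cognito action makes outbound HTTPS calls from the ALB to the Cognito token endpoint, and when those cannot leave the VPC the ALB logs AuthTokenEpRequestTimeout and returns the 500 shown in the question. All parameter values (VPC, subnets, certificate, user pool, app client, target group) are placeholders supplied at deploy time; the target port and VPC CIDR defaults are assumptions.

```yaml
# Added example (not from the original posts). Parameters are placeholders;
# VpcCidr and TargetPort defaults are assumptions for a typical deployment.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:            { Type: AWS::EC2::VPC::Id }
  PublicSubnets:    { Type: List<AWS::EC2::Subnet::Id> }
  VpcCidr:          { Type: String, Default: 10.0.0.0/16 }  # where the targets live
  TargetPort:       { Type: Number, Default: 443 }          # port the targets listen on
  TargetGroupArn:   { Type: String }                        # existing target group
  CertificateArn:   { Type: String }                        # ACM cert for the public hostname
  UserPoolArn:      { Type: String }
  UserPoolClientId: { Type: String }   # app client must have a client secret
  UserPoolDomain:   { Type: String }   # the "XXXX" prefix of XXXX.auth.<region>.amazoncognito.com

Resources:
  # Security group for the ALB. Listing SecurityGroupEgress replaces the
  # default allow-all egress, so each outbound path the ALB needs is named:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB with Cognito authentication
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }
      SecurityGroupEgress:
        # 1. Cognito token/userinfo endpoints are public HTTPS endpoints.
        #    Without this rule the code exchange after /oauth2/idpresponse
        #    times out (AuthTokenEpRequestTimeout). An internal-scheme ALB
        #    additionally needs a NAT route for this traffic.
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        # 2. Health checks and forwarded requests to the targets in the VPC.
        - IpProtocol: tcp
          FromPort: !Ref TargetPort
          ToPort: !Ref TargetPort
          CidrIp: !Ref VpcCidr

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnets
      SecurityGroups: [ !Ref AlbSecurityGroup ]

  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        # Order 1: unauthenticated browsers are sent to the Cognito hosted UI;
        # after login they return to https://<host>/oauth2/idpresponse and the
        # ALB exchanges the code at the token endpoint (the outbound call above).
        - Order: 1
          Type: authenticate-cognito
          AuthenticateCognitoConfig:
            UserPoolArn: !Ref UserPoolArn
            UserPoolClientId: !Ref UserPoolClientId
            UserPoolDomain: !Ref UserPoolDomain
            Scope: openid
            OnUnauthenticatedRequest: authenticate
            SessionTimeout: 3600
        # Order 2: only authenticated requests reach the targets, carrying the
        # x-amzn-oidc-* headers the ALB adds.
        - Order: 2
          Type: forward
          TargetGroupArn: !Ref TargetGroupArn
```

The app client's callback URL must be `https://<public hostname>/oauth2/idpresponse`, matching the request path in the question; the target group itself is left as an existing resource so the fragment stays focused on the egress rule and the listener action.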
I have set up an API Gateway in GCP and now I'm trying to configure GCP's Load Balancing in front of the gateway. In order to do this, what I've done is:
Set up an internet NEG with port 443 as default and the domain name set to the gateway's URL (provided by API Gateway)
Created a Load Balancer with a backend service associated with the NEG and a global frontend with HTTPS protocol, a static IP address and a managed certificate
Created an A record and in Cloudflare pointed it to the Load Balancer's IP
After setting it up, I try to access the load balancer through the frontend IP address, but I'm getting a 404.
Did I miss any step in the configuration of the service?
Under the hood, API Gateway is hosted on a Cloud Run-like platform. The same characteristics are enforced, including the routing mode.
I wrote an unrelated article on Internet NEG with Cloud Run, but I'm sure that the solution to add a "custom header" in your internet NEG backend can solve your issue.
Have a try and let me know.
I am running a Gatsby site in development mode as a dev server on EC2 with a load balancer pointing from port 80 to 8000. I have set up a CNAME on my domain DNS to point to the load balancer; this works fine. However, I need to display this page as an iframe in sanity.io as a web preview, and it requires https.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straightforward for the most part.
What I have done so far is create a listener for 443 https on the load balancer and add https 443 to the security group. I have successfully issued a certificate to the subdomain I am using with AWS and attached it to the load balancer listener.
Gatsby has an article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass the command below.
Where in the AWS Certificate Manager do I find these files? I think that is the last piece I need to get https working; correct me if I am wrong.
Thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certificate, and it says it's issued:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom https command with gatsby?
There is an export option, but it says only for private keys. Do I need to create a private key, and then I can export these files I need?
Do I even need to run https on Gatsby's side? I watched a video using Apache, and no change was made to the Apache server to get https working with the load balancer.
Here is a screenshot of my load balancer listener
Here is an image of my security groups
If I run --https for gatsby develop it breaks my site; I can no longer visit it via the load balancer or port 8000. So not sure what to do here.
I would suggest not encrypting the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer, it is best practice to terminate the SSL connection on the load balancer. There is no need to encrypt HTTP requests inside an AWS VPC (i.e. between the ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: use the same instance protocol for your targets as before, HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service; use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x
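The TLS-termination setup recommended in the answer above also answers the two earlier questions on this page (the nginx/8501 reverse proxy behind an ALB and the Node API on port 5000): the certificate lives only on the load balancer, the target group stays HTTP on the application port, and the instance never sees the private key, which is why ACM offers nothing to download. The CloudFormation fragment below is an added example, not code from any of the posters; it assumes the Application Load Balancer and its security group already exist (passed in as LoadBalancerArn and AlbSecurityGroupId), that the ACM certificate has been issued for the public hostname, and that the application port is 8000 by default (set InstancePort to 8501 or 5000 for the other two cases).

```yaml
# Added example (not from the original posts). Assumes an existing ALB and
# ALB security group, an issued ACM certificate, and an instance listening
# on InstancePort for plain HTTP. The generated InstanceSecurityGroup must
# be attached to that instance.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:              { Type: AWS::EC2::VPC::Id }
  InstanceId:         { Type: AWS::EC2::Instance::Id }
  InstancePort:       { Type: Number, Default: 8000 }   # 8000 (gatsby), 8501, 5000, ...
  LoadBalancerArn:    { Type: String }
  AlbSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
  CertificateArn:     { Type: String }                  # ACM public cert; not exportable

Resources:
  # Compensating control for the unencrypted hop: the instance accepts the
  # application port only from the ALB's security group, never from 0.0.0.0/0.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App instance, reachable only through the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref InstancePort
          ToPort: !Ref InstancePort
          SourceSecurityGroupId: !Ref AlbSecurityGroupId

  # Target group: Protocol HTTP and Port = application port. Choosing HTTPS
  # here would make the ALB expect TLS on the instance (the "site can't be
  # reached" symptom when the instance only speaks HTTP).
  AppTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTP
      Port: !Ref InstancePort
      HealthCheckProtocol: HTTP
      HealthCheckPath: /
      Matcher: { HttpCode: 200-399 }
      Targets:
        - Id: !Ref InstanceId

  # HTTPS listener: TLS terminates here with the ACM certificate, then the
  # request is forwarded as plain HTTP to the target group.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AppTargetGroup

  # HTTP listener: keep port 80 open only to redirect, so the application
  # is never served over plain HTTP from the internet.
  HttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
```

With this in place the instance keeps running `gatsby develop` (or nginx, or the Node server) on plain HTTP, the `--https --key-file ...` flags from the question are not used at all, and a browser request to https://[domain].com is decrypted at the ALB and reaches the instance on InstancePort.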