I am working with an AWS EC2 instance (Amazon Linux, elastic IP) trying to set up SSL through ACM. The certificate is verified and the load balancer is passing the health checks, listening on port 443 and forwarding to port 80. Initially, when testing https I received a connection refused. This confused me because I thought the load balancer would catch and forward this to port 80. I enabled port 443 via nginx on the EC2 instance, so now it is listening on 443 (tested via telnet), which got rid of the connection refused error, but now I get an ERR_SSL_PROTOCOL_ERROR. This makes sense if it is missing the load balancer and hitting the EC2 instance directly.
Is this the problem (missing the load balancer)? If so, how do I fix this? I don't see a way to assign an IP address to a load balancer. Is a CNAME record required for this kind of setup? If so, how do I configure this?
Thanks.
Your load balancer will be the spot where SSL terminates, and then carries on to your insecure servers running on port 80. You should change your EC2 instance back to port 80.
Yes, you should point a CNAME at your load balancer from the domain the certificate was created for. You do not get an IP for ELBs, as there may actually be many load balancers behind the scenes, which you don't see, all hiding behind the AWS CNAME.
Summary:
Change your EC2 to serve traffic on port 80 again
Make ELB accept connections on port 443, and send to 80 on the instance
Assign a valid domain to your ELB that the certificate is valid for
Profit.
Cheers
I am trying to point CloudFront at my EC2 machine.
Under origin, I am giving the public DNS name of the EC2 instance (e.g. ec2-52-64-xxx-xxx.ap-southeast-2.compute.amazonaws.com).
But I am getting this error:
I have also opened port 443 on my EC2 instance.
How can I solve this error?
Based on the chat discussion.
The application on the instance works over HTTP and port 80. It does not serve HTTPS traffic in itself. So if you want to use the current setup with CF, you need to allow port 80 (not 443) and in CF use HTTP for the origin protocol (not HTTPS). The way this works is that HTTPS and SSL will only be between the client and CF, not between CF and your instance:
client----(HTTPS:443)--->CF----(HTTP:80)---->EC2 instance
As you can see above, there is a security issue. All traffic between CF and your instance will be in plain text over the internet. To rectify this, you need to add HTTPS to your instance. There are two ways to do that:
Add a load balancer in front of your instance, and deploy a custom domain on it with SSL from ACM and an HTTPS listener. So the traffic will be:
client----(HTTPS:443)--->CF----(HTTPS:443)---->ALB---(private HTTP:80)--->EC2 instance
Set up SSL on your instance directly. For this you can't use ACM (except when your instance is an enclave). Instead, you have to use a third-party SSL provider. A common choice is https://letsencrypt.org/. Then you set up your Apache with the SSL certificate to serve HTTPS traffic. Subsequently, you will have:
client----(HTTPS:443)--->CF----(HTTPS:443)---->EC2 instance
I currently have a docker container hosted on EC2 and running a web server. The IP address resolves perfectly when running it with just the IP address, not using https, but when I put in the DNS name it does not work. I currently have the node port mapped to port 80 in the initial dockerfile. Then I mapped port 80 to port 443 in hopes of creating a Load Balancer using a certificate from ACM. This is not a docker issue and I was hoping someone had some insight on how to configure a Load Balancer to use SSL to talk back to my web server that has port 80 exposed. When putting domain.io:443 I get the nginx screen.
configure a Load Balancer to use SSL to talk back to my web server that has port 80 exposed.
For that you need to set up HTTPS in your target group, not HTTP. It also requires a self-signed SSL certificate on the container to serve the HTTPS traffic.
I deployed my application in an AWS EC2 instance and it is working well with the instance's IP address. Instead of using the IP address I bought a domain from GoDaddy and connected it to my EC2 instance with a load balancer and target group. I also generated an SSL certificate for https. Now my domain http://example.com is working fine, but when I changed http to https it only works with a port number, like https://example.com:5005
How can I remove that port number from the URL? Do I need to add anything in the target group or load balancer? Can someone help me resolve this?
thanks in advance!
If you don't provide the port number in the URL, the standard port for the protocol is used, which in your case will be 443 for https.
You need to create a standard HTTPS listener on your load balancer, which can forward the traffic received on 443 to your instance(s) port 5005 as part of the target group.
I have an EC2 instance running a Node.js server on Ubuntu.
My goals are:
Connect my hosted zone to the EC2 instance
Route all incoming traffic from port 80 to port 3000 (because my server runs on port 3000)
and most importantly use an Application Load Balancer to forward all requests to HTTPS (I already created an SSL certificate in the Certificate Manager).
Currently, I am only able to open the website with the EC2 instance's public IP on port 3000 (http://prntscr.com/livali). HTTPS requests or HTTP to port 80 don't work (http://prntscr.com/livau2). Although I made an A record on my hosted zone with the instance's public IP, it's not possible to open the instance via the hosted zone (http://prntscr.com/liv9no).
I am really confused, as I am somehow not able to get this up and running. I would really appreciate a step by step guide on how to set this whole thing up.
If you already have an SSL certificate it is secure to use only port 443 instead of port 80.
Create an internet facing Application Load Balancer that listens on port 443 and routes traffic to your EC2 instance on port 3000.
Redirect users to HTTPS when accessing your domain on HTTP
See Docs > Load Balancer Listeners > Redirect Actions
Add an A record to point your domain name to the Load Balancer's public DNS.
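As an added illustration of the listener and target-group layout recommended in this answer and in the first answer on the page (this is not code from any poster), the following checks a configuration in the shape of `aws elbv2 describe-listeners` / `describe-target-groups` output for the mistakes the questions describe; the ARNs, ports and subnet of the sample data are constructed.

```python
def audit(listeners: list, target_groups: list) -> list:
    """Return findings for the ALB mistakes discussed above; [] means the setup matches the advice."""
    tgs = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for lsn in listeners:
        port, proto = lsn["Port"], lsn["Protocol"]
        # An HTTPS listener is useless without the ACM certificate attached to it.
        if proto == "HTTPS" and not lsn.get("Certificates"):
            findings.append(f"listener {port}: HTTPS listener has no certificate attached")
        for act in lsn.get("DefaultActions", []):
            if act["Type"] == "forward":
                tg = tgs[act["TargetGroupArn"]]
                # Port 80 should redirect to HTTPS, not hand plain HTTP to the app.
                if proto == "HTTP":
                    findings.append(f"listener {port}: forwards plain HTTP instead of redirecting to HTTPS")
                # TLS terminates at the ALB; an HTTPS target group makes the instance terminate TLS
                # a second time, which only works if the instance itself holds a certificate.
                if tg["Protocol"] == "HTTPS":
                    findings.append(f"target group {tg['TargetGroupName']}: HTTPS to the instance, "
                                    f"but the app serves plain HTTP; use HTTP on its port")
            elif act["Type"] == "redirect":
                rc = act["RedirectConfig"]
                if (rc.get("Protocol"), rc.get("Port"), rc.get("StatusCode")) != ("HTTPS", "443", "HTTP_301"):
                    findings.append(f"listener {port}: redirect is not a permanent redirect to HTTPS:443")
    return findings

# Constructed sample: the broken state from the first question (no cert attached,
# port 80 forwarded straight through, target group expecting HTTPS on 443).
BROKEN_LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS", "Certificates": [],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg/app"}]},
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg/app"}]},
]
BROKEN_TGS = [{"TargetGroupArn": "arn:tg/app", "TargetGroupName": "app", "Protocol": "HTTPS", "Port": 443}]

# Constructed sample: the setup the answers recommend (certificate ARN is a placeholder).
FIXED_LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg/app"}]},
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig":
                         {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]
FIXED_TGS = [{"TargetGroupArn": "arn:tg/app", "TargetGroupName": "app", "Protocol": "HTTP", "Port": 3000}]

if __name__ == "__main__":
    for line in audit(BROKEN_LISTENERS, BROKEN_TGS):
        print("FINDING:", line)
    print("fixed config findings:", audit(FIXED_LISTENERS, FIXED_TGS))
```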
These are web server concerns rather than DNS concerns. You'll need to set up something like NGINX or Apache to proxy port 80 to port 3000. See Apache redirect to another port for information.
You can also force HTTPS with a rewrite rule in Apache: https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
Another option for forcing HTTPS is to create a CloudFront distribution and use that. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html
I'm new to SSL so sorry if this is obvious.
I have an EC2 instance running a Flask Python application. This application listens on port 443. I am trying to add SSL to it by going through Route 53 and ACM. I've created a certificate, but it doesn't allow me to assign it to my EC2 instance, so I've added an elastic load balancer in front, and assigned the SSL certificate to that. The balancer listens on HTTPS port 443 and forwards everything to a target group. The target group listens on port 443, which then forwards it to my Flask application. The problem is that my application receives an encrypted response, and I don't know how I'm supposed to decrypt it. I know how to retrieve the certificate, but I think I still need a key file to actually decrypt it as well.
The target group forwards the requests from the Load Balancer to the EC2 instances behind it. Your Flask app should listen on port 80 and serve unencrypted traffic.
So, the target group should point to port 80 (where your webserver should listen).
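Once TLS terminates at the load balancer as this answer describes, the app only learns the client's original scheme from the X-Forwarded-Proto header the ALB adds, and it should honour that header only for requests that actually came through the ALB. This added example (not code from any poster, and Flask-free so it runs stand-alone) is a WSGI middleware that does exactly that; the trusted ALB subnets and the peer addresses are constructed.

```python
import ipaddress

class ForwardedProtoMiddleware:
    """Restore wsgi.url_scheme from X-Forwarded-Proto, but only for peers inside the ALB subnets."""
    def __init__(self, app, trusted_proxy_cidrs):
        self.app = app
        self.trusted = [ipaddress.ip_network(c) for c in trusted_proxy_cidrs]

    def _from_trusted_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
        if self._from_trusted_proxy(environ) and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto  # the scheme the client used at the ALB
        return self.app(environ, start_response)

def application(environ, start_response):
    """Plain-HTTP app on port 80 behind the ALB; the restored scheme decides the Secure cookie flag."""
    cookie = "session=CONSTRUCTED; HttpOnly; SameSite=Lax"
    if environ["wsgi.url_scheme"] == "https":
        cookie += "; Secure"
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", cookie)])
    return [f"scheme seen by app: {environ['wsgi.url_scheme']}\n".encode()]

# Constructed: the ALB nodes live in these VPC subnets, so only they are trusted to set the header.
ALB_SUBNETS = ("10.0.1.0/24", "10.0.2.0/24")
wrapped = ForwardedProtoMiddleware(application, ALB_SUBNETS)

def effective_scheme(remote_addr, forwarded_proto=None):
    """(scheme the app sees, whether the cookie was marked Secure) for a given peer and header."""
    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http", "PATH_INFO": "/"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    headers = {}
    wrapped(environ, lambda status, hdrs: headers.update(hdrs))
    return environ["wsgi.url_scheme"], "Secure" in headers.get("Set-Cookie", "")

if __name__ == "__main__":
    print(effective_scheme("10.0.1.17", "https"))   # via the ALB: header honoured
    print(effective_scheme("203.0.113.9", "https")) # direct hit on the instance: header ignored
```

Pair this with a security group on the instance that only admits the load balancer, so the direct-hit case cannot occur at all.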