Ok, so I have a working Flask application on elastic beanstalk, and I need to have HTTPS running on it. I have it connected to a VPC which has an Elastic IP so my DNS can route to it.
I have successfully uploaded my HTTPS cert to IAM and added it to the load balancer for my app using the config section in the elastic beanstalk panel, but the problem is I have no idea how to apply it to the VPC.
Here's my current setup so you can understand why I'm having difficulties
domain on namecheap
|
|
Name server records are pointing to digital ocean
|
|
DNS A records on digital ocean ---> Various subdomains hosted on digital ocean
|
|
Subdomain pointing to elastic IP on VPC (want to add HTTPS here)
|
|
elastic IP pointing to elastic beanstalk env
|
|
load balancer which has cert (connecting directly here gives the cert)
|
| (this connection is HTTP)
|
app
I don't really need end to end encryption, and I have a feeling that the cert should somehow be attached to the VPC and not to the load balancer. I have no idea how to do that though.
Things I've tried
Connecting directly to the given auto generated domain for the env works but the cert is for my subdomain so I get a security error
On the security groups section in VPC I have checked that port 443 is open for inbound and out bound traffic for the load balancer and the VPC security group
The problem is the domain name is pointing to an Elastic IP. This is not the correct way to use Elastic Beanstalk and won't work with the load balancer at all. The DNS record should be a CNAME pointing to the Elastic Load Balancer domain name. If you need it to be the root domain like "example.com" instead of a subdomain like "www.example.dom" then you will have to transfer the DNS from Digital Ocean to AWS Route53
Related
I have a Classic load balancer configured on my AWS webservices at xxx-xxx.amazonaws.com
and have also added route 53 to configure. But it seems there is no traffic moving from my domain to load balancer DNS. Need Help.
On my EC2 Server, I have added a MERN Stack application and used nginx to route the traffic from :80 to :8080. Next, a Elastic IP address is added to ec2 server.
A certificate is created using AWS's ACM and attached to the classic load balancer.
The domain records are handled by AWS's route 53. Domain name is aamchymumbai.com.
Thank you!
I did get a fix using CLoudfare.
Another follow up question, I have now. How to can I redirect domain.com to ec2-server.com:8080 and sub-domain.com to ec2-server.com:5000 using nginx + cloudfare?
Your Elastic Beanstalk environment's Domain name says:
To route users to your environment, Elastic Beanstalk registers a
CNAME record that points to your environment's load balancer. You can
see URL of your environment's application with the current value of
the CNAME in the environment overview page of the Elastic Beanstalk
console.
My simple questions are:
where is this CNAME record located in AWS?
is it possible to make this subdomain SSL (redirect http to https)?
Why would I want to do this?
My application works fine, but Elastic Beanstalk says my health is "Severe" (red exclamation) when the only thing wrong is that I intentionally made my real domain (the non-Elastic Beanstalk subdomain) I have in Route 53 redirect to https (443) by modifying the load balancer. Now this Elastic Beanstalk subdomain also routes to https when it's not setup, which is what causes the health error.
where is this CNAME record located in AWS?
It is AWS-owned domain, so AWS holds it in its systems.
is it possible to make this subdomain SSL (redirect http to https)?
No, its not, because it belongs to AWS, not you. For proper HTTPS, you need your own domain that you can control. If you have such a domain, you can free SSL certificate for it from AWS ACM.
I've reviewed the Lightsail load balancer and unlike ACM, you cannot add wildcard SSL's.
For example on ACM, this can done:
example.com
*.example
And then attached to an EC2 Loadbalancer.
But for Lightsail, the wild card is not accepted. When we issue only on the apex domain to the load balancer:
example.com
When we resolve demo.example.com, we get a cert invalid error.
As we don't know ahead of time the sub-domains in use, and the limit of 9 is too few, is there a workaround?
I came up with a solution but I can't say for sure it is the only one.
TL;DR - Use an EC2 Load Balancer and add it's target as your LighSail instance. To this load balancer attach a standard ACM certificate. Don't use the LightSail load balancer at all.
Outline Steps
Launch a load balancer in EC2 and attach your LightSail instance as a target (Remember to use the private IP of your LightSail instance and check your security settings, zone and region prior to set up)
Open ACM and provision your certificate. To protect your entire domain, you will require two entries on this cert i.e. example.com and *.example.com
Validate the certificate (DNS etc) and attach it to the load balancer in EC2.
I have an Amazon AWS account on with i would like to host my full-stack website, and i also have a domain name, let's assume it is example.com.
I wold like to have a structure like this
MyVPC
|-MySubnetPUBLIC
| |-ec2 instance with frontend
| |-elastic beanstalk with backend
|
|-mySubnetPRIVATE
|-Database
So i have configured my vpc, a router table for mySubnetPUBLIC and an internet gateway and security groups that allow traffic for frontend on port A and for backend on port B. I would like to set route 53 to redirect traffic for example.com to the subnet and let security groups manage the redirection for the different services based on the request port.
I am new to aws, is this something that can be done? How?
If you are using a HTTP/HTTPS protocols to connect to your frontend then you can make it accessible by following one of the below 2 options:
1. Elastic IP
- Associate the Elastic IP to the EC2 instance
- Using Route53 create a A Record with Elastic IP as value
2. Load Balancer
- Create a Load balancer and associate the EC2 instance to it
- Using Route53 create a CNAME Record with DNS name of the ELB as value
In either cases, make sure that HTTP and HTTPS traffic is allowed in Inbound and Outbound both at the security groups.
I have a webserver running on a AWS EC2 instance (has an elastic IP) that can be accessed over my own domain (www.xy.ch) via http. Now, I need to access the webserver via https and so I created a certificate for my domain (www.xy.ch), uploaded it to AWS Certificate Manager and added the certificate to a Load Balancer connected with my EC2 instance.
This seems to work so far. When I target the DNS name of my Load Balancer (xyz.eu-central-1.elb.amazonaws.com) with a https in front, I can access my webserver. But the certificate is flagged invalid, because its common subject name (my domain name: www.xy.ch) does not match the input (DNS name of Load Balancer: xyz.eu-central-1.elb.amazonaws.com).
But now, I have no idea how to proceed so that I can access my webserver with https over my own domain (www.xy.ch). It does not work at the moment, so I obviously miss a configuration step, but I really don't understand what.
How can I connect my own domain with the Load Balancer's DNS?
I did some research and tried to understand the answers of similar cases (e.g. Assigning Static IP Address to AWS Load Balancer), but could not find a solution for my case.
The solution was indeed to delete all DNS entries pointing to the IP of the webserver and redirecting everything DNS wise over the Load Balancer. Credits to Mark B!