AWS: Send certificate info from ELB to EC2 - amazon-web-services

When Sticky Sessions are enabled on an AWS ELB it seems that the ELB will terminate SSL (AWS forum discussing this). I need information from the user's certificate to verify some things, so I need the ELB to forward this information to the EC2 instances.
How can I get the ELB to give me the user's certificate information? Is there a way to create custom headers? All I was able to find were these three headers: Amazon docs on x-forwarded-headers.
As discussed in the first link I posted, another option is persistent sessions. Is this my only option?

ELB won't give you information regarding the certificate. And you cannot customize/add forwarded headers.
If you need the client certificate, you'll need to use TCP forwarding rather than HTTP/HTTPS.
This way, the ELB will simply forward the connection as-is on to the EC2 instance. It won't terminate the SSL connection, and you won't get sticky sessions.
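A worked example of the TCP-passthrough setup this answer describes, added here and not part of the original answer: a CloudFormation fragment for a Classic Load Balancer whose 443 listener is TCP on both sides, so the TLS handshake (and client certificate verification) happens on the instance. Parameter names are assumptions; the Proxy Protocol policy is what preserves the client IP that X-Forwarded-For would otherwise have carried.

```yaml
# Added example (not from the answer above). Parameter names are placeholders.
Parameters:
  SubnetIds: { Type: List<AWS::EC2::Subnet::Id> }
  InstanceId: { Type: AWS::EC2::Instance::Id }
  ElbSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
Resources:
  TcpPassthroughElb:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets: !Ref SubnetIds
      SecurityGroups: [!Ref ElbSecurityGroupId]
      Instances: [!Ref InstanceId]
      Listeners:
        # TCP on both sides: the ELB never terminates TLS, so there are no
        # sticky sessions and no X-Forwarded-* headers. The instance's own
        # TLS server requests and verifies the client certificate.
        - LoadBalancerPort: '443'
          Protocol: TCP
          InstancePort: '443'
          InstanceProtocol: TCP
      # Proxy Protocol v1 prepends the original client IP/port to the TCP
      # stream; the instance's TLS server (nginx, HAProxy, ...) must be
      # configured to expect it, otherwise the handshake breaks.
      Policies:
        - PolicyName: EnableProxyProtocol
          PolicyType: ProxyProtocolPolicyType
          Attributes:
            - Name: ProxyProtocol
              Value: 'true'
          InstancePorts: ['443']
      # TCP-level health check: an HTTPS check would fail against a backend
      # that requires a client certificate, since the ELB presents none.
      HealthCheck:
        Target: TCP:443
        Interval: '30'
        Timeout: '5'
        HealthyThreshold: '2'
        UnhealthyThreshold: '3'
```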

Related

Configuring SSL for an AWS autoscaling group

My app is divided into a web app and an API server. Both are hosted on separate AWS instances. The API server is enabled for autoscaling.
This question is with regard to my API server. What's the way to configure a free SSL certificate with auto-renewals (e.g. the one from Let's Encrypt) over its autoscaling group?
Configuring it on one machine is trivial, however I can't wrap my head around doing it for an entire autoscaling group. I haven't been able to find docs that refer to this scenario either. Can you point out everything step by step?
Thanks in advance
You can put your ASG in an ALB & add port 443 (HTTPS) as the listener for it. Refer to this doc.
You can get free SSL from AWS itself in ACM. Issue it for your domain name & assign it to the ALB.
Also, ACM keeps renewing automatically after expiration for free & without any input from the user.

If my server makes a POST request to a URL, what information does that server receive?

If I have a domain, www.mydomain.com, and it's running on AWS Elastic Beanstalk using Elastic Load Balancer, which points it to multiple EC2 servers, and I request information from a 3rd-party server.
What information will they see?
Will they see that it came from www.mydomain.com or will they just see the EC2 ip address? Would they be able to see any information on the Elastic Load Balancer?
I'm guessing no, since the domain points to the ELB which then delegates the request to an EC2. So I'm assuming the EC2 doesn't send any information relating to the domain or ELB. But I am unsure. Could anybody provide some more info on this possibly?
Edit: Would a VPC affect anything here?
AWS documentation talks about request headers which are automatically added by the load balancer.
Though they did not mention anything about response headers, but whatever I got from.
There should be no need to worry about the ELB leaking the origin information.
However, the webserver and AP server on EC2 may put their own information back into cookies, custom headers, and so on.
Use browser developer tools, or you can use the curl command to check HTTP headers.
The request will come from the ELB, and if you check the details of the request, like where the information came from, it will show the domain name, that is www.mydomain.com, and it will show the ELB's remote address. The EC2 is never exposed as it is behind the load balancer.

AWS, steps for enabling HTTPS on a Windows EC2 instance?

I'm very new to AWS, so if any of the info I give you is not correct, I would appreciate a correction.
I have a single EC2 instance, running Windows, and using Internet Information Services (IIS). That instance has an elastic IP address set, so anytime I want to access my web, I do it through "http://xx.xxx.xxx.xxx/myWeb/controller/view".
I have a mobile app that opens a webview through an address like the one before, to register a credit card, and the API I'm using for that is requesting to make the connection secure. Doing research, I found out about AWS Certificate Manager. It's my understanding that you can only deploy a certificate generated from the certificate manager to an ELB or CloudFront, but I don't have any of those.
All the documentation I read is fairly advanced for my understanding at this point or is focused on Linux servers, so I would like to know, how would you guys solve this? Should I put an ELB in front of my EC2 to be able to use Certificate Manager? Or is there a better way to enable an HTTPS connection?
I also read about having to enable port 443 (HTTPS), is this an extra step I have to take, besides getting the SSL certificate?
Sorry if I'm all over the place. Any help would be greatly appreciated :)
There are 2 options, host the SSL within the Instance, or use ELB/ALB to terminate SSL (and change port) and forward the connection to the Instance. In either case you would need a domain name registered (the trust relationship is against the domain name, not the IP address).
If you choose the AWS route:
(Optional) Register the domain in Route 53, or transfer it in
Register the certificate in ACM, or upload your own
Create an ELB / ALB. Set it to use the custom domain and enable SSL.
Create a 'listener' on the ELB / ALB listening on port 443 (IIRC the SSL is actually attached to this listener). Set the listener to forward all incoming connections to the Instance on a port of your choosing (e.g. 80 now that it is HTTP).
If you are using websockets you would need to use an ALB (not ELB)
Beware there is a monetary cost for using ELB / ALB.

Need a valid certificate for AWS Windows EC2 instance. Does Amazon Certificate manager provide certificates for EC2?

I am running a Qualys scan on a Windows EC2 instance and it reports some vulnerabilities. One of them is "SSL Certificate - Subject Common Name Does Not Match Server FQDN".
Solution for this, as recommended by Qualys, is to "Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN."
Now the problem is the self-signed certificates which are not verified by a third party.
How do I get a valid certificate for this scenario such that Qualys does not report the error?
I looked into ACM, but I guess it does not provide certificates for EC2.
Can anyone provide an insight on how to go about this?
Where do I get a valid certificate, and how do I add it to the instance?
I am using a CloudFormation template to create the instance using a custom AMI created using Packer. I mention this because it would be helpful to know if the steps to add the certificate need to be added to the AMI creation stage.
Unfortunately, you cannot use a certificate issued by AWS Certificate Manager directly on EC2.
You can use it on Load Balancer, CloudFront and API Gateway. Refer to this.
But a workaround is that if you have a single EC2, put it behind a Classic LB and terminate SSL at the LB, so that when you try to access your content on EC2 it is via HTTPS.
Thanks
The easiest way to pass a scan like this is to restrict access to your instance so you're only exposing public services (like HTTP or HTTPS), and then "harden" the configuration of each required public service. All non-public services/ports should be limited to just your IP address(es). That will probably fix a number of the issues reported by the scan.
RDP and numerous other services (MSSQL, MSDeploy, POSH Remoting to name a few) are for administrators only and should not be visible to a Qualys scan (or hackers and bots that roam the internet...).
As Kush suggests above, adding a load balancer would allow you to use ACM certificates for web traffic, but it also adds an additional layer of security between the internet and your instance. This means you can further limit access to your instance to just your VPC, as public web traffic would go via the load balancer in your VPC, not directly to your instance anymore.
If you're hosting a website over HTTPS without a load balancer, you will also need to edit the SChannel settings (the component responsible for SSL/TLS in Windows) to pass the scan, as well as installing a valid certificate for the website.
You can edit SChannel by hand in the registry here:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
(Reboot required - take a snapshot before you start ;)
WARNING - misconfiguring SChannel can break RDP or limit which web browsers can access your site etc. Test carefully!
FYI I find it easier to use a tool called IIS Crypto to configure SChannel (https://www.nartac.com/Products/IISCrypto) - it has a GUI and a CLI interface for scripting changes to SChannel. (You can still break your server with this tool though!)
If you want to look at using ACM and a load balancer with CloudFormation, I would suggest registering & approving the certificate via the AWS console and making a note of the ARN of the certificate. This ARN can be used when creating a load balancer in a CloudFormation template.
NOTE: The above will resolve the issue on your scan, but not actually fix it. It is possible to use your own certificate for RDP (never tried), but not an ACM cert sadly. You could also look at a service like LetsEncrypt to get a free/basic certificate. Another option to avoid this error is to export the self-signed cert from the instance and import it into your computer's (or domain's?) certificate store.

How do I know if I am using AWS Certificate Manager correctly?

What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, CloudFront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances, you will need a Load Balancer in front of it. Once you have a load balancer, SSL termination happens on the load balancer & not on the EC2 instance.
Once it is set up, you can change your Apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"