I've just deployed my IdentityServer3 solution out to an AWS instance. I had IdentityServer3 configured to RequireSSL. The problem seems to be that it's relatively common to have SSL running up to the AWS load balancer, then run non-SSL between the LB and IIS. So, I set RequireSSL to false and tried again. Now the problem seems to be that when IdentityServer tries to redirect to the sign-in page, it does so without https. When this redirect exits and re-enters through the LB, it fails because it must be https coming into the LB. So, it seems that IdentityServer is constructing the redirect to the sign-in page with consideration of the RequireSSL flag. Is there any way around this? I'm working with my ops guy to just run SSL all the way to IIS, but I'm getting some pushback (of course).
As the docs state here:
https://identityserver.github.io/Documentation/docsv2/advanced/deployment.html
If you want to terminate SSL on the load balancer, there are two relevant settings on the options:
RequireSsl: Set this to false to allow non-SSL connections between the load balancer and IdentityServer.
PublicOrigin: Since your internal farm nodes have different names than the publicly reachable address, IdentityServer can't use it for link generation. Set this property to the public name.
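The situation in the question and the two settings in this answer, as an added Python model (it is not IdentityServer code; the request dict, the proxy addresses, the hostnames and the login path are constructed for illustration): a node behind a TLS-terminating load balancer sees a plain-HTTP hop, and whatever it uses to build the absolute redirect decides whether the browser is sent to an http:// or an https:// URL.

```python
from urllib.parse import urlsplit

# Constructed for this example: the addresses the load balancer connects from.
TRUSTED_PROXIES = frozenset({"10.0.1.10", "10.0.2.10"})


def public_base_url(request, public_origin=None, trusted_proxies=TRUSTED_PROXIES):
    """Pick the origin for absolute URLs the node generates (redirects, links).

    `request` describes what the node itself saw: 'scheme', 'host', 'remote_addr'
    and lower-cased 'headers'. Behind a TLS-terminating load balancer the scheme
    is 'http' even though the browser used https.
    """
    if public_origin:
        # Explicit configuration wins (the PublicOrigin idea from the answer):
        # nothing in the request decides the scheme or host.
        parts = urlsplit(public_origin)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("public origin must be an https origin, e.g. https://idp.example.com")
        return f"https://{parts.netloc}"

    scheme = request["scheme"]
    if request["remote_addr"] in trusted_proxies:
        # Honour X-Forwarded-Proto only when the immediate peer is the load
        # balancer itself; any other peer could set the header to anything.
        forwarded = request["headers"].get("x-forwarded-proto", "")
        if forwarded:
            scheme = forwarded.split(",")[0].strip().lower()
    # Assumed here: the load balancer passes the client's Host header through
    # unchanged, so the node's Host is already the public name. PublicOrigin is
    # the setting for farms where that is not the case.
    return f"{scheme}://{request['host']}"


def handle_request(request, require_ssl=True, public_origin=None, login_path="/identity/login"):
    """Model the sign-in redirect: ('deny', reason) or ('redirect', absolute_url)."""
    if require_ssl and request["scheme"] != "https":
        # RequireSsl looks at the hop the node actually received, so a plain
        # HTTP hop from the load balancer is rejected outright.
        return ("deny", "request did not arrive over TLS and RequireSsl is on")
    return ("redirect", public_base_url(request, public_origin) + login_path)


if __name__ == "__main__":
    # What an internal node sees when the ALB terminated TLS (constructed values).
    seen_by_node = {"scheme": "http", "host": "idp.example.com", "remote_addr": "10.0.1.10",
                    "headers": {"x-forwarded-proto": "https"}}
    print(handle_request(seen_by_node, require_ssl=True))                     # denied
    print(handle_request(dict(seen_by_node, headers={}), require_ssl=False))   # http:// redirect, the bug in the question
    print(handle_request(seen_by_node, require_ssl=False))                     # https:// via X-Forwarded-Proto
    print(handle_request(seen_by_node, require_ssl=False, public_origin="https://idp.example.com"))
```

The trusted-proxy check is the part worth keeping in mind: if the node honours X-Forwarded-Proto from any peer, a caller that can reach the node directly can make it emit whatever scheme it likes in generated links.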
I have a site hosted with AWS, but the domain is not ready yet. I want to work on it and begin testing.
The site runs through a load balancer.
When I go to Load Balancers in EC2 I can see the DNS name. If I type this into my browser I get a warning that it is unsafe, and when I choose to load it anyway I get the error DNS_PROBE_FINISHED_NXDOMAIN.
I used the "dig A " command in the terminal to get the IP address. I added this IP address to my hosts file, and I get the same error when trying to access it that way.
I get a warning that it is unsafe
It is unsafe because the default ALB URL does not use HTTPS. It only works with HTTP, which is marked as insecure by all major browsers.
To fix that you need to have your own domain and set up a valid, public SSL certificate using AWS ACM for that domain.
I am attempting to set up MWAA in AWS, and the UI web server needs to be inside a private subnet. Based on the documentation, the way to set up access to the web server's VPC endpoints requires using a VPN, bastion, or load balancer, and I would ideally like to use the load balancer to grant users access.
I am able to see the VPC endpoint created and it is associated to an IP in each subnet (two subnets total) that were chosen during the initial environment setup.
Target groups were set up to these IP addresses with HTTPS:443.
An internal ALB was created with the target groups above.
The UI is presented in the MWAA console as a pop-out link. When accessing that, I am sent to a page that says "The site can't be reached", and the URL has a syntax similar to
https://####-vpce.c71.us-east-1.airflow.amazonaws.com/aws_mwaa/aws-console-sso?login=true<MWAA_WEB_TOKEN>
If I replace the beginning of the URL with the one below, I am able to get to the proper MWAA web page. There are some HTTPS certificate issues, which I can figure out later, but this seems to be the proper landing page I need to reach.
https://<INTERNAL_ALB_A_RECORD>/aws_mwaa/aws-console-sso?login=true<MWAA_WEB_TOKEN>
If I access just the internal ALB A record in my browser
https://<INTERNAL_ALB_A_RECORD>
I get redirected to a login page for MWAA; when I click the login button, I get redirected to the URL below, which shows the "This site can't be reached" page.
https://####-vpce.c71.us-east-1.airflow.amazonaws.com/aws_mwaa/aws-console-sso?login=true<MWAA_WEB_TOKEN>
I am not sure exactly where the issue is, but it seems that I am not being redirected to where I need to go.
Should I try an NLB pointing to the ALB as a target group? Additionally, when accessing an internal ALB, I read that you need access to the VPC. What does this mean exactly?
Still unsure of what the root cause is for the redirection not taking place.
Our networking does not need an ALB or NLB in this scenario, since we have a Direct Connect setup established which allows us to resolve VPC endpoints if we are on our corporate VPN. I still do end up at a page with an error message regarding "This site can't be reached", and to get to the proper landing page I just have to hit Enter again in my browser's URL bar.
If anyone else comes across this, make sure that you have the login token appended to the end of your URL entry before hitting Enter again.
I have a case open with AWS on this, so I will update if they are able to figure out the root cause.
Problem Summary:
Hi, I have one wildcard SSL certificate which is installed in IIS on an AWS EC2 instance.
This is working fine.
Now I need to create another EC2 instance and use the same SSL certificate in the new instance's IIS.
Current Stage:
I created a new instance and installed IIS, and it is working fine. I have HTTP and HTTPS inbound access, so currently I can access the default IIS page from outside with the instance's public address.
Now I installed the same SSL certificate in IIS. I configured SSL in my new website and that's done. But this is not working. When I try with HTTPS I get a 404.
Please help me to identify the issues.
Is there any restriction on using a wildcard certificate in multiple instances' IIS in the same account?
Is there any correct method to do this? I don't want a load balancer now.
Update:
I tried to configure this on my local machine.
Step 1: I created a sample Web API and ran it on port 8090 with HTTP. It shows as below, as expected.
Step 2: I added HTTPS bindings with my SSL certificate but did not give any host name.
Step 3: Now I added a sample host name (ssltest.mydomain).
I didn't get any idea on this. Please help.
Is there any restriction on using a wildcard certificate in multiple instances' IIS in the same account?
There are no restrictions on how often a certificate can be used.
Is there any correct method to do this?
There is nothing special about it, i.e. there is no difference between installing two different certificates on two hosts or the same certificate on two hosts. You likely did something wrong, but it is unclear what exactly.
Note that an HTTP response code 404 actually means that the certificate itself is working, since otherwise you would get a certificate error, which comes before the HTTP response. So there is likely some misconfiguration which is not related to the certificate.
I have an EC2 instance which hosts a web site running in IIS. I have also set up an AWS Application Load Balancer with an HTTPS listener into which I have added my web site's SSL certificate (held in AWS Certificate Manager). The HTTPS listener redirects traffic to my target group which in turn points to my EC2 instance. The EC2 instance uses a security group to only allow traffic from the Load Balancer.
Firstly, am I correct in thinking that the Application Load Balancer decrypts the SSL traffic and, as a result, this is forwarded to my target group using HTTP (in other words, my EC2 instance's security group only needs to accept HTTP traffic from the Load Balancer and I can remove my SSL certificate from IIS)?
Secondly, the main problem that I am experiencing at the moment is that the site has relative paths to some of the resources (CSS, JavaScript, etc). As a result I am getting mixed content errors in my Firefox console when I browse the site. I set up an HTTP listener in my Load Balancer to redirect traffic to HTTPS, but this doesn't seem to be working for relative paths.
I don't particularly want to edit the site to change relative paths to fully qualified HTTPS URLs as it is a very complex content management system. Also, before using the Load Balancer the site was serving content perfectly (the DNS entry pointed to my EC2 instance's public IP address and there was a rewrite rule in IIS to handle non HTTPS traffic).
Any advice would be greatly appreciated.
For your first query, I think yes. You can remove your SSL certificate from IIS and configure the EC2 instance's security group to accept HTTP traffic from the Load Balancer.
For your concern on relative path's problem, please go through this link: After introducing ALB, Mixed Content Error happened
I think it will be helpful.
Open your browser, click on the Network tab and check these calls: they are going somewhere else using HTTP. These are outgoing calls from your application, and a redirect will not fix this issue. See the screenshot.
It seems like the same error in your case: you are serving images from some other site, not from the EC2 instance. This means those requests which the EC2 server is supposed to answer will work fine, but those where your code tries to pull a JS file or other resources are outgoing calls, and this has nothing to do with the LB redirect rule.
Better to update your application and all the URLs to HTTPS.
When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle attacks. An HTTPS page that includes content fetched using cleartext HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers. That leaves the pages unsafe.
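To find out which resource URLs actually trigger the mixed-content warnings, here is an added Python scanner (it is not part of the original thread, and the sample HTML and hostnames are constructed): it resolves every sub-resource URL against the page URL the way a browser does, so relative and protocol-relative paths come out as https and only absolute http:// references are reported.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
}


class _ResourceCollector(HTMLParser):
    """Collect (tag, raw_url) for every sub-resource reference in the document."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                self.found.append((tag, value))


def find_mixed_content(page_url, html):
    """Return (tag, raw_url, resolved_url) for each sub-resource whose *resolved*
    URL is http while the page itself is https.

    Relative paths ("/Content/site.css") and protocol-relative URLs
    ("//static.example.com/app.js") inherit the page's scheme, which is why
    they never show up here; only absolute http:// references do.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    mixed = []
    for tag, raw in collector.found:
        resolved = urljoin(page_url, raw)
        if page_scheme == "https" and urlsplit(resolved).scheme == "http":
            mixed.append((tag, raw, resolved))
    return mixed


# Constructed sample page: two relative references, one protocol-relative, two absolute http.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/Content/site.css">
<script src="//static.example.com/app.js"></script>
<script src="http://cdn.example.com/vendor.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://www.example.com/IMAGES/Banner.png">
</body></html>"""

if __name__ == "__main__":
    for tag, raw, resolved in find_mixed_content("https://www.example.com/Home/Index", SAMPLE_HTML):
        print(f"{tag}: {raw} -> {resolved}")
```

Run against the real page source (fetched over https), the output is the list of URLs the rewrite or the application is emitting with an explicit http scheme; an empty list means the warnings come from resources loaded by scripts at run time rather than from the markup.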
Thanks for the replies. I managed to get to the bottom of the second issue. The site's web.config had a rewrite rule which was forcing URLs to lowercase (something to do with SEO). This was causing the problems when serving the CSS and JS files. I've made the necessary updates to this rule and it now appears to work (see IIS URL rewrite module url's to lowercase).
For the first issue, the SSL certificates do not need to be installed on the IIS web server - they are only required in AWS Certificate Manager and then to be assigned to the Load Balancer which in turn has 2 listeners - one to direct HTTPS traffic to my Target Group and one to redirect HTTP traffic to HTTPS.
My IIS site now only has HTTP bindings and only accepts HTTP traffic from the Load Balancer.
All seems to work!
What is my indication that I am using AWS Certificate Manager correctly and that any remaining problems getting my site to load at https are due to a mistake I am making in my Apache configuration?
In AWS Certificate Manager, I see "Success! Your certificate was issued successfully." Does that mean there are no further steps for me to complete in the AWS console, and I need only get my Apache configuration correct to finish?
Currently, when I try to visit a URL at my site with the http protocol, it loads fine, but when I visit at https, the browser tries to load the page but it never loads.
I have followed the instructions for creating an HTTPS listener, but still do not know if I am done with all necessary steps in AWS console. How would I know?
Edit: To clarify, I am using an Elastic Load Balancer (ELB), since the documentation indicated I need to use ELB with AWS Certificate Manager (ACM). However, I do not know how to determine if I have configured everything correctly in AWS console that I need to in order to access the site at HTTPS.
Edit 2: This might come close to answering my question, possibly, but I don't know how to do this: "You can use curl, telnet etc from your local machine to verify 443 port status on ELB" -- #vivekyad4v.
ACM (AWS Certificate Manager) supports AWS resources like ELB, CloudFront, API Gateway etc. You can add SSL certificates to these resources via the AWS console.
Currently, it doesn't support EC2. You cannot use ACM with EC2 instances; you will need a load balancer in front of them. Once you have a load balancer, SSL termination happens on the load balancer and not on the EC2 instance.
Once it is set up, you can change your Apache server config to redirect all HTTP requests to HTTPS.
Add certificate to ELB - "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html"
Update Apache config - "https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb/"
No EC2 support - "https://aws.amazon.com/certificate-manager/faqs/"
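An added Python probe (it is not from any of the posts; the default host is a placeholder and the `opener` parameter exists only so the logic can be exercised without a network) for the two checks the answers describe: confirming that port 443 on the load balancer completes a TLS handshake, and separating a certificate failure from an HTTP status such as the 404 in the IIS thread above, which the web server only returns after the handshake has already succeeded.

```python
import socket
import ssl
import sys


def open_tls(host, port, timeout=5.0):
    """TCP connect, then a verified TLS handshake with SNI set to `host`."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def probe_https(host, port=443, path="/", opener=open_tls):
    """Report which stage failed: 'tcp' (nothing reachable on the port),
    'tls' (handshake or certificate problem) or 'http' (TLS worked and the
    status is the web server's own answer)."""
    try:
        conn = opener(host, port)
    except ssl.SSLCertVerificationError as exc:
        return {"stage": "tls", "tls_ok": False, "detail": f"certificate rejected: {exc}"}
    except ssl.SSLError as exc:
        return {"stage": "tls", "tls_ok": False, "detail": f"handshake failed: {exc}"}
    except OSError as exc:  # refused, timed out, unreachable: no listener or blocked
        return {"stage": "tcp", "tls_ok": False, "detail": str(exc)}

    try:
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        conn.sendall(request.encode("ascii"))
        head = b""
        while b"\r\n\r\n" not in head:   # read only up to the end of the headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            head += chunk
        status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = status_line.split(" ", 2)
        status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        return {"stage": "http", "tls_ok": True, "status": status, "detail": status_line}
    finally:
        conn.close()


def explain(result):
    """One-line reading of the probe, in the terms used in the answers above."""
    stage = result["stage"]
    if stage == "tcp":
        return "no TLS listener reachable on that port (listener missing or a security group blocks it)"
    if stage == "tls":
        return "the listener answers, but the certificate or handshake is not acceptable"
    return f"TLS is fine; HTTP {result['status']} comes from the web server's configuration, not the certificate"


if __name__ == "__main__":
    # Placeholder default; pass the load balancer's DNS name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    outcome = probe_https(target)
    print(outcome)
    print(explain(outcome))
```

Pointing the probe at the load balancer's DNS name answers the "is port 443 done in the console?" question directly: a 'tcp' result means there is no HTTPS listener (or the security group is blocking it), a 'tls' result means the listener exists but the certificate attached to it is wrong for that name, and any HTTP status means the rest of the work is in the web server behind it.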