I have an application deployed on Elastic Beanstalk which is built using Ruby on Rails, Nginx-Passenger, and a multi-container Docker configuration. A load balancer is also configured for the same.
I have also uploaded an SSL certificate (from a third party) to IAM. If I configure ContainerPort as 80 in Dockerrun.aws.json, then the application responds only over http; if ContainerPort is configured as 443, then it responds only over https. Even if both ContainerPorts are specified in Dockerrun.aws.json, Beanstalk uses only one of them.
With Beanstalk, I am not able to expose more than one port for my container. That is, I can either open it for http or https. Both do not work together. What I'm trying to achieve is that if anyone visits the link on http, it should automatically redirect to https and serve the request. Currently, only one of the two will work at a time due to the Dockerrun.aws.json configuration.
I have also configured Load balancer configuration to use HTTPS. Screenshot below for your reference. Please let me know if I'm missing any configuration.
So, I'm working on a hackathon project right now, and for the demo, I've spun up a NodeJS Express server on an EC2 via Elastic Beanstalk. When testing the server's API with our front-end locally, it worked perfectly fine.
Now we've deployed our front-end to AWS Amplify, set up a domain name in Route53, and hooked everything up. When we go to the domain, our front-end looks great, but when we try using the functionality that would connect to our server's API, we get a net::ERR_SSL_PROTOCOL_ERROR.
Doing some research, it looks like(?) we have to set up a certificate on the Classic Load Balancer that's in front of the EC2. So I requested a certificate, and created a listener on the Load Balancer as follows:
| Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port |
| --- | --- | --- | --- |
| HTTPS | 443 | HTTPS | 3000 |
But now I realize that if set up this way, I still have no idea how to point the React Frontend's API calls to the Load Balancer instead of the EC2, or whether the listener is set up correctly. Would anyone have an idea of what steps we should take here?
For the details of the app, the backend is a pretty straightforward Express App with CORS enabled, and the frontend is a fairly standard React project, nothing special about either of them.
Instance Protocol should be HTTP. So your setup uses HTTPS only between client and CLB:
Client --- (HTTPS) ---> CLB --- (HTTP) ---> EC2
Also, to properly set up HTTPS, you need to use your own domain. You can't use the default domain provided by EB for your application.
I'm using the Docker ECS integration to deploy an app and a webservice it depends on. Both should be running over HTTPS, at different subdomains.
My problem is, both need to run over HTTPS but since the ECS docker thing only created one load balancer, it looks like I can only configure it to forward https traffic to one target group. Is there a way to get this to work?
Yes, when you add the HTTPS listener to the load balancer, set the default rule to forward to one of the target groups (probably the main web app). But then go back to the list of listeners and click "View/edit rules". You can then add a Host Header rule for each additional service. The host header just equals the domain name, including subdomain, e.g. service-A.example.com. That way one HTTPS listener can handle every subdomain on the same application load balancer. The documentation for this is here.
Note: If HTTP and HTTPS listeners aren't available, you may have accidentally created a network load balancer. This happens when at least one of your services exposes a port other than 80 or 443. To force it to be an application load balancer (which will let you forward HTTP and HTTPS traffic), your docker-compose config needs to look like this:
test:
  image: mycompany/webapp
  ports:
    - target: 8080
      x-aws-protocol: http
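The listener setup described in the answer above, written as a CloudFormation fragment instead of console clicks. This is an added example, not part of the original answer: the parameter names and target groups are assumptions, and service-A.example.com is the answer's own placeholder hostname.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: One HTTPS listener routing two hostnames (added example, assumed names)
Parameters:
  LoadBalancerArn:         # existing application load balancer (assumed)
    Type: String
  CertificateArn:          # certificate for the hostnames served (assumed)
    Type: String
  WebAppTargetGroupArn:    # target group of the main web app (assumed)
    Type: String
  ServiceATargetGroupArn:  # target group of the additional service (assumed)
    Type: String
Resources:
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      # Default rule: any request no other rule matches goes to the main web app.
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebAppTargetGroupArn
  ServiceAHostRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 10           # lower numbers are evaluated first
      Conditions:
        - Field: host-header
          HostHeaderConfig:
            Values:
              - service-A.example.com
      Actions:
        - Type: forward
          TargetGroupArn: !Ref ServiceATargetGroupArn
```

The certificate or certificates attached to the listener must cover every hostname routed this way; a subdomain that is missing from them reaches the right target group but fails certificate validation in the client.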
I am running a Gatsby site in development mode as a dev server on EC2 with a load balancer pointing from port 80 to 8000. I have set up a CNAME on my domain DNS to point to the load balancer; this works fine. However, I need to display this page as an iframe in sanity.io as a web preview and it requires https.
I've read through this https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html and most of it is pretty straightforward for the most part.
What I have done so far is created a listener for 443 https on the load balancer and added https 443 to the security group. I have successfully issued a certificate to the subdomain I am using with AWS and attached it to the load balancer listener.
Gatsby has an article about custom certs for development mode here https://www.gatsbyjs.org/docs/local-https/#custom-key-and-certificate-files What I am looking for is the cert file, the authority file and the key file in order to pass this command below
Where in the AWS Certificate Manager do I find these files? I think that is the last piece I need to get https working, correct me if I am wrong.
Thanks ahead of time.
gatsby develop --https --key-file ../relative/path/to/key.key --cert-file ../relative/path/to/cert.crt --ca-file ../relative/path/to/ca.crt
This is the process I used to request my certificate and it says it's issued:
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
But how do I use it with the custom https command with gatsby?
There is an export option but it says only for private keys. Do I need to create a private key and then I can export these files I need?
Do I even need to run https on Gatsby's side? I watched a video using Apache and no change was made to the Apache server to get https working with the load balancer.
Here is a screenshot of my load balancer listener
Here is an image of my security groups
If I run the --https for gatsby develop, it breaks my site; I can no longer visit it via the load balancer or port 8000. So not sure what to do here.
I would suggest not to encrypt the connection between your ELB and the EC2 instances. If your EC2 instances are not publicly reachable, but only through the load balancer instead, it is best practice to terminate the SSL connection on the load balancer. No need to encrypt HTTP requests inside an AWS VPC (i.e. between ELB and target instances).
You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports. If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted. [1]
There is some discussion (e.g. on the blog of Kevin Burke) whether it is necessary to encrypt traffic inside a VPC. [2] However, most people are probably not doing it.
What it means for you: Use the same instance protocol for your targets as before: HTTP via port 8000 for both listeners. Do not set up SSL for your Gatsby service. Use a plain HTTP server config instead. No changes are necessary to ELB targets when using SSL termination on the load balancer.
References
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
[2] https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Ld2pfsORD6ns5dDK5Y7/tlsssl-termination?answer=-LecNy4QX6fviP_ryd7x
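The setup this answer recommends, as a CloudFormation fragment: both listeners forward plain HTTP to port 8000, and the instance security group accepts that port from the load balancer only, which is the condition the answer relies on. This is an added example, not part of the original answer; the parameter and resource names are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: TLS terminated at a Classic Load Balancer (added example, assumed names)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  InstanceId:            # the EC2 instance running the dev server on 8000
    Type: AWS::EC2::Instance::Id
  CertificateArn:        # ARN of the issued ACM certificate
    Type: String
Resources:
  LbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Public HTTP and HTTPS to the load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0}
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  InstanceSecurityGroup:   # attach this group to the instance
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Port 8000 reachable from the load balancer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8000
          ToPort: 8000
          SourceSecurityGroupId: !GetAtt LbSecurityGroup.GroupId
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: !Ref SubnetIds
      SecurityGroups:
        - !GetAtt LbSecurityGroup.GroupId
      Instances:
        - !Ref InstanceId
      Listeners:
        - LoadBalancerPort: '80'
          Protocol: HTTP
          InstancePort: '8000'
          InstanceProtocol: HTTP
        - LoadBalancerPort: '443'
          Protocol: HTTPS            # TLS ends here, using the ACM certificate
          SSLCertificateId: !Ref CertificateArn
          InstancePort: '8000'
          InstanceProtocol: HTTP     # same plain HTTP target as the port 80 listener
```

With the certificate referenced by ARN on the listener, no key, certificate or CA file has to exist on the instance, and the dev server keeps running without `--https`.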
I have an nginx + Django server on a Google Cloud virtual machine which is running on a specific port (8080). I am able to access the service at http://external_ip:8080. But I'm not able to access it over "https". I don't have a domain name. For our application it is not necessary as it is just a REST API to perform some tasks. I am relatively new to terms like SSL certificate, domain name, nginx, etc. It would be great if someone can help me out. Thanks in advance.
Two paths:
Configure Nginx to serve on 443 with TLS. Configure GCP firewall to allow for https with tags.
With tags, configure FW rules for the instance to only serve 8080 to GCP Load Balancers and have HTTP(S) Load Balancing serve the content via TLS to the public.
In any case you'll have annoying TLS issues without a DNS name - so you should get one. You should alternatively look into serving Django from App Engine Standard.
I am really struggling to get my basic website (literally just a template without any changes, just running ASP.NET) to work with HTTPS. I am using an Elastic Beanstalk environment to host the site, and the site EC2 virtual machine is behind a load balancer (classic).
I have followed the guide here
And believe I have everything configured correctly, however when I browse to https://www.playground.cloudy-skies.org/ or even the http:// version, I get a HTTP ERROR 503.
I have created an SSL certificate using AWS certificate manager:
I have the load balancer in AWS configured like so:
As per the website documentation, my domain name is pointing to the Elastic Beanstalk instance, not the load balancer. I've checked the AWS official doco and it says to do pretty much this. Where am I going wrong? If I browse the site with Fiddler active I get:
Please help? I'm a software developer more than I am a network guy, so I'm doing my best here but I'm struggling and have yet to successfully create a site that uses HTTPS.
First thing: if you are using Beanstalk, your Route 53 will be pointing to your Beanstalk URL only. You can change it, or even force it to your load balancer, but it doesn't change anything.
As your HTTPS (port 443) is not working, just check the Security Group of the EC2 instance and the ELB (Elastic Load Balancer). Sometimes the Security Group blocks your port.
So in your inbound rules (for both ELB and EC2), port 443 should be included.