AWS CPANEL WHM - IP Address and DNS Settings on new accounts - amazon-web-services

I've (hopefully) successfully set up Cpanel on AWS with clustering following the instructions: https://blog.cpanel.com/part-1-how-i-built-a-cpanel-hosting-environment-on-amazon-aws/
I've been using CPanel/WHM on a dedicated server for a few years before I set up this new Cpanel installation on AWS. My issues comes from how new accounts are set up differently on a dedicated server vs the AWS way.
My first issue:
When I created a new account on my dedicated WHM, I was provided IP Addresses from the server farm that I assigned to newly created accounts. Once assigned, I can access the site with either the IP or the domain name. Now with this new AWS way, there's no info in the tutorials about how I obtain new IP Addresses. I tried adding a new local IP like 10.0.0.30 (because it says it's in NAT mode and use local IP) and assigning this as a dedicated IP to the newly created accounts but I don't understand how anybody can access the site through that IP since its a local IP. So how do I access the domain through custom IP and domain like I did before? I must be missing something fundamental.
My second issue:
On my dedicated WHM after I created a new account, I would typically go to DNS Functions -> Edit DNS Zone and edit the zone to customize my nameserver as so:
mynewdomain.com
ns1.mynewdomain.com
ns2.mynewdomain.com
anothersite.com
ns1.anothersite.com
ns2.anothersite.com
thirdsite.com
ns1.thirdsite.com
ns2.thirdsite.com
and then in my register I would add these custom nameservers into the register and point them to the dedicated IPs of each domain. But with the AWS way, the only way I was able to set this up was to use the new cluster nameservers as the nameserver for ALL accounts in this new WHM installation.
Like this:
mynewdomain.com
ns1.awsnameserver.com
ns2.awsnameserver.com
anothersite.com
ns1.awsnameserver.com
ns2.awsnameserver.com
thirdsite.com
ns1.awsnameserver.com
ns2.awsnameserver.com
Is this the correct / the only way I can set up accounts now through this set up?
Is there a way to have custom nameservers names like I did in dedicated WHM?

In my case, I have a DNS server outside of Amazon so I'm not sure it would answer your question but it might lead you somewhere.
First to figure out what your public IP is you can:
Go to the AWS console and look at the instance detail of your server.
Look for the "endpoint". This points to your public address so you can do a PING or NSLOOKUP to find out what your IP is.
However, AWS does not recommend you hard-coding the public address as it could change. So what I did instead was to create a CNAME in my DNS that points to that "endpoint".
I hope that helps.

Related

Managing a subdomain on AWS with R53 and EC2

I followed all the steps given on the tutorial page of AWS to create a subdomain(https://aws.amazon.com/es/premiumsupport/knowledge-center/create-subdomain-route-53/) and I'm pretty sure I got everything right because the tutorial is pretty straight forward. For context, before this I setup a LAMP stack on the server linked with my main domain (example.com).
My question is how to upload and manage files on my subdomain (subdomain.example.com). I thought that all I needed to do was to create a new EC2 instance and link it with the "hosted zone" of my subdomain, and after that I could just upload files and it would work (like I did on my original instance of the main domain). But after many tries clearly I'm doing something wrong, because the page of my subdomain (subdomain.example.com) keeps appearing blank with just the text "This site can't be reached."
You say that you installed a LAMP stack on the instance, so presumably there is a web server listening on port 80.
To test this, first login to the instance via SSH, then try curl localhost to test the web server. If that fails, then there is a problem with your web server.
If it works, the you should check the Security Group associated with the Amazon EC2 instance. It should be allowing incoming traffic on port 80 from 0.0.0.0/0.
Next, obtain the Public IP address of the instance. In a browser on your own computer, try accessing the IP address, eg http://1.2.3.4. That should work if the Security Group has been correctly configured.
By the way, you should be using an Elastic IP address (EIP) for the EC2 instance, which is a 'static' IP address that does not change. You can create an EIP in the EC2 management console, then associate it with the instance. This prevents the Public IP address from changing if the instance is stopped.
Next, try accessing the instance via the domain name. If this does not work, then test the name resolution by using ping with your domain name. The Ping itself won't work, but it should display the IP address that is linked to that domain name. Make sure that the IP address matches the Public IP address you used in the previous step.
If no IP address is provided, then you are missing an A-Record in the hosted zone. You should create the A-Record in the hosted zone and provide it with the Public IP address of the instance.

OpenVPN and VPC peering - How to resolve .compute.internal domains in two different accounts with BIND9

At our company we have three AWS accounts, the main one, used as "root" account for IAM and hosting an OpenVPN Access Server. The other two accounts are pro and stg. Each one has its own VPC, with different IP ranges, and we have a VPC peering between the root and pro accounts, and other one between root and stg. IP routing is already setup and everything is under control from this side.
(I'm sorry I can't upload images yet, so here you have the link)
VPN+VPC-Peering
The problem comes with DNS resolution. The setup is this one:
I've installed BIND9 in the OpenVPN server, to allow DNS forwarding for private hosted domains, using a configuration like this one in named.conf.local
zone "stg-my-internal-domain.com" IN {
type forward;
forward only;
forwarders { 10.229.1.100;10.229.2.100; };
};
zone "pro-my-internal-domain.com" IN {
type forward;
forward only;
forwarders { 10.228.1.100;10.228.2.100; };
};
And also two Route53 inbound resolvers (a simple BIND server running on each VPC also works) running in 10.229.1.100 and 10.229.2.100 for stg and 10.228.1.100 10.228.2.100 for pro account
VPN clients have OpenVPN profiles that use the Access Server as DNS resolver.
From my client, I can resolve both my-service-1.pro-my-internal-domain.com and my-service-2.stg-my-internal-domain.com perfectly, but the problem comes when I want to resolve internal domain names like the ones that AWS generates inside each VPC with my-service-2.eu-west-1.compute.internal
I know that this is an anti-pattern and I should always use the private domain as much as I can, but for some cases like EMR clusters, YARN and Hadoop managers use links that reference to the internal AWS names, making the resolution impossible.
So my question is: Is there any way to configure DNS to delegate resolution to a secondary address if primary fails?
I could set up a forwarder for the eu-west-1.compute.internal zone using all the accounts resolvers, but
DNS specification says that the secondary nameserver will only be used if the first one is unreachable, so as far as it answers an empty or "unknown" response, it's still a valid response and the second one will not be queried.
Any help is really appreciated!
Why not just change the internal host name to a public dns name? Those services are using the hostname assigned to them of course. You can change it.
See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-hostname.html
You may (or may not) need to assign fixed private ips to each. In any case publish this private IP in a public DNS zone. You should then be able to resolve these names properly. Note you can also have a script run on each instance on startup, to update the hostname and dns record.
For a good discussion on private ip addresses in public DNS, see https://serverfault.com/questions/4458/private-ip-address-in-public-dns
For reference, here is the best answer there:
Some people will say no public DNS records should ever disclose private IP addresses....with the thinking being that you are giving potential attackers a leg up on some information that might be required to exploit private systems. Personally, I think that obfuscation is a poor form of security, especially when we are talking about IP addresses because in general they are easy to guess anyway, so I don't see this as a realistic security compromise. The bigger consideration here is making sure your public users don't pickup this DNS record as part of the normal public services of your hosted application. ie: External DNS lookups somehow start resolving to an address they can't get to. Aside from that, I see no fundamental reason why putting private address A records into the public space is a problem....especially when you have no alternate DNS server to host them on. If you do decide to put this record into the public DNS space, you might consider creating a separate zone on the same server to hold all the "private" records. This will make it clearer that they are intended to be private....however for just one A record, I probably wouldn't bother.
AWS only supports DNS resolution of these internal ipv4 DNS hostnames if your VPN is in the same region as your EMR cluster (or any other compute resource). I have reached out to their Support and they have confirmed this.
For example, I have an AWS Client VPN endpoint setup in Frankfurt and an EMR cluster in Ireland. I am pushing to my host the private DNS server of the VPC (and all other related config is enabled in both VPCs) so that I can resolve private Route53 DNS zone records.
While I am connected to the VPN,
I can't resolve this:
$ dig +short ip-10-11-x-x.eu-west-1.compute.internal
$
But I can resolve the following, which is an instance that's in the same region as the VPN endpoint:
$ dig +short ip-10-10-x-y.eu-central-1.compute.internal
10.10.x.y
How to solve this:
Either move your EMR clusters in the same region as your VPN is, or the other way around.
But the simplest solution might be to just use a Chrome plugin (here's an example) that automatically redirects ip-x-y-z... URLS to x.y.z IPs.

Why do you need to change the Hostname of your EC2 instance?

There is a topic in EC2 documentation Changing the System Hostname. Why does one need to change it? Just for fun? Just to have some nice shell prompt?
// change this
ubuntu#ip-123-12-1-231 ~ $
// to this?
ubuntu#my-beautiful-hostname ~ $
I'm learning how AWS DNS work, where my EC2's DNS lives that resolves a default Public DNS name to Public IP address of my instance
Public DNS: ec2-xx-xx-xxx-xx.ap-southeast-2.compute.amazonaws.com
Public IP: xx-xx-xxx-xx
And how can I host multiple apps with real domain names (example1.com, example2.com, so on) in one EC2 instance, how to modify and manage DNS. And actually I don't know what to read about it in docs, and read everything related to hostnames and DNS, and found this topic Changing the System Hostname and don't understand why would one want to change a hostname and if it can be valuable info for me.
UPD:
And now a real a practical question for those specimens who like closing questions quietly.
Where does a DNS live in EC2 instance? How is Public DNS mapped to Public IP? Where is that record in my EC2 Ubuntu instance? Is Route53 involved in it?
Where does a DNS live in EC2 instance?
It doesn't, DNS resolution use by the server is set in /etc/resolv.conf and /etc/nsswitch.conf. The hostname domain name for that server is set (Redhat derived systems) in /etc/sysconfig/network
How is Public DNS mapped to Public IP?
With a DNS record
Where is that record in my EC2 Ubuntu instance?
In the DNS for the domain that you have attached it to
Is Route53 involved in it?
Only if you are using Route53 for DNS
EC2 DNS location (source):
In EC2-Classic, the Amazon DNS server is located at 172.16.0.23.
In EC2-VPC, the Amazon DNS server is located at the base of your VPC network range plus two.
For more information, see Amazon DNS Server in the Amazon VPC User Guide
Well i had the same issue as you did and someone replied me this
It isn't a huge deal if you are just running a single server, mostly
to help you identify a server with local networking. Some things like
mail servers will use your hostname unless you specify otherwise.
This is an example of somewhere I saw that done
My original query
why do some people set hostname and some dont? whats the use?
hostnamectl set-hostname

Redirect own domain to Amazon EC2 Windows Server 2012 Instance

We just created an AWS Windows Server 2012 Instance and now want to Redirect our Domain (bought and managed by 3rd Party) to this server.
we followed the two steps at the 1st ranked answer here: How redirect a domain to Amazon EC2 Machine?
While we managed to create and associate the elastic IP, the problem seems to be step 2 now: actually we have setup a A record at our current domain manager but still doesnt work. If we enter our domain at browser it seems to load for something and then stops after some seconds
We are very beginners and wondering where we need to put the lets say "index.html" or so like we did at our previous Webspace hoster. In other words, if the user access our server through the elastic ip, which direction the browser is firstly trying to enter?
The standard pattern is
... in aws route53 create a Hosted Zone
... by default it auto gives you Type NS and SOA copy the set of 4 values under your Type NS (similar to)
ns-125.awsdns-15.com.
ns-642.awsdns-16.net.
ns-1653.awsdns-14.co.uk.
ns-1473.awsdns-56.org.
... now get into your Domain Registrar and edit Nameservers by using above list
... upon deploying your aws cluster it will give you a loadbalancer value similar to
af327bdd34eca101010100a02debd892-11516969089.us-east-1.elb.amazonaws.com
... get into your aws route53 hosted zone console pick your domain
... hit Create Record Set on the right pick Type A
... IMPORTANT pick Alias YES see doc
... click in box Alias Target empty out field ... then choose above mentioned loadbalancer
I think you have security and firewall issues,
Check following items step by step:
Enter your EC2 IP address in your browser; you should see your app home page.
If you can't reach your server response by direct IP address, check your security group, inbound tab, you must open port 80 to source 0.0.0.0/0
Each time you see your home page by direct IP address in the browser you can go to next steps for domain and route53.
I tried to telnet 52.59.50.150 80 to your instance and it timed out so that means your HTTP port 80 is not open. Add below security rule to your security group. And then check your domain it will work.
We are actually wondering how the whole Setup should actually work.
We have dropped the Index.html on c:
Lets say we are trying to request the Microsoft Server EC2 through the elastic IP. How it is even trchnically possible that the server is finding and responding with exactly this Index.html?
Thats completely a blackbox for us besides the question if the security groups/rules/ports are established correctly...
I have solved my problem. Just for people that have the same problem:
Besides the points mentioned above you have to setup IIS (Microsoft Internet Information Service) on your server in order to redirect your domain to specific "folders" / index.htmls

AWS RDS IP static or dynamic?

I have an RDS instance with a URL that was provided by Amazon. (This URL has an IP that's associated with (of course)).
To make connecting to the DB easier I made a redirect from my domain like this: "db.myDomain.com" to the IP of the DB Instance.
For a week it all worked fine, but then, suddenly, it stopped working. After searching for a few hours, I have realized that the IP I was redirecting to was not the same as the IP of the instance.
This made me think that maybe the IPs on RDS are dynamic and the only way to access the DB is with the URL provided by Amazon.
Is this correct? If so, is there away to redirect from one URL to another?
Yes, your observation about the dynamic nature of the IPs for RDS is correct and it is the anticipated behaviour of the Service. Always use the URL provided for RDS instance to access it RDS instance(s).
For most of the use cases, you don't to do a redirect to access; as the DNS name would go inside a config file / connection string. If you still need a friendly name - you may use the Route53 to create an alias. Here is a documentation link from AWS to accomplish that [ https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-rds-db.html ] - it is easier & convenient.
For RDS instance, the DNS name is not changed, but IP address will be changed in some case, especially when you enable Multi-AZ (multiple available zone), the RDS instance will be switched to other available zone with different IP address when AWS found any fails in it.
So in your application, you can't fix the IP address for your database accessing, always set DNS (domain name) to access your database.