Elastic Beanstalk SSL not working with hosts file mapping - amazon-web-services

I have an Elastic Beanstalk environment with an SSL certificate that works if I visit the *.elasticbeanstalk.com URL (with a warning from my browser). For testing purposes I've mapped the IP of the instance to the domain in my hosts file before I change nameservers over. However, when I try the actual URL with https:// I get ERR_CONNECTION_REFUSED from Chrome - http:// works fine though. I've flushed the DNS cache and I know DNS shouldn't care about application layer protocols - so I'm pretty stumped here. Any ideas?

HTTPS is disabled by default on new Elastic Beanstalk environments.
If it's a single server environment, you'd need to set up SSL yourself (documentation here).
If it's a load balanced one, simply enable the HTTPS protocol in the Elastic Beanstalk web console (Configuration => Network Tier => Load Balancing => Load Balancer).

Related

AWS SSL certificate for cloudfront and application load balancer origin

This is my first time playing around with web development. I'm trying to deploy a simple dockerized Flask application to my domain (example.com).
First, I've deployed the Flask application listening on port 80 of my EC2 instance. All it does is render a frontend on the index path ('/').
I've connected the Cloudfront to https://example.com with a certificate created through ACM.
Next, I created an application load balancer (ALB) on top of the EC2 instance, by adding a listener on port 443 and forwarding traffic to a target group on the EC2 instance and port 80.
Within the Cloudfront settings, I have set the origin as my load balancer through the AWS Cloudfront "add custom origin" settings.
However, once I navigate to either the Cloudfront URL or https://www.example.com, I run into a 502 error.
I've tried several steps to debug including checking the security group of the application load balancer and invalidating Cloudfront cache. I'm also able to view the http:// version of my EC2 instance just fine so I think it is something with the connection between cloudfront and the load balancer. After Googling around, my thought was that this particular 502 error might be an issue with the certificate of the load balancer, since I'm using that same certificate for the cloudfront.
I tried to follow steps to add my load balancer URL (ending in .com) to ACM but got that my certificate status was failed. I was wondering: is this what is going on and how can I issue a free valid certificate for my application load balancer using ACM? There are many sources that say this is possible, but I haven't been able to figure it out. Thanks!

Connecting an AWS Amplify frontend with an EC2 instance?

So, I'm working on a hackathon project right now, and for the demo, I've spun up a NodeJS Express server on an EC2 via Elastic Beanstalk. When testing the server's API with our front-end locally, it worked perfectly fine.
Now we've deployed our front-end to AWS Amplify, setup a domain name in Route53, and hooked everything up. When we go to the domain, our front-end looks great, but when we try using the functionality that would connect to our server's API, we get a net::ERR_SSL_PROTOCOL_ERROR.
Doing some research, it looks like(?) that we have to setup a certificate on the Classic Load Balancer that's in front of the EC2. So I requested a certificate, and created a listener on the Load Balancer as follows:
Load Balancer Protocol: HTTPS
Load Balancer Port: 443
Instance Protocol: HTTPS
Instance Port: 3000
But now I realize that if set up this way, I still have no idea how to point the React Frontend's API calls to the Load Balancer instead of the EC2, or whether the listener is set up correctly. Would anyone have an idea of what steps we should take here?
For the details of the app, the backend is a pretty straightforward Express App with CORS enabled, and the frontend is a fairly standard React project, nothing special about either of them.
Instance Protocol should be HTTP. So your setup uses HTTPS only between client and CLB:
Client--- (HTTPS) ---> CLB --- (HTTP) ---> EC2
Also, for HTTPS to be set up properly, you need to use your own domain. You can't use the default domain provided by EB for your application.

How to get HTTPS to work on a website - specifically an Elastic Beanstalk site in AWS

I am really struggling to get my basic website (literally just a template without any changes, just running ASP.NET) to work with HTTPS. I am using an Elastic Beanstalk environment to host the site, and the site EC2 virtual machine is behind a load balancer (classic).
I have followed the guide here
And believe I have everything configured correctly, however when I browse to https://www.playground.cloudy-skies.org/ or even the http:// version, I get a HTTP ERROR 503.
I have created an SSL certificate using AWS certificate manager:
I have the load balancer in AWS configured like so:
As per the website documentation, my domain name is pointing to the elastic beanstalk instance, not the load balancer. I've checked the AWS official doco and it says to do pretty much this. Where am I going wrong? If I browse the site with Fiddler active I get:
Please help? I'm a software developer more than I am a network guy, so I'm doing my best here but I'm struggling and have yet to successfully create a site that uses HTTPS.
First, if you are using Beanstalk, your Route 53 record will point to your Beanstalk URL only. You can even force it to point to your load balancer instead, but it doesn't make any difference.
As your HTTPS (port 443) is not working, just check the security groups of the EC2 instance and the ELB (Elastic Load Balancer). Sometimes a security group blocks your port.
So in your inbound rules (for both ELB and EC2), port 443 should be included.

AWS Install SSL from Certificate Manager (Free from AWS) to ELB and apply to EC2 Windows Platform IIS Instance

Greeting
I have created the Certificate through Certificate Manager in AWS, the free one. And successfully verified as well as put it in the Elastic Load Balancer (ELB). The status of the certificate shows it's issued and Is Used? shows Yes in the Certificate Manager.
Overall, I have completed these two steps without any problem, but the SSL does not work with my domain name. When I type "mydomain.com" with or without prefix http://, it works, but when I type "mydomain.com" with https:// prefix, it does not work
I have researched to find the solution and a way to install SSL into Microsoft Windows IIS on AWS, but no document describes that.
Can anyone share their experience? I would really appreciate it.
Looking forward to the reply, and thanks.
You do not need to setup SSL on your web server when you use a load balancer. Assign the SSL certificate to the load balancer (as you did). Then in your HTTPS listener in the load balancer listen on HTTPS, but connect to your web server over HTTP.
In the Amazon Console for your load balancer under the "Listeners" tab, the "Load Balancer Protocol" will be HTTPS and the "Instance Protocol" will be HTTP.
This has the benefit of offloading SSL to the load balancer which decreases CPU load on your web server.
If you do want to setup SSL on your web server, then you cannot use the Amazon SSL certificate. You will need to use the standard methods and purchase a certificate from someone else.

Where does AWS Elastic Beanstalk Load Balancer look for certifications?

I am setting up AWS Elastic Beanstalk application and I want the traffic to it to be HTTPS.
I created a DNS CNAME record matching the beanstalk url and created and approved a certificate for that DNS name in AWS Certificate Manager.
Now I went to Elastic Beanstalk environment --> Configuration --> Network Tier / Load Balancer (Image below) in order to set the "Secure listener port" from OFF to 443 and choose my certificate.
But my certificate is not there to choose from!
So my question is how to get my certificate or a certificate into that selection list, or is that a bug in AWS?
Note - I was able to see my certificate when going to EC2 / Load balancers and was able to change the load balancer from HTTP to HTTPS and choose my certificate there.
But this did not reflect on Elastic Beanstalk load balancer configuration that still shows port 80. Using HTTPS to the beanstalk did not work this way.
Help!
Through the console, there is currently no way to assign your certificate you created in the Certificate Manager to your Beanstalk environment.
In order to accomplish this, you will need to use the AWS CLI. I was able to accomplish this, and luckily, it is easy.
In short, you need to:
1. Create an elb-acm.json file and place it somewhere in your web root. I put mine directly in the web root of my application.
2. Go to the Certificate Manager and get the ARN ID of your certificate.
3. Use the update-environment command to apply your certificate to your environment:

    aws elasticbeanstalk update-environment --environment-name Your-Environment --option-settings file://PATH-TO-JSON/elb-acm.json

For me the path was simply file://elb-ecm.json since (I believe the reason is because) I was running the command while in the web root and the file was in that same directory. This article goes into detail (and worked for me). Good luck!
Please note, though you can, you should NOT assign the certificate directly through the Load Balancer console (EC2 > Load Balancers) because the load balancer will be blown away and recreated whenever you rebuild your Beanstalk Environment.
Also, make sure you have set up your certificate how you want it before you apply it to your Beanstalk environment. For example, if you want *.mydomain.com and the naked mydomain.com to both be secure, make sure that's fully configured first since there is no easy way to "de-associate" your certificate from your environment once you run these commands (you would basically need to terminate your environment altogether and create a new one if I'm not mistaken in this scenario).
Also, you will want to have some redirect code in your app to perform a 301 redirect on any non-secure request coming in once you have your certificate setup. To perform the redirect you will need to look for the X-Forwarded-Proto header on the incoming request. If it's not secure, you should redirect to the secure port. For example, here is how my application code looks:
    // in production, only allow secure requests (https)
    public function performSecureRedirect(rc) {
        // based on domain comparison
        var isLive = myEnvironmentData.isLive;
        // setting up the health check url is important for smooth beanstalk deployments
        // beanstalk issues this healthcheck request via a non-secure port
        var isAmazonHealthcheckUrl = rc.event eq "system.healthcheck";
        if (isLive and not isAmazonHealthcheckUrl) {
            var headerData = getHTTPRequestData().headers;
            // x-forwarded-proto is a special header
            // setup by Amazon ELB (Elastic Load Balancer)
            // a request that did not pass through the load balancer has no such
            // header; treat it as non-secure instead of failing on the missing key
            var requestProtocol = structKeyExists(headerData, "x-forwarded-proto") ? headerData["x-forwarded-proto"] : "";
            var isSecureRequest = requestProtocol eq "https";
            if (not isSecureRequest) {
                // 301 redirect to the same host and path over https
                location("https://" & cgi.server_name & cgi.path_info, false, 301);
            }
        }
    }
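The same X-Forwarded-Proto redirect as a framework-independent Python WSGI middleware, given here as an added example that is not part of the answer above. The hostname `www.example.com` and the `/healthcheck` path are assumptions, and the redirect target is built from a fixed hostname rather than the request's Host header.

```python
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"  # assumption: the site's single public hostname
HEALTHCHECK_PATH = "/healthcheck"   # assumption: path the load balancer probes over HTTP


class ForceHTTPS:
    """WSGI middleware: 301 to HTTPS unless the load balancer reports an HTTPS client."""

    def __init__(self, app, host=CANONICAL_HOST, healthcheck=HEALTHCHECK_PATH):
        self.app, self.host, self.healthcheck = app, host, healthcheck

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        # WSGI exposes the X-Forwarded-Proto header as HTTP_X_FORWARDED_PROTO.
        # A missing header (request that bypassed the load balancer) counts as insecure.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto == "https" or path == self.healthcheck:
            return self.app(environ, start_response)
        # Fixed hostname: the Location header never reflects a client-supplied Host.
        # PATH_INFO arrives decoded, so it is percent-encoded again here.
        target = "https://" + self.host + quote(path)
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
        return [b""]


def hello(environ, start_response):
    """Stand-in application used for the constructed requests below."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def simulate(app, path, proto=None, query=""):
    """Send one constructed request through the app; return (status, headers dict)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    if proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = proto
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]


app = ForceHTTPS(hello)
```

The header can only be relied on when the instance's security group admits traffic from the load balancer alone; a client that reaches the instance directly can set X-Forwarded-Proto itself.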
The answer by Brian FitzGerald and this blog helped me figure out a simple way to do that (set https on the Elastic beanstalk load balancer and use a CRM certificate for it).
The solution is simpler using AWS Elastic Beanstalk CLI (eb for short). After you set up the environment properly you can use eb config command.
When the edit window opens up scroll down to aws:elb:loadbalancer section.
Modify the load balancer section to be so (in my case I removed port 80 altogether, you may want to keep it):
    aws:elb:loadbalancer:
      CrossZone: 'true'
      LoadBalancerHTTPPort: 'OFF'
      LoadBalancerHTTPSPort: '443'
      LoadBalancerPortProtocol: HTTP
      LoadBalancerSSLPortProtocol: HTTPS
      SSLCertificateId: PLACE HERE THE CRM CERTIFICATE ARN
      SecurityGroups: '{"Fn::GetAtt":["AWSEBLoadBalancerSecurityGroup","GroupId"]},{"Ref":"AWSEBLoadBalancerSecurityGroup"}'
The arn of the certificate can be found in AWS > Certificate Manager.
Open the certificate and copy the ARN number (on the bottom right).
I saved the configuration, waited for the environment to get updated and that was it.
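
The first answer above refers to an elb-acm.json option-settings file without showing its contents. As an added example (not taken from either answer), this is the JSON form of the HTTPS settings from the eb config snippet, written as the Namespace/OptionName/Value list that --option-settings accepts; the certificate ARN is a placeholder to replace with the value copied from Certificate Manager.

```json
[
  {
    "Namespace": "aws:elb:loadbalancer",
    "OptionName": "LoadBalancerHTTPSPort",
    "Value": "443"
  },
  {
    "Namespace": "aws:elb:loadbalancer",
    "OptionName": "LoadBalancerSSLPortProtocol",
    "Value": "HTTPS"
  },
  {
    "Namespace": "aws:elb:loadbalancer",
    "OptionName": "SSLCertificateId",
    "Value": "PLACEHOLDER-ACM-CERTIFICATE-ARN"
  }
]
```

Because the certificate is set through environment options rather than on the load balancer itself, it is reapplied when the environment is rebuilt.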