We have an external service that is currently accessible via the http (port 80, non-SSL) and https (port 443, SSL) addresses.
What is the best way to limit connections to only the https address? Is it something we can do via IIS or does it have to be done via code.
Additional info: Regular ASP.NET web service (.asmx) running on IIS on Windows 2003 server. Service is built with C# on .NET 3.5.
Require SSL on the application
In a custom error page for the 403 redirect the browser to the incoming URL, changing http to https along the way.
Note: Keep port 80 open for this - or there won't be a server to listen for requests to redirect.
Just to clarify Greg's point 1. IIS Manager > Site properties > Directory Security > Secure Communications > Require Secure Channel (SSL)
Is just not accepting any connections on port 80 an option? I'm a complete web server noob so I don't know if the server can operate without an unsecured listen port but if the server can operate only listen on port 443 that would seem to be simplest option.
Another option would be a redirect from the unsecure port to the secure one
Related
I setup the certificate, opened the ports and configured django to reply over https in an EBS app.
However, when accessing using https I receive a 408 timeout error. Http access works normally.
How can I get https to work?
You probably configured both the load balancer and your app to communicate using https and port 443. Unless you have the special need to secure communication between your load balancer and your app, they should be communicating using http and port 80.
I have a AWS LoadBalancer which created using Kube, Kops and AWS.
protocl type for the ELB is tcp. this work fine for http requests, means I can access my site with http://testing.example.com. Now I tried to add SSL for this ELB using ACM (Certificate manager). I added my Domain details example.com and *.example.com by requesting a public Certificate. it created successfully and domain validation is also success.
Then I tried to add this ssl to my ELB like below.
went to my ELB and selected the ELB.
Then went to Listeners tab and Added SSL to it like below.
and ELB description is like below.
I cannot access the https://testing.example.com, it hangs for few minutes and nothing happens. what is going on here. hope your help with this.
In the Listener configuration, you are forwarding the default HTTP port 80 to port 30987 on the back-end server. So this tells me that the back-end server is listening for HTTP requests on port 30987.
You then added an SSL listener on the default port 443 but you are forwarding that to port 443 on the back-end server. Do you have something on your back-end listening on port 443 in addition to 30987?
The most likely fix for this is to change the SSL listener on the load balancer to forward to port 30987 on the back-end by setting that as the "Instance Port" setting.
If your backend application (that sits behind the ELB) only listens on HTTP port 30987 then you need some layer of TLS termination before your app server.
More food for thought on this approach:
https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer
Or you need to tweak your backend app server to also listen on an HTTPS / TLS context, in a different port (which you must map in your ELB configuration).
BTW, I would also suggest to switch to and ALB or an NLB.
More info: https://medium.com/cognitoiq/how-cognitoiq-are-using-application-load-balancers-to-cut-elastic-load-balancing-cost-by-90-78d4e980624b
Once you finish the setup of whatever suggestion you picked, run curl -k -I https://testing.example.com/ to check whether of not you are getting blocked by the ELB.
I am trying to configure the redirection for all http traffic to https only. My configuration as follows
We are using ELB and EC2 instances
Configured application Load Balancer in this case.
Backend server is working on port 443, using Nginx
Configured Nginx redirection rule for http to https redirection
Configured ELB listener for both port 80 and 443
Installed SSL Certificate in both backed servers and ELB
My Issue is when a client accesses this application over https URL is working fine in https. But when the clients try to connect this application over http, it is working in http and not redirect it into https.
I need to work this application only in https. How can we force all client communication into https?
Are you checking the right values in the redirect settings? The ALB should set x-forwarded-port and x-forwarded-proto.
Another option would be to use cloudfront in front of your ALB, and set it to force everything to https.
Excuse me if I'm posting this in the wrong category.
I have a node.js app running on an EC2 instance on port 3000.
What is the best way to set up https with my domain, so that when the user goes to
https://www.my-domain.com they're actually hitting my-ec2-instance.com:3000 ?
I actually ended up putting the client on cloudfront, and cloudfront managed setting up SSL with my domain so when I go to https://my-domain.com the client is served just fine, but I cannot make http requests to my server on the EC2 instance because the origin is different. The browser blocks http requests.
I also tried having the node server deliver my client which works, and you can see it here: http://34.223.222.234:3020/
then I set up Route53 to reroute to the IP address, you can see it here:
http://myonlinetesting.com:3020/
But Route53 won't allow me to add the port number as part of the IP to reroute to. And on top of that I still need to set up SSL so the the user can go to https://myonlinetesting.com. And I also need to reroute http traffic to https so the users is always on https.
From your experience, what is the best way to accomplish a web application set up like this? Do you have cloundfront serve your client and host the server on an EC2 instance? Or do you just have a load balancer in the middle so you can accomplish SSL? Seems like a waste of resources this way, when you don't really need a load balancer. Or do you have your app running on the EC2 instance and somehow are able to route traffic to your-ec2-instace.com:3000 when the user goes to https://yourdomain.com?
I'm pulling my head in different directions without really knowing what the best way to do this is. Any feedback will be greatly appreciated.
Hope this helps :
<VirtualHost *:80>
ServerName yourdomain.com
<Location "/">
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
</Location>
</VirtualHost>
Consider the nodejs app is running on port 3000
You can't point a domain name to a specific port. A domain name points to an entire server, not a specific port on that server. The default HTTP port is 80, and the default HTTPS port is 443. So if you want users to be able to go to your website without having to specify a port number like 3020 then you need to configure your website to run on the default HTTP/HTTPS ports. Or configure your operating system to forward those default ports to the ports your application is actually running on (for example via iptables).
For SSL, since you aren't using a load balancer or a CDN the you will need to install the SSL certificate directly on the server. You can do this for free using Let's Encrypt.
I've created a web service using this example:
http://www.albeesonline.com/blog/2008/07/27/creating-a-webservice-using-rad-7/
When I call the web service to get the WSDL, I use a URL like this:
http://acme.com/storefront/services/InventoryInquiry?wsdl
And WebSphere responds with a WSDL page with a URL like this:
http://acme.com:9082/storefront/services/InventoryInquiry/wsdl/InventoryInquiry.wsdl
What I'd like is for WebSphere to respond using SSL and port 443, and not the WebSphere default host port.
I tried modifying the "Provide HTTP endpoint URL information" page in WebSphere console for the application to use "https://acme.com:443" for the "HTTP URL prefix", but WebSphere doesn't use this, even after restarting WebSphere.
How do I configure WebSphere so that it doesn't use its default ports when responding to web service requests?
I'm using WebSphere 6.1.
Some background information:
The service is included in a J2EE application that uses Struts for its design pattern. The struts-config.xml is configured to serve the app on ports 80 and 443. The WAS server where the app runs is fronted by an Apache web server, which is redirecting requests to the app via a load balancer.
The AWS load balander config is directing requests among four separate WAS servers, each serving a copy of the application. Each WAS server is configured to deliver a unique server ID string back to the user. AWS uses this string to determine which WAS server will handle subsequent requests made by the user. This all works fine for the parts of the J2EE app that are handled by Struts, but the web service exists outside of that context. This seems to be why the web service responds using the WAS default secure port, and not the port defined in Struts.
I can't change the WAS default secure port to 443, because I can't have two instances of WAS on the same server both listening to port 443.
In general you have two choices:
1. You can install IBM Http Server (IHS) and WebSphere Plugin to route requests to WebSphere. IHS uses by default 80 and 443 ports.
2. Change default SSL port in WebSphere - In Server > Ports change the WC_defaulthost_secure from 944x to 443.
There is second issue in your question - do you want to protect using SSL whole service or just WSDL?
To configure it you will either need to define security constraints to protect selected URIs or configure HTTP server to only allow SSL access to the service.
UPDATE
If you have Apache Web server in front, then install and configure WebSphere Plugin (if you currently use mod_proxy or something else). WebSphere Plugin is available for Apache and will do dispatching and load balancing across multiple WAS instances (if they are clustered then you can generate plugin automatically from Deployment Manager, if you have many standalone instances - you will need to merge plugin, there is a tool for that).
It doesn't matter that your app is using Struts, your wsdl can still be served via Http server and plugin.
For redirection to HTTPS you need to solve that issue from your other post - security-constraint in web.xml is not enforced as I assume it is the same environment.