EC2 backend and Firebase frontend using HTTPS - node.js

I have read many similar questions and found numerous articles elsewhere but I'm still unsure how to solve this.
What I'm trying to achieve:
Set my node app on AWS EC2 up to be able to communicate on HTTPS for free or at the lowest cost possible, while still being production ready.
What I have done:
Added inbound rules on my EC2 instance to accept all traffic on HTTP and HTTPS and additionally added a rule for HTTPS on PORT 443 specifically.
Set my node app to listen on port 443.
Most articles I have read recommend setting up a reverse proxy server using NGINX and a custom domain with an SSL certificate.
This leads me to the following questions:
Do I need a custom domain for my backend, for it to communicate on HTTPS?
If yes, can I use my Firebase free domain or a subdomain of it? E.g. https://myapp.firebaseapp.com/ or https://api.myapp.firebaseapp.com/
If yes and no, and I buy a custom domain, can I use mydomain.com for my frontend and api.mydomain.com for my backend - can this be done using the same SSL certificate?
Do I need a reverse proxy server?

Related

How to point AWS EC2 Server to my Godaddy domain

I have a MERN stack app, and both Reactjs and Nodejs are running on the same host/IP of EC2. I have bought a domain from GoDaddy, so how can I point it to my domain? I am getting this error on GoDaddy
Also, how can I add an SSL certificate for both (frontend and Nodejs server, both running on the same instance with different ports, e.g. 3002: react, 4000: nodejs)?
It can be achieved using Route53. Providing a high-level overview here and pointing to the AWS documentation:
Set static IP of your EC2 instance (Elastic IP)
Configure hosted zones in Route53
Create records in Godaddy
Full documentation here https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-ec2-instance.html
It depends on how you want to set up SSL for the frontend and backend.
Ideally, for the frontend you point your domain to the right port of the FE (3002) so that when you open your site www.mysite.com it opens your FE.
For the BE, you can use your static IP or the AWS-provided host name, and to set up SSL follow this SO post
Frontend (domain.com and www.domain.com)
Use AWS Amplify to host your static files; it will give you a DNS record that you can add on GoDaddy.
Backend (server.domain.com)
Put a load balancer in front of your EC2 instance that will handle SSL, and it will give you a DNS record that you can add on GoDaddy. The load balancer should listen on ports 80 and 443 and can forward to 4000 on the EC2 instance.
Please note this is just a quick recommendation for your use case; there are many better ways to deploy MERN apps.

Can't connect to Cloudflare with A - DNS

My Ubuntu server works correctly on port 80 using nginx; it finally switches to port 3000 for the Node.js app to run. Everything is okay when I pass the DNS to the browser, but when I try to connect with Cloudflare, a 502 Bad Gateway code appears when I access the domain name. I'm kind of new to CDN hosting, please tell me what to do! Many thanks
My Cloudflare Setup
Assuming you are running your webservice on port 80 publicly available:
What you could do is to disable the encryption between Cloudflare and your origin (not recommended):
Select your Domain, go to SSL/TLS -> Overview. Select "Off (not secure)"
But you really shouldn't do this for a production environment.
Your nginx should support encrypted traffic over HTTPS.
Issue a self-signed certificate (not recommended), have a look at certbot, or better:
Issue a Cloudflare Origin Certificate (SSL/TLS -> Origin Server)

Redirect traffic from http to https on node.js instance on elastic beanstalk

I want to redirect traffic from http to https on my load balanced node.js instance running on Amazon Linux + nginx on elastic beanstalk.
I configured the load balancer to route traffic on port 80 and 443 to the instance:
When I access the page with https://url.com I have a secure https connection but I can still force http by opening the url with http://url.com.
I want to prevent this by forcing the incoming traffic on port 80 to be redirected to 443.
I found this configuration file in the official AWS documentation:
https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/security-configuration/https-redirect/nodejs/https-redirect-nodejs.config
I created an .ebextensions folder and placed the configuration file in there.
I deployed the application but the redirection still does not work.
Has anybody solved this kind of problem?
Anything else I could try?
In EB you can use Classic, Network and Application load balancers.
If you expect HTTP and HTTPS traffic only, switch to an Application ELB and do the HTTP to HTTPS redirection on the ELB.
Moreover, you can request an SSL certificate in ACM (for free) and attach it to your SSL listener.
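Added example, not part of the answer above or of the AWS sample configuration: when TLS terminates at the load balancer, the Node.js app only ever sees plain HTTP, so an app-level redirect has to key on the X-Forwarded-Proto header that ELB sets rather than on the connection itself. The names HEALTH_PATH, CANONICAL_HOST, decide and enforceHttps and the /health path are assumptions; url.com is the host from the question.

```javascript
// Added example. Assumed names: HEALTH_PATH, CANONICAL_HOST, decide, enforceHttps.
const HEALTH_PATH = '/health';     // assumed health-check path configured on the load balancer
const CANONICAL_HOST = 'url.com';  // host from the question; never copied from the client's Host header

// Classify one request that arrived over the plain-HTTP hop from the load balancer.
function decide(req) {
  const url = req.url || '/';
  // Health checks must be answered directly, not redirected.
  if (url.split('?')[0] === HEALTH_PATH) return { action: 'pass', hsts: false };

  // Some proxy chains send a comma-separated list; use the first value.
  const raw = String(req.headers['x-forwarded-proto'] || '');
  const proto = raw.split(',')[0].trim().toLowerCase();
  if (proto === 'https') return { action: 'pass', hsts: true };

  // Missing or "http": redirect. Absolute-form request targets are reduced to "/"
  // so the Location value is always on the canonical host.
  const path = url.startsWith('/') ? url : '/';
  return { action: 'redirect', location: `https://${CANONICAL_HOST}${path}` };
}

// Wrap an existing (req, res) handler, e.g. an Express app.
function enforceHttps(app) {
  return (req, res) => {
    const d = decide(req);
    if (d.action === 'redirect') {
      res.writeHead(301, { Location: d.location });
      return res.end();
    }
    // HSTS only means something on responses the browser received over HTTPS.
    if (d.hsts) res.setHeader('Strict-Transport-Security', 'max-age=31536000');
    return app(req, res);
  };
}

// Usage: require('http').createServer(enforceHttps(app)).listen(port);
// The header is only trustworthy if the instance's security group admits traffic
// from the load balancer alone; a client that reaches the instance directly can set it.
```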

Add ssl to rest api

I have an Express.js application running on an AWS EC2 instance that acts as a REST API for my application. If I want to add SSL certification for my Express.js API, what should I do?
1) Do I need to get a domain with SSL certification and map it to my EC2 IP address?
2) Or is it enough to put AWS API Gateway in front of my EC2 instance, use the free SSL from ACM and get a domain without SSL?
3) Or get a domain with SSL and also SSL in ACM?
(kind of confused with understanding domain and ssl, any help would be appreciated)
Thanks in advance.
The default pattern for this kind of use case, assuming that you don't want to manage a domain + certificate, is to put your EC2 instance behind a service that integrates with ACM, such as Elastic Load Balancing (ELB) or an Amazon CloudFront distribution.
API Gateway, while also giving you an SSL certificate, would also bring many other features that you'd still have to pay for.
Example
EDIT:
Original question was not formatted properly and I missed option 3).
If you are going to get a domain, then you have other options such as managing it with Route53 and directing your traffic to the EC2, or do the same but with the domain registrar. This assumes that the EC2 has a static IP address that allows you to address it. At this point, you can get an SSL Cert either via AWS ACM or by other means directly on the EC2 (i.e. Let's Encrypt). The difference between the two, aside from price, would be that one requires you to manage your own certificate while the other is an AWS managed service.

AWS EC2 LoadBalancing SSL nodeJS - Where am I going wrong

I am fairly new to all this (being an app/mobile web developer).
I have setup an instance on EC2 which runs perfectly under http.
I want to add https support as I want to write a service worker.
I have used Amazon's Certificate Manager to obtain a certificate.
I have created an ELB and added a listener at 443 for https
I am not entirely sure whether my ELB and EC2 instance are connected. Following some instructions I attempted to create a CNAME rule in my Route53 setup but it would not accept it (pointing to the ELB DNS).
My understanding is that if they are then my http nodejs instance should now automatically support https.
This is currently not the case. My nodejs code is unchanged (it still only creates an http server listening at port 3002).
When I do an http call to the domain (http://example.com:3002) it works, but an https call (https://example.com:3002) does not, with a "Site can not be reached" failure.
This leads me to believe that the ELB and the EC2 are not associated. Can anyone suggest where I may have gone wrong as I have hunted the internet for 3 days and not found any step by step instructions for this.
You need to focus on this part of your question:
"I am not entirely sure whether my ELB and EC2 instance are connected. Following some instructions I attempted to create a CNAME rule in my Route53 setup but it would not accept it (pointing to the ELB DNS)."
Why are you not sure they are connected? You should be able to look at the health check section in the load balancer UI and see that the server instance is "connected" and healthy. If it isn't, then that is the first thing you need to fix.
Regarding the CNAME in Route53, what do you mean it wouldn't accept it? What are the details of that issue? Until you have your DNS pointing to the load balancer you won't actually be using the load balancer, so that's another issue you need to fix.
"When I do a http call to the domain (http://example.com:3002) it works but a https call (https://example.com:3002) does not with a Site can not be reached failure."
If you had an error setting up the DNS then of course this isn't going to work. You shouldn't even be attempting to test this yet until you get the DNS configured.
