I have deployed a Python Flask based app in AWS. It is running fine on http://<ip>. I need to convert this to https. I have sent a request to the admin to enable port 443 for https.
Will that automatically make my app use https, or do I need to install or set up something else to make it happen?
You have multiple choices for this:
Use ACM (Easiest?!):
If you're using AWS load balancers, you can create a certificate using the ACM service, assign it to your load balancer, and modify your Target Groups in the EC2 panel.
If you are using CloudFront, you can also configure your SSL/TLS there (without changing the load balancer and target groups). It will work as an upper layer.
Use other certificate providers excluding AWS ACM:
You can set up something like Let's Encrypt or use Cloudflare services.
Note: it really depends on how your cloud stack currently is; you may be deploying only on an EC2 server with Nginx configured and everything else done outside of AWS with other services, or you can have a Let's Encrypt certificate on your ALB.
This post just gives you some keywords; you can search for the exact instructions/tutorial for each solution.
Related
Background
I have a system running on Azure IoT Edge. The system is composed of multiple modules that expose REST interfaces. To make everything look tidy from the client's perspective (a browser on another machine in the same network) we use an Azure Function and its reverse proxy capabilities.
So, basically, the client makes a request to an endpoint of the function; if the route matches one in the "proxies" config, it is routed to the correct module using the docker network provided by the IoT Edge product.
Problem
Now, what I would like to accomplish is that the client would use an https connection to make the request to the function.
So the browser would make a request to https://:8000/Somemodule/Resource and this request would be routed by the af proxy to http://Somemodule:80/Resource .
So my question is, how do I enable https in a function running locally in a docker container, and can the reverse proxy work as described above?
Thanks for any help!
For HTTPS, you primarily need an SSL certificate and a reverse proxy like nginx that can do SSL termination, since I believe Azure Functions doesn't support it as part of the runtime itself (which is what the docker container has).
Nginx is a popular and fairly common choice for SSL termination. You would have to configure it for SSL with your domain information and set up your Azure Function as its upstream.
That being said, you could actually just use nginx as your proxy directly too, completely removing the need for Azure Functions, unless you are using it for Functions and Proxies. Your current proxy entries would just become an upstream definition for each module and separate locations (basically path) that would route the requests.
I have an amazon ec2 instance running apache server and nodejs express app. It has an auto assigned IP - http://ec2-13-126-38-24.ap-south-1.compute.amazonaws.com
I want to be able to access my node app on "https" instead of just http as it needs to be integrated with a frontend app. Does anyone know how to achieve this? It's kind of stupid that heroku provides ssl enabled subdomains by default but aws does not. What am I missing here?
This is intentional. AWS does not allow adding SSL certificates to their auto assigned domain. It won't work even if you try Let's Encrypt. The only solution is to have a custom domain instead.
I have a Nodejs/Express application running on AWS. My public URL (www.example.com) is registered in a host provider (SiteGround).
My host provider DNS entry for the application points to AWS (application.example.com points to my AWS public IP).
My host provider has also our company web site running WordPress.
So, if you point to our public URL you get our website. Pointing to the application you get our SaaS login page.
All of that runs fine with HTTP. I have now a task to migrate everything to HTTPS. I've checked how to add HTTPS to nodejs, all fine.
My question is related to certificates. Questions:
a) Should I get the SSL certificate on my host company or on AWS? Both offer the certificates.
b) Do I need a certificate on AWS (to be added to nodejs) and at my domain (to allow HTTPS domain access) or just in nodejs ?
It does not matter where you get your certificate from, as long as your provider gives you an authorized certificate. However, if you use Amazon's certificate manager, it can be easier to integrate with their services.
If you are serving your application through an AWS load balancer then you don't need to add it to the Node.js application; instead you get a certificate through the certificate manager and add it to the listening interface in the load balancer, and it gets served automatically this way.
Create a Classic Load Balancer with an HTTPS Listener
HTTPS Listeners for Your Application Load Balancer
If you are serving your application directly, then you will need to add it to the Node.js application (e.g. using https module).
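The application side of the load-balancer setup described in this answer, as an added example that is not part of the original post: the load balancer holds the certificate and forwards plain HTTP, so the Node.js process has to read the `X-Forwarded-Proto` header (set by AWS Application and Classic Load Balancers on HTTP/HTTPS listeners) to tell whether the client used HTTPS. The `/healthz` path and port 8080 are hypothetical, and the sketch assumes the instance's security group only admits traffic from the load balancer, since the header is otherwise client-controlled.

```javascript
// Added example: Node app behind a load balancer that terminates TLS.
const http = require('http');

const HEALTH_PATH = '/healthz'; // hypothetical health-check path

// Decide what to do with a request forwarded by the load balancer.
// headers: lower-cased request headers (as Node provides them)
// url:     request path plus query string
function decide(headers, url) {
  // Health checks arrive over plain HTTP; answer them without redirecting.
  if (url === HEALTH_PATH) return { action: 'serve' };

  const proto = String(headers['x-forwarded-proto'] || '').toLowerCase();
  if (proto === 'https') return { action: 'serve' };

  // Build the redirect from Host, refusing anything that is not a plain
  // host name so the header cannot steer the redirect elsewhere.
  const host = String(headers.host || '').replace(/:\d+$/, '');
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i.test(host)) {
    return { action: 'reject' };
  }
  return { action: 'redirect', location: `https://${host}${url}` };
}

function createApp() {
  return http.createServer((req, res) => {
    const d = decide(req.headers, req.url);
    if (d.action === 'redirect') {
      res.writeHead(301, { Location: d.location });
      return res.end();
    }
    if (d.action === 'reject') {
      res.writeHead(400);
      return res.end('bad Host header');
    }
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('ok\n');
  });
}

// To run behind the load balancer: createApp().listen(8080);
```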
I'll try to answer each question below:
a) Should I get the SSL certificate on my host company or on AWS? Both offer the certificates.
If the Amazon issued certificate is strong enough for your needs, like basic https encryption, I would opt to use them for the sake of simplicity. You just need to fill the form, validate and Amazon is in charge of making it secure and renew it automatically when it expires.
b) Do I need a certificate on AWS (to be added to nodejs) and at my domain (to allow HTTPS domain access) or just in nodejs ?
AWS issued certificates can only be used with AWS managed services such as Application Load Balancer and CloudFront - CDN. There are many docs explaining about how to setup an ELB with AWS Certificate and EC2 Backend, check Create a Classic Load Balancer with an HTTPS Listener
In order to use them inside your EC2 vm you would need to download and configure it in your webserver. I think AWS will never allow it to avoid security breaches.
It doesn't matter how you get a certificate. You can request free certificates from Let's Encrypt using its API, or you can create certificates in AWS Load Balancer (but don't forget to check whether the AWS certificate limitations are fine for your case).
AWS LoadBalancer will be in front of your EC2 so it will sign certificates for you.
If you have an option to get certificate files (e.g. you create certificates yourself by using letsencrypt or other cert provider), you should keep certificates on your EC2 instance (if you have multiple instances, you should keep certificates on each instance). And you should use Network Load Balancer on tcp level, so NLB will just proxy your traffic which was already signed correctly.
Also you can use existing third-party solutions from AWS marketplace or non-AWS solutions. E.g. you can use AWS Kilo SLL. It is easy to set up, and it will create and renew certificates for your domains. So you will have just an extra EC2 instance which will sign all your traffic depending on the request domain. I'm mostly sure there are other similar alternative solutions to use; for our 240 domains Kilo works fine.
I have 2 clusters running 2 services and several nodejs instances.
I want to have a reverse proxy in front of my clusters and I have been facing many problems/questions:
Do I have to manually update the SSL certificate on every instance every time it expires?
Should the SSL encryption be used only outside the reverse proxy?
Do I have to deploy an nginx cluster or is there an AWS service for this?
Where can I find documentation for this?
If the answer is too big a reference to some documentation would suffice.
You have two options available
AWS CloudFront
AWS Application ELB
Using either one you can terminate the SSL externally to the EC2 and also use AWS issued free SSL certificates.
I have developed a node.js app and successfully uploaded and deployed it using AWS tools and Elastic Beanstalk. My app is reachable through the url provided by EB.
I created an SSL certificate through AWS Certificate Manager and assigned it from the configuration menu. Load Balancer Config
When I checked the load balancer and security group configuration everything looked fine, but if I try to get https://myappurl.us-west-2.elasticbeanstalk.com I get a privacy error response.
I think that this is more likely an Amazon support question but maybe someone knows if I missed something.
Thanks
The SSL certificate will be for a specific domain. It is certainly not for the myappurl.us-west-2.elasticbeanstalk.com domain because you don't own the domain elasticbeanstalk.com so there's no way you could have created a valid SSL certificate for that domain. The SSL certificate is only going to work with the custom domain you created the certificate for, and only when you have that custom domain actually pointing to your Elastic Beanstalk environment.
SSL certificates work for the domain name they were generated for. As per your comment you got that certificate for myapp.mydomain.io, so it will not work for myappurl.us-west-2.elasticbeanstalk.com. You have to map myapp.mydomain.io to point to the EB, and then myapp.mydomain.io will serve the SSL certificate: https://myapp.mydomain.io.
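The name check behind the privacy error discussed in these answers, as an added example that is not part of the original posts: it runs Node's own `tls.checkServerIdentity` over constructed certificate fields to show which host names a certificate for `myapp.mydomain.io` covers. The certificate objects, the wildcard variant and the IP address `203.0.113.10` are constructed for illustration; the host names are the ones quoted on this page.

```javascript
// Added example: which host names a certificate actually covers.
const tls = require('tls');

// Constructed certificate fields, in the shape Node reports them from
// TLSSocket#getPeerCertificate(); the domain is the one from the answer.
const cert = {
  subject: { CN: 'myapp.mydomain.io' },
  subjectaltname: 'DNS:myapp.mydomain.io',
};

// Constructed wildcard certificate for comparison.
const wildcardCert = {
  subject: { CN: '*.mydomain.io' },
  subjectaltname: 'DNS:*.mydomain.io, DNS:mydomain.io',
};

// Returns { host, ok, reason } using the same check an HTTPS client applies.
function coverage(host, c) {
  const err = tls.checkServerIdentity(host, c);
  return { host, ok: err === undefined, reason: err ? err.message : null };
}

function report(hosts, c) {
  return hosts.map((h) => coverage(h, c));
}

const hosts = [
  'myapp.mydomain.io',                                  // custom domain
  'myappurl.us-west-2.elasticbeanstalk.com',            // EB-provided name
  'ec2-13-126-38-24.ap-south-1.compute.amazonaws.com',  // auto-assigned EC2 name
  '203.0.113.10',                                       // constructed bare IP
];

for (const r of report(hosts, cert)) {
  console.log(r.ok ? 'covered    ' : 'NOT covered', r.host);
}
// A wildcard covers exactly one extra label, not deeper subdomains.
for (const r of report(['api.mydomain.io', 'a.b.mydomain.io'], wildcardCert)) {
  console.log(r.ok ? 'covered    ' : 'NOT covered', r.host);
}
```

Only the custom domain passes; the provider-assigned names and the bare IP fail the same check a browser performs, which is why the DNS record for the custom domain has to point at the environment.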