I have an ec2 instance (ubuntu) that runs my node.js back-end: APi + Mongodb. I run the node server with PM2. I'm trying to add https to it.
Here's my node.js code:
const express = require("express");
const app = express();
const fs = require("fs");
const https = require("https");
var options = {
key: fs.readFileSync("./privatekey.pem"),
cert: fs.readFileSync("./server.crt"),
};
const port = process.env.PORT || 3000;
https
.createServer(options, app)
.listen(port, () => console.log(`listening to port ${port}`));
The HTTP works. When I go to the https at port 3000 I get this message:
"This connection is not private". This website may be impersonating "ec2-XX-XXX-XXX-XXX" ....."
I understand that the certificates are only good at localhost? But how can I make them work in prod? From my understanding, it's not possible to buy SSL certs for Ip address?
Any suggestions?
PS: I tried with port 443 but ran into a permission issue (showing in PM2 logs)...
-------EDIT----
My point was to connect my front end (in one instance) to my back-end (in another instance) without any SSL security error.
I ended up creating a sub-domain in AWS hosted zone that re-direct to my front-end domain. I used Nginx and Certobot to upload a new SSL cert to my subdomain instance.
I previously created a sub-domain before but did it the wrong way. I followed this tutorial this time around and it took 2min.
https://dev.to/arswaw/create-a-subdomain-in-amazon-route53-in-2-minutes-3hf0
it's not possible to buy SSL certs for Ip address?
You should get your own domain. Buy it on Route53 or any other domain re-seller you prefer. Then, you can get your own SSL cert for your domain.
If you don't want to use certbot on the instances, you can create an SSL cert (within ACM) and assign it to an ELB from within the AWS console.
Just place your instance that needs the SSL cert inside the ELB's target group and update your DNS to reflect this. If you have 2 EC2 instances, you can do this with another ELB too. It costs a bit more money, but now the onus is on AWS to renew the certificates and you wont need to use certbot on the instances at all. I'd advise to use DNS validation when it comes to creating your certificate in ACM and use a wildcard (*.mydomain.com) to allow for your backend subdomain.
You will need to create a subdomain for your backend service and update your nginx config (on the backend EC2 instance), to listen for traffic.
The end product should be 2 instances, 2 ELBs, one wildcard SSL cert.
Related
I have MERN stack app and both Reactjs and Nodejs are running on Same host/IP of EC2 . I have bought a domain from Godaddy so how can i point it to my domain . Am getting this error on Godaddy
Also how can i add SSL certificate for both (Frontend and NodejsServer / both running on same instance with different ports e.g 3002:react , 4000:nodejs)
It can be achieved using Route53, providing high level overview here and pointing to the AWS Documentation
Set static IP of your EC2 instance (Elastic IP)
Configure hosted zones in Route53
Create records in Godaddy
Full documentation here https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-ec2-instance.html
It depend how you want to setup SSL for FrontEnd and Backend
Ideally for FrontEnd you point your domain to the right port of FE 3002 so that when you open your site www.mysite.com then it opens your FE
For BE, you can use your static IP or the AWS provided host name and to setup SSL follow this SO post
Frontend (domain.com and www.domain.com)
Use AWS apmilify to host your static files, it will give you dns record that you can add on godaddy.
Backend (server.domain.com)
Put a loadbalancer Infront of your ec2 instance that will handle ssl and it will give you a dns record that you can add on godaddy. Loadbalancer should listen on 80 and 443 ports and can forward to 4000 on ec2 instance.
please note this is just a quick recommendation just for your use case, there are many better ways to deploy MERN apps.
My ubuntu server work correctly in port 80 using nginx, it's finally switch to port:3000 for Nodejs app to run. Everything okay when i pass the dns to the browser but when I try to connect with cloudflare It's appear the 502 bad gateway code when access the domain name? I'm kind of new in cdn hosting please tell me what to do! Many thanks
My Cloudflare Setup
Assuming you are running your webservice on port 80 publicly available:
What you could do is to disable the encryption between Cloudflare and your origin (not recommended):
Select your Domain, go to SSL/TLS -> Overview. Select "Off (not secure)"
But you really shouldn't do this for a production environment.
Your nginx should support encrypted traffic over HTTPS.
Issue a selfsigned certificate (not recommended), have a look at certbot or better:
Issue a Cloudflare Origin Certificate (SSL/TLS -> Origin Server)
I have read many similar questions and found numerous articles elsewhere but I'm still unsure how to solve this.
What I'm trying to achieve:
Set my node app on AWS EC2 up to be able to communicate on HTTPS for free or at the lowest cost possible, while still being production ready.
What I have done:
Added inbound rules on my EC2 instance to accepts all traffic
on HTTP and HTTPS and additionally added a rule for HTTPS on PORT 443
specifically.
Set my node app to listen on port 443.
Most articles I have read recommend setting up a reverse proxy server using NGINX and a custom domain with an SSL certificate.
This leads me to the following questions:
Do I need a custom domain for my backend, for it to communicate on HTTPS?
If yes, can I use my Firebase free domain or a subdomain of it? E.g. https://myapp.firebaseapp.com/ or https://api.myapp.firebaseapp.com/
If yes and no, and I buy a custom domain, can I use mydomain.com for my frontend and api.mydomain.com for my backend - can this be done using the same SSL certificate?
Do I need a reverse proxy server?
I am trying for the simplest deploy to get an https web server up and running in Fargate.
I have used Amazon Certificate Manager to create a public certificate.
I have an Application Load Balancer that is talking to the Fargate container on two ports:
80 for http and
443 for https
This is the problem: when I run my webserver on port 80 (http) and connect via the ALB, it works fine (not secure, but it serves up the html).
When I run my webserver on port 443 with TLS enabled, it does not connect via the ALB.
Another point is that when running my webserver with TLS enabled on port 443, I do not have the certificate or certificate key, and so am confused how to get that from Amazon.
Another question I have is: does it make sense for me to say that the ELB will communicate with the client over HTTPS but that the ELB can communicate with the container via HTTP? Is this secure?
My networking knowledge is very rusty.
does it make sense for me to say that the ELB will communicate with the client over HTTPS but that the ELB can communicate with the container via HTTP?
Yes. You should make sure your web server is accepting traffic from the ALB on port 80. This is done at the application level, on the web server, and with your target group, which is what the ALB will use to determine how it routes traffic to your web server. This is way it typically works:
client --(443)--> ALB --(80)--> web server
Some things to check:
Target group is configured to send traffic to your FG web server on port 80
Target group health check is configured to check port 80
FG task security group has ingress from ALB on port 80
Web server is configured to listen on port 80
Sidenote: You can configure your target group to send traffic to the target (web server in Fargate) on 443, but as you said, without the proper certificate setup in the container, you won't be able to properly terminate SSL and it just wouldn't work. You would need to upload your own cert to ACM for this to work, which sends you down a security rabbit hole, namely how to avoid baking your private key into your Docker image.
I'm struggling with AWS to enable https systematically. I requested a certificate through the certificate manager, and then have the ELB and Security Group listen to HTTPS and port 443.
But I also need my server on the AWS instance to listen to https request on the 443 port, right? My server is running with NodeJS and Express. From what I understood, I'd need to have a certificate (.crt) file and key to do it correctly, but I didn't find out how to download them from AWS Certificate Manager.
Did anyone faced this problem before? Thanks all!
I also need my server on the AWS instance to listen to https request
on the 443 port, right?
Nope, you enable the certificate on the ELB. SSL termination happens on the ELB, and communication between the ELB and your NodeJS server occurs over HTTP inside your VPC. The ELB will send a special HTTP header X-Forwarded-Proto to your NodeJS server, which you can check if you need to know if the connection between the ELB and the client is over HTTP or HTTPS.
You can't download certificates generated by Amazon's ACM service. You can only use them via Load Balancers or CloudFront distributions.
No, You cannot download the certificate, instead of that you can configure your Apache. for configuring https open /etc/apache2/sites-available/default-ssl.conf
and add this lines to that file.
<Location /subDomain>
ProxyPass http://localhost:port
ProxyPassReverse http://localhost:port
</Location>
after adding restart your apache.
And open the browser and check https://yourdns.com/subDomain
My application's ssl certificate (running in AWS ECS) expired 2 days ago. Because that certificate is managed by ACM and can not be downloaded and installed manually. I do the following to renew it:
In ACM, submit the request for renew the certificate, (need to
provide email or DNS provider to verify this domain is owned by you.
) I used email way. After validation, the certificate renew request
's status changed from 'pending' to 'issued'.
There is no place to download the certificate, as above answer, we
need to use ELB or other service to install that certificate. In aws
console, EC2 => Load balancer => View/edit certificates => add the
certificates created for that. => done