Problem running Express app over HTTPS on aws - node.js

I have an ExpressJS backend and I want to run over https on aws (so I don't get 'mixed type content' error when trying to connect with my frontend which runs over https), it's running great using http but when using https it doesn't work.
I asked this question before and I got answers like 'use nginx', 'use load balancer'. Unfortunately I don't know much about this stuff as I'm not very experienced with all the AWS variations and options. Are there any tutorials I can follow step by step? Or any easy way to serve my backend over https without complexity?

any easy way to serve my backend over https without complexity?
The easiest way (not to be confused with the cheapest way) is to change your EB environment to a load-balanced one. You can do this in the EB console's configuration settings.
This change will create an Application Load Balancer for your app and place it in front of your instance. Once the ALB is running you can follow this AWS guide:
How can I configure HTTPS for my Elastic Beanstalk environment?
In the above, only the section Terminate HTTPS on the load balancer would be relevant.
Depending on the nature of your application (is it fully dynamic, or more on the static side?), you could also consider Using Elastic Beanstalk with Amazon CloudFront instead of using an ALB. CloudFront could also be easily set up to use HTTPS between clients and CloudFront, but the issue is that traffic between CloudFront and your EB instance would go over the internet unencrypted (HTTP). Obviously, you could make it HTTPS, but this requires further changes and configurations which do not fall into the category of "easy ways".

Related

AWS Loadbalancer Proxy for Nodejs

I have configured the load balancer to route requests to two EC2 instances running a NodeJs server. I need to direct the requests coming from both http (port 80) and https (port 443) to http (port 80) of the EC2 instances in NodeJs. I have uploaded the SSL certificate to AWS and configured the load balancer to use the SSL certificate. The problem is that requests coming from the http port don't automatically route to https. It has to be a server-side script or snippet which I need to write in server.js which should be routing http to https. I tried to do it and it ran into endless redirection. So questions -
Is there any guide to do this from AWS ?
If not then how one can achieve this, any pointers or suggestions would be greatly appreciated.
On the server side you can check the X-Forwarded-Proto (original request protocol) and if it has the value http you can send a redirect (HTTP 302) to a URL with the https protocol.
Though with ALB (application load balancer) you may specify a set of rules, maybe it's possible to do that there.
I couldn't find a guide from AWS, but I will keep searching and update the answer in the case I find it.
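The X-Forwarded-Proto check described in the answer above, written as Express-style middleware. This is an added example, not code from any of the posts; `CANONICAL_HOST`, `httpsRedirectTarget` and `requireHttps` are hypothetical names, and the hostname is a placeholder.

```javascript
'use strict';

// Assumption: the site's public hostname (placeholder value).
const CANONICAL_HOST = 'api.example.com';

// Returns the HTTPS URL to redirect to, or null to handle the request normally.
// Behind a TLS-terminating balancer the socket to Node is always plain HTTP,
// so the decision has to come from X-Forwarded-Proto; testing the socket
// redirects requests that already arrived over HTTPS, which never terminates.
function httpsRedirectTarget(headers, path) {
  const proto = String(headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  // Only an explicit "http" triggers a redirect. "https" is already secure,
  // and a request with no header (assumed here: the balancer's health check,
  // sent straight to the instance) must get a normal response, not a 3xx.
  if (proto !== 'http') return null;
  // Use a fixed hostname rather than the client-supplied Host header so the
  // Location value cannot be steered to another site.
  const safePath = typeof path === 'string' && path.startsWith('/') ? path : '/';
  return 'https://' + CANONICAL_HOST + safePath;
}

// Express-style middleware: (req, res, next).
function requireHttps(req, res, next) {
  const target = httpsRedirectTarget(req.headers, req.url);
  if (target === null) return next();
  res.statusCode = 302; // the status code suggested in the answer
  res.setHeader('Location', target);
  res.end();
}
```

Register it before the routes (in Express, `app.use(requireHttps)`), and keep the instances reachable only through the load balancer, since a client that connects directly can set X-Forwarded-Proto itself.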
Usually, when you write applications in Node.js, you specify which port your app should run on. It means that you will need two different servers listening. And when your app receives a request on port 80 (HTTP), it should redirect to your HTTPS server, like in this answer.
Another point that may be relevant to your question is that, in production environments, you don't usually bind a port to your Node.js server, since it's not production ready. You probably want to use a reverse proxy and load balancer like Nginx or HAProxy.
If you are using the AWS ALB (Application Load Balancer) they announced the http->https redirect today. Take a look: https://exampleloadbalancer.com/redirect_demo.html
Put your ELB behind CloudFront and, in the settings of your distribution, select forward HTTP to HTTPS.
The following doc will be helpful:
https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-ddos-cross-service-ELB.html
This method has two benefits:
1-Your problem will be solved
2-You can use the benefit of the powerful CDN. For more information about CloudFront read https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
Update:
You can forward traffic from HTTP to HTTPS by editing your Listeners setting in your ELB.

Why are there multiple POST requests with /FotorShopSurpport API on my AWS Elastic Bean Stalk node server?

I see multiple POST requests throughout my logs:
POST /FotorShopSurpport/fetchModulesByAppkey
POST /FotorShopSurpport/fetchRecommendResource
POST /FotorShopSurpport/batchResourcePkgNumByType
I don't have any API matching that route, nor am I calling these APIs on my server. I recently created this server and no one even knows the link to the server apart from me.
Is this something Elastic Beanstalk is doing? Or is it totally different?
I have several other servers through Elastic Beanstalk and this is the first time I have seen these requests in any logs.
Found some access logs containing "FotorShopSurpport" on google. The requests are for store.fotor.com.
$ host store.fotor.com
store.fotor.com is an alias for elb-store-376424179.us-west-2.elb.amazonaws.com.
elb-store-376424179.us-west-2.elb.amazonaws.com has address 52.34.194.249
elb-store-376424179.us-west-2.elb.amazonaws.com has address 35.160.57.75
Some client trying to access store.fotor.com is using the wrong IP, maybe because of too aggressive caching. ELB keeps changing IPs. I have seen such requests in my access logs too. Make sure your webserver is configured to only serve requests for your own hostnames.
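One way to follow the advice in the answer above and serve only requests addressed to your own hostnames, as Express-style middleware. This is an added example, not code from the post; the hostnames, the `/health` path and all function names are assumptions.

```javascript
'use strict';

// Assumptions (placeholders): the hostnames this server answers for, and the
// path the load balancer polls for health checks.
const ALLOWED_HOSTS = new Set(['api.example.com', 'www.example.com']);
const HEALTH_PATH = '/health';

// Normalise a Host header value: lowercase, no port, no trailing dot.
function normaliseHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const h = hostHeader.trim().toLowerCase()
    .replace(/:\d+$/, '')   // drop ":443", ":80", ...
    .replace(/\.$/, '');    // drop the trailing dot of a fully qualified name
  return h === '' ? null : h;
}

// True only when the request names one of our own hostnames.
function isOwnHost(hostHeader) {
  const h = normaliseHost(hostHeader);
  return h !== null && ALLOWED_HOSTS.has(h);
}

// Express-style middleware: (req, res, next).
function rejectForeignHosts(req, res, next) {
  // ALB health checks carry the target's IP address as Host, so the health
  // path is exempted; it should expose nothing but a status.
  if (req.url === HEALTH_PATH || isOwnHost(req.headers.host)) return next();
  // A request for someone else's site that reached this address, such as the
  // store.fotor.com requests in the question: 421 Misdirected Request.
  res.statusCode = 421;
  res.end();
}
```

With this in front of the routes, the stray `POST /FotorShopSurpport/...` requests get a 421 without reaching application code, and their Host values remain available to log for review.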

Where to terminate SSL/TLS in Node & Nginx

I'm building a web application using the MEAN stack. The site contains authentication (using passport.js) so I would like to secure our connection with SSL/TLS.
For our deployment we're using nginx as a reverse proxy to the Node app running on the same AWS EC2 instance.
My question is: With my setup, what is the best practice way to setup an https (SSL/TLS) connection? Should I get a certificate and set it up at the nginx layer? Should I do it in my node app directly? Is there some other better way?
I've done some googling but haven't found anything profound. If anyone could point me to an article on the topic that would be very useful as well.
Thanks in advance!
First, it's good to have SSL running on NGINX, so the communication is encrypted for the visitor in the first place (at least to the NGINX). If you're running Node on the same instance it's probably not absolutely necessary to also encrypt the traffic between Node and NGINX. But as soon as you have NGINX running in another place you should use SSL on Node too, as the data could potentially be accessed by hackers.

node.js autoscaling/load balancing any methods? with socket.io

I am trying to deploy a node.js project so it can auto scale with a loadbalancer.
I have tried AWS ELB elastic beanstalk. After much time spent, the ELB doesn't like the socket.io connection as much as expected.
From this I have searched many methods to fix this issue:
nginx proxying
changed listeners on the loadbalancer to allow TCP port 3000 (other ports too depending on the forum/question I looked at)
redis server to share socket connection between different nodes.
I can't really put all the sites that I've tried to get this working.
But it hasn't worked at all.
The only thing I probably haven't tried is using route53...
So the question is:
If there is someone that has a proper node.js app with socket.io working with elastic beanstalk (or EC2 instances with a load balancer and auto scaling) working, is there a way to do this, and what would that method be?
If there are links that have a few step by step methods that would be awesome.
Thanks in advance!

Can I use Amazon ELB instead of nginx as load balancer for my Node.Js app?

I have a Node.js app and I've seen a lot of posts here in SO that it needs to be behind a nginx as load balancer. Since I'm already accustomed to Amazon's services, thus my question.
Yes, but there are a few gotchas to keep in mind:
If you have a single server, ensure you don't return anything except 200 to the page that ELB uses to check health. We had a 301 from our non-www to www site, and that made ELB not send anything to our server because of it.
You'll get the ELB's IP instead of the client's in your logs. There is an ngx_real_ip module, but it takes some config hacking to get it to work.
ELB works great in front of a basic Node.js application. If you want WebSockets, you need to configure it for TCP balancing. TCP balancing doesn't support sticky sessions though, so you get one or the other.
