CloudFront domain name does not work after propagation - amazon-cloudfront

I have used Elastic Beanstalk to serve my application. I have created a CF domain with a custom SSL certificate, with the origin as the ELB. I have set the Origin Protocol Policy to 'HTTP Only' and the Viewer Protocol Policy to HTTP and HTTPS. The CF URL works fine after it is deployed and gets redirected to abc.example.com. But after the CF URL is added as a CNAME for abc.example.com in the cPanel server, it shows a 'Redirected too many times' error.

Related

HTTPS/SSL Certificates and traffic on Azure - From CDN (custom domain with SSL) to Traffic Manager and end to end flow

We have been working on a flow of upstream services on Azure. The following is the architecture:
User -> DNS -> Azure CDN -> Azure Traffic Manager -> Frontend Load Balancer (Firewall NVA) -> Azure Application Gateway -> Backend Pool (VM-Webserver)
The above flow was designed for a client and we are provisioning the same. The entire end to end flow works with HTTP requests.
But for HTTPS with SSL, the flow works only until the Traffic Manager; as soon as we add the CDN to the flow, it gives the error 'Request cannot be served'. When checked in the browser, it shows 502 Bad Gateway in developer tools.
What we have seen so far:
The end-to-end flow is working seamlessly for HTTP requests. For HTTPS/SSL requests the following configs have been done:
a) CDN: We have a profile with Custom Domain and HTTPS and Certificate enabled over it. The profile has both 80 and 443 enabled
b) Traffic Manager: Endpoint set to port 443
c) Application Gateway: Plan to use end-to-end SSL encryption
i) Listener is on port 443 and has a pfx certificate
ii) HTTP setting with HTTPS and has a cer certificate from the original webserver
We have tried different combinations of configuration with the CDN and Traffic Manager but it doesn't seem to work. I need this flow to work end to end for HTTPS requests. This is for a prod migration to Azure.
Sorry for not following up and reverting on this.
As for the above issue and requirements, it was resolved.
Following were the steps taken:
The CDN was configured with Origin type selected as Custom Origin. The Origin Hostname was given as the Traffic Manager URL, e.g. abc.trafficmanager.net. Origin Host Header was left blank.
For the Traffic Manager profile, the endpoint was changed to Azure endpoint, Target resource type selected as Public IP Address, and the public IP address of the Load Balancer added.
For Application Gateway, it had to be made sure that we used a PROPER CA CERTIFIED CERTIFICATE for end-to-end SSL encryption; we were trying it with a self-signed one, hence it did not work. We purchased one and used it, and the CDN responded as expected.
Another important observation was that, for Application Gateway in the HTTP settings (i.e. backend settings), the same CER certificate can be used for multiple websites for backend server certificate whitelisting.
Set the certificate (cer) that you wish to use as the default certificate on your server, say for a particular website named abcxyz.com. Then the certificate of abcxyz.com can be used for whitelisting the backend for all the websites on that server.
In short, the App Gateway backend only checks that the certificate (cer) is valid; it has nothing to do with the hostname or which domain the certificate is for. If the certificate matches and is valid, it is whitelisted.
So folks, with all the detailed study and trials with logical reasoning, we were able to get the exact same flow as mentioned above working for both HTTP and HTTPS, with SSL encryption as well as SSL offloading for Application Gateway.
Thank you once again for all the support and suggestions!

Unable to add domain to azure web app for a domain coming via Cloudflare proxy

Why am I unable to add a domain to an Azure web app for a domain coming via the Cloudflare proxy, even though I have configured the URL to resolve to the azurewebsites.net URL via CNAME?
Here are the steps to get through the Cloudflare proxy:
First you need to turn off the proxy in Cloudflare.
Configure the URL to point to the azurewebsites.net URL in DNS.
Then add the custom domain.
Once the domain is added, enable the proxy again.

Cloudfront with custom origin and identical domain

Let's say a website with the domain www.example.com is hosted on a LAMP server of a web hoster, which is not Amazon. The domain is managed by Route 53.
Is it possible to somehow keep all settings on the LAMP webserver and still use www.example.com as the domain for CloudFront? Like:
Client -> www.example.com -> CloudFront Edge Server -> Custom origin available over www.example.com on LAMP webserver of third-party web hoster
Basically, I want to use www.example.com for both the CloudFront edge server and the LAMP server.
Best regards
You cannot do anything like /etc/hosts on CloudFront -- it always uses public DNS to resolve the origin.
However, you can still do what you are trying to do -- but you just need to understand why this solution is indeed what you want, because it will seem like it is not (as you indicated in comments).
In Route 53, create a new A record for a new hostname for the origin server, such as origin.example.com. You do not configure this value anywhere on your origin server at all. Your origin server still believes it is www.example.com.
In Route 53, create an alias A record www.example.com pointing to origin.example.com.
At this point, your site works exactly as you expect and require. The hostname "origin.example.com" is in the resolution path, but this information is invisible and unknown to the origin.
In CloudFront, create a distribution, setting the origin domain name to origin.example.com and the Alternate Domain Name for the distribution to www.example.com.
In the settings for each Cache Behavior, ensure that the Host header is whitelisted for forwarding to the origin.
Change Route 53's alias for www.example.com to point to your CloudFront distribution.
When requests arrive at CloudFront, the request retains the Host: www.example.com header. CloudFront uses DNS to find the IP address for origin.example.com; however, it only uses this information to make the connection to the origin. The incoming request is still addressed to www.example.com. If the origin has an SSL certificate for www.example.com, CloudFront will accept it as valid, because you configured the Host header for whitelisting, and it matches the cert.
In this configuration, accessing the CloudFront distribution with the assigned dzczcexample.cloudfront.net hostname in the browser's address bar will not work, because CloudFront will send that hostname to the origin, but once you point the Route 53 alias for www.example.com to the assigned cloudfront.net domain name, requests will be processed correctly.
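The answer above hinges on three things happening on different layers: public DNS decides where CloudFront opens the connection, the whitelisted Host header decides which virtual host the origin thinks is being asked for, and the origin certificate is accepted if it covers either the origin domain name or that forwarded Host header. The Python model below walks the configurations discussed in the answer through those three steps. It is an added example, not code from the answer or from AWS: the DNS table, the 203.0.113.10 origin address, the certificate SAN lists and the Distribution objects are constructed, and the 502/404 outcomes stand for the failure modes the answer describes rather than CloudFront's exact responses.

```python
"""Model of the CloudFront + Route 53 layout from the answer above.
Added example; DNS entries, IP addresses and certificates are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed public DNS view. CloudFront resolves the origin domain name through
# public DNS only; there is no /etc/hosts equivalent on the edge.
DNS: Dict[str, str] = {
    "origin.example.com": "203.0.113.10",               # A record for the LAMP host (hypothetical IP)
    "www.example.com": "dzczcexample.cloudfront.net",   # Route 53 alias to the distribution
}


@dataclass
class Origin:
    ip: str
    cert_sans: List[str]  # names on the origin's TLS certificate
    vhosts: List[str]     # names the LAMP server is configured to answer for

    def handle(self, host_header: str) -> int:
        # The origin still believes it is www.example.com; any other Host header
        # lands on an unknown vhost, modelled here as 404.
        return 200 if host_header in self.vhosts else 404


@dataclass
class Distribution:
    origin_domain_name: str
    alternate_domain_names: List[str]
    forward_host_header: bool  # Host whitelisted in the cache behaviour


def cloudfront_fetch(dist: Distribution, viewer_host: str,
                     origins: Dict[str, Origin]) -> Tuple[int, str]:
    """Return (status seen by the viewer, Host header sent to the origin)."""
    if (viewer_host not in dist.alternate_domain_names
            and not viewer_host.endswith(".cloudfront.net")):
        return 403, ""  # viewer name is not a CNAME of this distribution
    # Public DNS is used only to find where to open the connection.
    origin = origins[DNS[dist.origin_domain_name]]
    host_header = viewer_host if dist.forward_host_header else dist.origin_domain_name
    # CloudFront accepts the origin certificate when it covers the origin domain
    # name or the forwarded Host header; anything else is a modelled 502.
    if (dist.origin_domain_name not in origin.cert_sans
            and host_header not in origin.cert_sans):
        return 502, host_header
    return origin.handle(host_header), host_header


def scenarios() -> Dict[str, Tuple[int, str]]:
    """Run the configurations discussed in the answer against one LAMP origin."""
    lamp = Origin("203.0.113.10", cert_sans=["www.example.com"], vhosts=["www.example.com"])
    # Same server, but with a certificate that also covers origin.example.com (constructed).
    lamp_wide_cert = Origin("203.0.113.10", cert_sans=["www.example.com", "origin.example.com"],
                            vhosts=["www.example.com"])
    good = Distribution("origin.example.com", ["www.example.com"], forward_host_header=True)
    no_host = Distribution("origin.example.com", ["www.example.com"], forward_host_header=False)
    return {
        "www.example.com, Host forwarded": cloudfront_fetch(good, "www.example.com", {lamp.ip: lamp}),
        "www.example.com, Host not forwarded": cloudfront_fetch(no_host, "www.example.com", {lamp.ip: lamp}),
        "cloudfront.net name in address bar": cloudfront_fetch(good, "dzczcexample.cloudfront.net", {lamp.ip: lamp}),
        "wide cert, Host not forwarded": cloudfront_fetch(no_host, "www.example.com",
                                                         {lamp_wide_cert.ip: lamp_wide_cert}),
    }


if __name__ == "__main__":
    for name, (status, host) in scenarios().items():
        print(f"{name:40} -> {status} (Host: {host or '-'})")
```

The fourth scenario is the one worth remembering: even when the certificate problem is papered over by a broader certificate, not forwarding the Host header still hands the origin a hostname it was never configured for, so the request lands on the wrong virtual host.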

Connection not secure with heroku custom domain?

I've set up paid dynos for my Heroku app. The SSL certificate works on my-app.herokuapp.com but when I go to my custom domain I get 'Your connection is not private'.
I'm using GoDaddy as my domain provider. I have my CNAME set with name: www and value: my-app.herokuapp.com
It works on HTTP but not HTTPS.
Your SSL certificate has to be registered to the domain name you're serving from. If it "works" on my-app.herokuapp.com then you need to purchase an SSL cert for your custom domain. https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
Adding a Heroku instance to a subdomain is done by pointing the subdomain to Heroku's DNS instance, not the app.
Example:
Create a CNAME record
Host: subdomain (ex: explore.main-street.com)
Target: herokudns (ex: autumn-sunset-1495.herokudns.com)
Read Heroku's docs here.

DNS setup from Cloudflare to Amazon API Gateway

I have a website mydomain.com with the DNS configured through Cloudflare. I am in the process of setting up an API accessible through api.mydomain.com.
The servers I use are hosted on Digital Ocean, but I would like to use some of the features of the Amazon API Gateway Interface (I will later be migrating all servers over to Amazon). The API server is the same as the website (again this will later be separated, but for now the effective A record is the same Digital Ocean node). The API Gateway Interface is configured and I can access it just fine through the provided endpoint someamazonendpointurl.com/stage
On Amazon I have created a Cloudflare distribution with origin api.mydomain.com. It has some basic HTTP to HTTPS behaviours along with query string parameters. I then set a CNAME record on Cloudflare to point to the endpoint URL. When I try and access api.mydomain.com though I get the Chrome error:
ERR_TOO_MANY_REDIRECTS
Does anyone have any idea what I might have misconfigured? I realise this is a bit of an odd setup, but it is a stop-gap while we migrate our servers over to Amazon.
UPDATE
I noticed I had a CNAME record in CloudFront to api.mydomain.com. I've now removed this but get:
ERROR
The request could not be satisfied.
Bad request.
Generated by cloudfront (CloudFront)
Request ID: <id>
Most likely you have your SSL mode on Cloudflare set to "Flexible", which doesn't use HTTPS to connect to the origin server. API Gateway tries to redirect non-secure requests, so you have a redirect loop.
Set your SSL mode to "Full" and you should be good to go! You can do this on the "Crypto" tab of the Cloudflare dashboard.
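The CloudFront question at the top of this page (Origin Protocol Policy 'HTTP Only' in front of an origin that redirects to HTTPS) and this Cloudflare 'Flexible' case are the same loop: the edge terminates TLS, reaches the origin over plain HTTP, the origin answers with a redirect to the https:// URL the browser already asked for, and the browser repeats the request until it gives up. The Python model below plays both sides of that exchange and detects the loop the way a browser does. It is an added example, not code from the thread or from either vendor: api.example.com and the two edge modes are constructed, 'flexible' standing for Cloudflare Flexible SSL or a CloudFront 'HTTP Only' origin policy and 'full' for Cloudflare Full SSL or a CloudFront origin policy that carries the viewer's scheme through.

```python
"""Model of the redirect loop behind 'Redirected too many times' /
ERR_TOO_MANY_REDIRECTS. Added example; hosts and edge behaviour are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}
MAX_REDIRECTS = 20  # roughly the budget a browser allows before giving up


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def origin(scheme: str, host: str, path: str) -> Response:
    """Origin that enforces HTTPS: any plain-HTTP request is answered with a
    301 to the https:// form of the same URL (an API Gateway endpoint or an
    ELB-fronted app with a force-SSL rule behaves this way)."""
    if scheme != "https":
        return Response(301, f"https://{host}{path}")
    return Response(200)


def edge(mode: str, scheme: str, host: str, path: str) -> Response:
    """CDN edge in front of the origin.
    'flexible': TLS terminated at the edge, origin always contacted over HTTP
                (Cloudflare Flexible, CloudFront Origin Protocol Policy 'HTTP Only').
    'full':     the viewer's scheme is carried through to the origin."""
    if mode == "flexible":
        upstream_scheme = "http"
    elif mode == "full":
        upstream_scheme = scheme
    else:
        raise ValueError(f"unknown edge mode: {mode}")
    return origin(upstream_scheme, host, path)


@dataclass
class Result:
    final_status: Optional[int]  # None when the client gave up on a loop
    loop: bool
    hops: List[Tuple[str, int]] = field(default_factory=list)


def fetch(mode: str, url: str, max_redirects: int = MAX_REDIRECTS) -> Result:
    """Browser-like client: follow redirects, stop as soon as a URL repeats
    or the redirect budget is exhausted."""
    hops: List[Tuple[str, int]] = []
    visited = set()
    current = url
    while len(hops) <= max_redirects:
        if current in visited:
            return Result(None, True, hops)
        visited.add(current)
        parts = urlsplit(current)
        resp = edge(mode, parts.scheme, parts.hostname or "", parts.path or "/")
        hops.append((current, resp.status))
        if resp.status in REDIRECT_STATUSES and resp.location:
            current = resp.location
            continue
        return Result(resp.status, False, hops)
    return Result(None, True, hops)


if __name__ == "__main__":
    for mode in ("flexible", "full"):
        r = fetch(mode, "https://api.example.com/v1/")
        print(mode, "loop" if r.loop else r.final_status, r.hops)
```

In 'flexible' mode the very first hop already redirects to the URL the client started from, which is the signature to look for when diagnosing this on a real endpoint: a 301 whose Location header equals the request URL means the origin never saw the viewer's TLS, and the fix is on the edge-to-origin leg (Full / 'HTTPS Only' or 'Match Viewer'), not on the origin's redirect rule.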
