How to add HTTPS on the EBS link on aws? - node.js

I have deployed my frontend in an S3 bucket. The backend is on EBS. The bucket is secured with HTTPS but the backend APIs are not, so the frontend is not able to connect to the APIs. I wanted to add HTTPS for the APIs on EBS. I have generated a certificate for the domain name as well. I have created a load balancer for the EC2 instance where my APIs are deployed, but I'm still not able to connect to it. I have also set the security groups, which route the traffic from port 80 to 443. I don't know where I'm going wrong or which step I'm missing.
I need help understanding the full process and how this whole mess is connected.

Related

How to convert http to https API URL deployed in AWS

I have deployed a Python Flask based app in AWS. It is running fine on http://<ip>. I need to convert this to HTTPS. I have sent a request to the admin to enable port 443 for HTTPS.
Will that automatically make my app use HTTPS, or do I need to install or set up something else to make it happen?
You have multiple choices for this:
Use ACM (Easiest?!):
If you're using AWS load balancers, you can create a certificate using the ACM service, assign it to your load balancer, and modify your target groups in the EC2 panel.
If you are using CloudFront, you can also configure your SSL/TLS there (without changing the load balancer and target groups). It will work as an upper layer.
Use other certificate providers excluding AWS ACM:
You can set up something like Let's Encrypt or use Cloudflare services.
Note: it really depends on how your cloud stack currently is. You may be only deploying on an EC2 server with Nginx configured and having everything else done outside of AWS with other services, or you can have a Let's Encrypt certificate on your ALB.
This post just gives you some keywords; you can search for the exact instructions/tutorial for each solution.

Setting up AWS ELB with backend express app

I have a web project I am building for fun. It is React, Express, MongoDB.
I currently have an AWS domain, which we will call foo.com, that my React app is linked to. I am using S3 and CloudFront to route foo.com to my React app sitting in S3.
I created an SSL cert for foo.com.
That all works.
Now on an EC2 instance I have an Express.js app that I am using as a REST server. So my React app uses my Elastic IP to make REST calls to my EC2 instance.
Since I added SSL to my React app, it will no longer allow non-SSL calls to my API, so I am trying to fix that.
I set up an ELB and used my foo.com cert (mistake?), pointing at my EC2 instance, and opened ports 80 and 443 via the security group; all works. Except my cert is for foo.com, and my backend server is just set up to use the Elastic IP, or I guess now the load balancer URL. So I get an invalid certificate name error if I try to load the URL of my Express app via the load balancer URL.
How do I use SSL to have my React app make HTTP calls to my Express backend? Do I create a new cert? The cert seems to want a DNS name like foo.com, but my backend server is just an Elastic IP.
Not really sure how to tie all this together. I think I am 90% of the way to where I need to be.
I need to get my React app on S3, with a cert and DNS name foo.com, to talk to my REST server (Express) on an EC2 instance using just the Elastic IP? Or the load balancer URL? What do I do for a cert for that?
You need to add the cert to the load balancer, and point a domain at the load balancer. Something like api.foo.com. You do this by creating a CNAME record in your DNS provider, that points to the load balancer's DNS name. Then have your React app make calls to your API at that domain name. You can create the certs for free in AWS Certificate Manager that will attach to an ELB.
The cert you add to the load balancer will either need to be for api.foo.com or *.foo.com.
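The name mismatch described in the question, and the answer's point that the certificate must be for api.foo.com or *.foo.com, can be reproduced with Node's own hostname check. This is an added example, not code from the original posts; the load balancer DNS name, the IP address and the stand-in certificate objects are constructed.

```javascript
const tls = require('node:tls');

// Stand-in for the parsed certificate object Node hands to
// tls.checkServerIdentity: only the subject CN and the SAN list matter here.
function fakeCert(...dnsNames) {
  return {
    subject: { CN: dnsNames[0] },
    subjectaltname: dnsNames.map((n) => `DNS:${n}`).join(', '),
  };
}

// True when a TLS client connecting to `host` would accept `cert` by name.
function certCovers(host, cert) {
  return tls.checkServerIdentity(host, cert) === undefined;
}

const apexCert = fakeCert('foo.com');       // the cert the asker reused
const wildcardCert = fakeCert('*.foo.com'); // one option from the answer
const apiCert = fakeCert('api.foo.com');    // the other option

// Constructed values: a load balancer DNS name and an Elastic IP
// (the IP is from the 203.0.113.0/24 documentation range).
const ELB_DNS = 'my-api-lb-1234567890.us-east-1.elb.amazonaws.com';
const ELASTIC_IP = '203.0.113.10';

// Builds a cert -> host -> accepted? table for the names in the question.
function coverageTable() {
  const hosts = ['foo.com', 'api.foo.com', 'v2.api.foo.com', ELB_DNS, ELASTIC_IP];
  const certs = {
    'foo.com': apexCert,
    '*.foo.com': wildcardCert,
    'api.foo.com': apiCert,
  };
  const table = {};
  for (const [name, cert] of Object.entries(certs)) {
    table[name] = Object.fromEntries(hosts.map((h) => [h, certCovers(h, cert)]));
  }
  return table;
}

console.table(coverageTable());
```

None of the three certificates is accepted for the raw load balancer name or the IP address, which is why the API has to be called through a DNS name that the certificate lists. The wildcard matches exactly one label, so it covers api.foo.com but neither foo.com nor v2.api.foo.com.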

Routing to cloudfront via ELB and to EKS container by path

I currently have an API backend deployed as a pod inside EKS, which I exposed through an ELB via a Kubernetes service, and an AngularJS frontend hosted in S3 and delivered through CloudFront, which calls the API.
Is there any way that I could have frontend and backend as domain.com and domain.com/api respectively with the current setup?
The only other way I could think of is not using CloudFront to host the AngularJS frontend, but instead dockerizing it and deploying it as a pod in the same cluster as the backend API. I am just wondering if there is a way that I could use CloudFront (or any other services or ways) to do some kind of path-based proxying to decide which end it should redirect to.
Thanks in advance.
DNS records work with domains and subdomains but not paths. This means that for /api to be interpreted and routed you need a proxy server, or an ingress in the Kubernetes case.
A simpler approach would be to use api.domain.com and domain.com then create separate A records pointing to your backend and CDN/S3 bucket, respectively.
If you swap the hosting of your AngularJS frontend from S3 to an Nginx container in EKS, you can run your frontend and API behind an ingress controller. You can then target the load balancer created for the ingress from CloudFront with a single DNS record.
Note - You will need to configure the cache settings on your API, otherwise CloudFront will cache the API output.

HTTPS certificates - how to set on my architecture

I have a Node.js/Express application running on AWS. My public URL (www.example.com) is registered with a hosting provider (SiteGround).
My hosting provider's DNS entry for the application points to AWS (application.example.com points to my AWS public IP).
My hosting provider also has our company website running WordPress.
So, if you go to our public URL you get our website. Going to the application you get our SaaS login page.
All of that runs fine with HTTP. I now have a task to migrate everything to HTTPS. I've checked how to add HTTPS to Node.js, all fine.
My question is related to certificates. Questions:
a) Should I get the SSL certificate from my hosting company or from AWS? Both offer certificates.
b) Do I need a certificate on AWS (to be added to Node.js) and at my domain (to allow HTTPS domain access), or just in Node.js?
It does not matter where you get your certificate from, as long as your provider gives you an authorized certificate. However, if you use Amazon's certificate manager, it can be easier to integrate with their services.
If you are serving your application through an AWS load balancer, then you don't need to add it to the Node.js application. Instead, you get a certificate through the certificate manager and add it to the listening interface in the load balancer; it gets served automatically this way.
Create a Classic Load Balancer with an HTTPS Listener
HTTPS Listeners for Your Application Load Balancer
If you are serving your application directly, then you will need to add it to the Node.js application (e.g. using https module).
I'll try to answer each question below:
a) Should I get the SSL certificate on my host company or on AWS? Both offers the certificates.
If the Amazon-issued certificate is strong enough for your needs, like basic HTTPS encryption, I would opt to use it for the sake of simplicity. You just need to fill in the form and validate, and Amazon is in charge of making it secure and renewing it automatically when it expires.
b) Do I need a certificate on AWS (to be added to nodejs) and at my domain (to allow HTTPS domain access) or just in nodejs ?
AWS-issued certificates can only be used with AWS managed services such as Application Load Balancer and CloudFront (CDN). There are many docs explaining how to set up an ELB with an AWS certificate and an EC2 backend; check Create a Classic Load Balancer with an HTTPS Listener.
In order to use them inside your EC2 VM you would need to download and configure them in your web server. I think AWS will never allow it, to avoid security breaches.
It doesn't matter how you get a certificate. You can request free certificates from Let's Encrypt using its API, or you can create certificates in AWS Load Balancer (but don't forget to check if the AWS certificate limitations are fine for your case).
AWS LoadBalancer will be in front of your EC2 so it will sign certificates for you.
If you have an option to get certificate files (e.g. you create certificates yourself by using Let's Encrypt or another cert provider), you should keep the certificates on your EC2 instance (if you have multiple instances, you should keep certificates on each instance). And you should use a Network Load Balancer at the TCP level, so the NLB will just proxy your traffic, which was already signed correctly.
Also, you can use existing third-party solutions from the AWS Marketplace or non-AWS solutions. E.g. you can use AWS Kilo SLL. It is easy to set up, and it will create and renew certificates for your domains. So you will have just an extra EC2 instance which will sign all your traffic depending on the request domain. I'm mostly sure there are other similar alternatives to use; for our 240 domains Kilo works fine.

Security of hosting a RESTful API server on AWS Beanstalk or EC2

I want to host a RESTful API on AWS Beanstalk or EC2 so a client server in an on-premise data center can use it.
Is it secure to host a RESTful API server on AWS Beanstalk or EC2 without authentication and secure it only with a security group?
I put the client IP address into the security group which the Beanstalk or EC2 instance uses. So only the client with this IP address can connect to the RESTful API server.
The client is located outside AWS in an on-premise data center.
Are there any better solutions to handle this problem? I know it is possible to connect an AWS VPC with an on-premise network, but that seems to be too expensive for us in such a small use case.
Is it secure to host a RESTful API server on AWS Beanstalk or EC2 without authentication and secure them only with security group ?
No authentication is not a recommended method for securing a RESTful API, but the security provided by AWS security groups is rock solid.
Another suggestion would be implementing HTTPS instead of HTTP. Please go through this article: http://aws.amazon.com/articles/1928
