How to enable TLS/SSL (HTTPS) in Azure Service Fabric Mesh for an ASP.NET Core application - azure-service-fabric-mesh

I am deploying a new Mesh app with an ASP.NET Core API container image. I am able to successfully deploy and access the API using http://[]:80. I used the following configuration in the gateway YAML file:
http:
  - name: BenApiHTTP
    port: 80
    hosts:
      - name: "*"
        routes:
          - name: benapi
            match:
              path:
                value: "/benapiservice/"
                rewrite: "/"
                type: Prefix
            destination:
              applicationName: BenApplication
              serviceName: BenApi
              endpointName: BenApiListener
Now I want to use my own SSL certificate and want to expose the same API over HTTPS, i.e. on port 443. So my questions are:
How do I upload the SSL certificate in Mesh?
What YAML updates do I have to make in gateway.yaml?
How do I set the FQDN for the URL?

Related

How to forward request from cloudfront to istio host

I am facing a challenge forwarding requests from CloudFront to Istio. I have a service running with an istio-gateway host configured as
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: <name>
  namespace: <namespace>
spec:
  gateways:
    - <gateway>
  hosts:
    - <host>
  http:
    - corsPolicy:
        allowCredentials: true
        allowHeaders:
        .........
        ..........
I also have CloudFront configured for my UI. I want to make a URL relative to my UI, so I have configured a behavior for /login which I want to forward to the host above. However, it is not able to forward the request.
Notes:
I tried matching the TLS protocol on both sides
matched the ACM certificate entry as well
but I am still getting a 404 on this. Any help would be greatly appreciated.

Azure Application Gateway, Istio and TLS

I am dealing with the SSL connection from the Azure Web Application Firewall to the Kubernetes cluster via Istio.
The connection from the client to the Azure WAF is already TLS encrypted.
As far as I understand, I have to encrypt the data again in the WAF. Can I use the same certificates that I already used for the connection to the WAF?
Here I would proceed as described in this article:
application-gateway-end-to-end-ssl-powershell
Then I have to deposit the same certificates in Istio's ingress gateway.
As mentioned here:
Configure a TLS ingress gateway
> cat <<EOF | kubectl apply -f -
> apiVersion: networking.istio.io/v1alpha3
> kind: Gateway
> metadata:
>   name: mygateway
> spec:
>   selector:
>     istio: ingressgateway # use istio default ingress gateway
>   servers:
>   - port:
>       number: 443
>       name: https
>       protocol: HTTPS
>     tls:
>       mode: SIMPLE
>       serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
>       privateKey: /etc/istio/ingressgateway-certs/tls.key
>     hosts:
>     - "httpbin.example.com"
> EOF
Is that correct so far?
You need to use the same certificate you specified in the Application Gateway (so the certificate the Application Gateway expects) in the Istio gateway. Your gateway configuration looks valid, as long as the cert is the same and the host is the same.
For me, it finally worked.
I had a situation where the Application Gateway was deployed with its own VirtualNetwork and subnet.
So I made VNet peering and thought it would be enough. But it didn't.
After some days of struggling, I found out my VirtualNetwork subnet was the same as the docker network inside AKS.
When I recreated the Application Gateway with a new subnet, which does not overlap any part of the docker subnet, it worked.
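The answer above hinges on two facts that can be checked before a certificate is deposited in any of the gateways discussed on this page (Application Gateway, Istio ingress, Keter): the private key really belongs to the certificate, and the certificate's Subject Alternative Name covers the host the gateway will match on. The script below is an added example, not code from the Istio documentation or from any answer in this thread. It assumes the openssl CLI is installed (1.1.1 or newer, for the -addext and -ext options) and generates a constructed self-signed pair for httpbin.example.com, the host from the manifest above, only so the checks can run offline; point the two check functions at your own PEM files in practice.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a TLS certificate/key pair.
# Assumes the openssl CLI (>= 1.1.1). All files below are constructed samples.

WORKDIR="${TMPDIR:-/tmp}/tls-check-example"
mkdir -p "$WORKDIR"

# Constructed sample: a self-signed cert + key for httpbin.example.com, and an
# unrelated key so that the mismatch case can be demonstrated too.
make_sample_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/tls.key" -out "$WORKDIR/tls.crt" \
        -subj "/CN=httpbin.example.com" \
        -addext "subjectAltName=DNS:httpbin.example.com" >/dev/null 2>&1
    openssl genrsa -out "$WORKDIR/other.key" 2048 >/dev/null 2>&1
}

# Prints "match" when the private key ($2) corresponds to the public key in the
# certificate ($1), otherwise "mismatch". Compares a SHA-256 of the DER-encoded
# public keys rather than an RSA modulus, so it also works for EC keys.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Prints "covered" when the certificate ($1) lists the exact DNS name ($2) in its
# SAN extension, otherwise "not-covered". Gateways pick a certificate by SNI/host,
# so a name missing here shows up as a handshake error or a 404 even though the
# certificate itself is valid. Wildcard entries are deliberately not expanded.
cert_covers_host() {
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    for name in $sans; do
        if [ "$name" = "$2" ]; then echo covered; return 0; fi
    done
    echo not-covered
}

# Usage on the constructed files (replace with your own PEM paths).
make_sample_files
echo "key/cert: $(cert_key_match "$WORKDIR/tls.crt" "$WORKDIR/tls.key")"
echo "host:     $(cert_covers_host "$WORKDIR/tls.crt" httpbin.example.com)"
```

Run both checks against the exact files you are about to mount into the gateway (for Istio, the contents of the ingressgateway-certs secret); a "mismatch" or "not-covered" result explains most 404 and handshake failures before any Kubernetes or Azure debugging is needed.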

Yesod web app with Keter and Cloudflare's free SSL

I have a VPS running Debian 9 with Keter serving a single web application.
I've generated certificates using the Create Certificate button in the Origin Certificates section of the Crypto tab.
Then I've edited my keter.yaml:
stanzas:
  - type: webapp
    exec: ../dist/bin/dummy-name
    args: []
    hosts:
      - dummy-domain.info
    ssl:
      key: /opt/keter/etc/cert/dummy-domain.info.key
      certificate: /opt/keter/etc/cert/dummy-domain.info.pem
There is also a remark:
# Enable to force Keter to redirect to https
# Can be added to any stanza
# requires-secure: true
When I uploaded the new bundle it looked like things did not work correctly. My website can be visited via HTTP (works as expected) and via HTTPS, but it cannot load the generated CSS and JS files from static (the links injected into the document have the http scheme).
What else should I do to make everything work over a secure HTTPS connection?
There are unclear options for Keter:
# for all stanzas
requires-secure: true
# stanza based
host: ....
secure: true
Also I have no idea which options I should use on Cloudflare:
SSL type is now set to Flexible
Always Use HTTPS is OFF
OK, finally I've done the following:
Application's keter.yml
stanzas:
  - type: webapp
    exec: ../dist/bin/dummy-name
    args: []
    hosts:
      - dummy-domain.info
    requires-secure: true
    ssl:
      key: /opt/keter/etc/cert/dummy-domain.info.key
      certificate: /opt/keter/etc/cert/dummy-domain.info.pem
Keter configuration on server keter-config.yaml
root: ..
#
# # Keter can listen on multiple ports for incoming connections. These ports can
# # have HTTPS either enabled or disabled.
listeners:
  # HTTP
  - host: "*4" # Listen on all IPv4 hosts
    port: 80 # Could be used to modify port
  # HTTPS
  - host: "*4"
    port: 443
    key: cert/dummy-domain.info.key
    certificate: cert/dummy-domain.info.pem
Cloudflare config:
SSL type is now set to Full
Always Use HTTPS is ON
Also I've restarted the keter service:
sudo service keter restart
Now everything works as expected.

Single Instance Elastic Beanstalk Node App. HTTPS refused to connect

I have deployed a Node.js app to Elastic Beanstalk. When I try to access the page via HTTP, everything works fine. When I try to access it via HTTPS, I get a "refused to connect" error. I have followed the instructions on
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html
I created a .ebextensions folder, and my https-instance-single.config looks like:
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
I have uploaded and deployed the new zip file with these included, and it is still the same thing. I can access via HTTP but not via HTTPS.
Any help would be greatly appreciated.
I would suggest you use Let's Encrypt for an Elastic Beanstalk single instance. According to your current configuration, it only opens port 443 to serve HTTPS, but you are not pointing to a certificate. This is the tutorial for Let's Encrypt SSL on Elastic Beanstalk:
https://www.tutcodex.com/ssl-on-single-instance-elastic-beanstalk-tutorial/

Elastic Load Balance Config for Node.js and AWS EB

I am trying to deploy a Node.js Express server to AWS EB, but I have some problems configuring the proxy.
If I have no elasticloadbalancing.config file under the .ebextensions folder, then I can access the server through HTTP on port 3000. However, if I add a config to enable HTTPS and proxy listener port 443 to instance port 3000, then the site cannot be loaded.
Here is my config file:
option_settings:
  aws:elb:listener:443:
    ListenerProtocol: HTTPS
    SSLCertificateId: arn****
    InstancePort: 3000
    InstanceProtocol: HTTP
Could anyone give me any suggestions?
I am not sure if EB is correctly configured, because once I deployed the config file, all ports in the Load Balancing section of the web tier configuration were off. Will EB use the load balancer automatically?
Here is the web tier config,
And here are the listeners
Thanks.
You will need to specify a config for opening instance port access from the ELB.
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 3000
      FromPort: 3000
      SourceSecurityGroupName: {"Fn::GetAtt" : ["AWSEBLoadBalancer" , "SourceSecurityGroup.GroupName"]}
Please see the documentation available at
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html