I'm facing some problems with AWS S3. I figured out that if I set some RoutingRules, they only work at the <bucket_name>.s3-website-us-east-1.amazonaws.com endpoint, but this endpoint doesn't have SSL. There is another endpoint that has SSL, s3.amazonaws.com/<bucket_name>, but these RoutingRules don't work there.
Is there a way to make RoutingRules work at the s3.amazonaws.com/<bucket_name> endpoint? Or to make SSL work at <bucket_name>.s3-website-us-east-1.amazonaws.com?
I heard something about CloudFront but I don't know much about it.
<bucket_name>.s3-website-us-east-1.amazonaws.com is a website endpoint, whereas the other one is a REST API endpoint. You can see the difference here.
You can see the example walkthroughs on how to set up a static website on S3 and add CloudFront (where you can add SSL/TLS).
For your use case, as you have already identified, you can use AWS CloudFront. It mainly provides two functions:
Acts as a CDN, caching the static content based on your configuration.
Acts as a proxy where you can connect S3 buckets or other endpoints to CloudFront with routing rules, with your DNS pointing to CloudFront.
In addition, you can associate free SSL certificates issued by AWS Certificate Manager with CloudFront.
Configuring CloudFront to S3 is straightforward. Check the AWS Getting Started Guide for more details.
Related
I have deployed a Python Flask based app in AWS. It is running fine on http://<ip>. I need to convert this to https. I have sent a request to the admin to enable port 443 for https.
Will that automatically make my app https, or do I need to install or set up something else to make it happen?
You have multiple choices for this:
Use ACM (easiest?!):
If you're using AWS load balancers, you can create a certificate using the ACM service, assign it to your load balancer and modify your Target Groups in the EC2 panel.
If you are using CloudFront, you can also configure your SSL/TLS there (without changing the load balancer and target groups). It will work as an upper layer.
Use other certificate providers excluding AWS ACM:
You can set up something like Let's Encrypt or use Cloudflare services.
Note: it really depends on how your cloud stack currently is. You may only be deploying on an EC2 server with Nginx configured and have everything else done outside of AWS with other services, or you can have a Let's Encrypt certificate on your ALB.
This post just gives you some keywords; you can search and see exact instructions/tutorials for every solution.
I transferred a web site to AWS that has Angular on one server, Nodejs/Express on another server and uses a PostgreSQL DB in RDB. This works great and is currently running, but it is not great for scalability and availability.
So I have moved the Angular to be served from an S3 bucket accessed through CloudFront and updated with a WebHook into my GitHub repo. This all seems to work great.
I have the Nodejs/Express using Elastic Beanstalk and, once again using a WebHook, it updates from the GitHub repo. I still have a couple of items to work out on the deploy with this, but I think they will be minor (which means they will bite me later).
What I cannot seem to figure out is a way to allow the Angular to do API calls to the load balancer in Elastic Beanstalk.
Do I still use proxy.config.json? If so, what do I point it to? I tried to create a CNAME record in Route 53 for api.myapp.com pointing to the value of the load balancer DNS. That didn't seem to work.
Do I use AWS API Gateway? I tried some different things in here but didn't seem to be able to get it to work. The only thing that seemed a possibility would require me to define each of the APIs, which, if it is even possible, would be my last resort.
Is this something that cannot be done?
I have read a lot of articles on somewhat similar questions but none seemed to fit closely enough to give me an answer. Maybe I am just looking at this incorrectly. Any help would be much appreciated.
Edited
After chasing many squirrels the past couple of days, I think I have it narrowed down to a configuration issue with CloudFront.
I have a record in Route 53 that points to my CloudFront as "dev.mydomain.com" and that works great.
I have a record in Route 53 that points to my Elastic Beanstalk load balancer as "api.mydomain.com".
I can make a call by entering the URL into a browser, such as "https://api.mydomain.com/api/getInfo", and it returns the information along with the CORS headers. When I have the app that is being served from an S3 bucket by CloudFront make the same call, I get "Access to XMLHttpRequest at 'https://api.mydomain.com/api/getInfo' from origin 'https://dev.mydomain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource." and sure enough there are none of the CORS headers in the response headers.
I have found a couple of articles that seem to deal with this but they have not worked (or I am implementing them incorrectly). I have tried to create an origin, I have tried to create a behavior. Nothing has worked so far.
If anyone has dealt with this or knows of an article that would help, I would appreciate it greatly.
You can create a custom domain name for your load balancer URL from Route 53. You need to create an A record with the Alias property set to yes pointing to the load balancer's DNS name.
Amazon Route 53 also offers alias records, which are an Amazon Route 53-specific extension to DNS. You can create alias records to route traffic to selected AWS resources, including Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, API Gateways, VPC interface endpoints, and Amazon S3 buckets that are configured as websites.
Hope this helps.
Reference:
Question "Which DNS record types does Amazon Route 53 support?" on https://aws.amazon.com/route53/faqs/
Solved
The answer to this question got me close to where I wanted to be, but it still was not responding to all my calls. I finally figured out that it was the database calls that were not responding. I am not setting the database up with Elastic Beanstalk since I am doing a proof of concept for a production setup, so the database needs to be separate. I finally figured out that I had not added a rule in the security group on the database to allow the Elastic Beanstalk calls. After adding that rule and adding the behavior and origin rules in CloudFront, it seems to work like a charm.
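For the CORS error in the edited question, here is an added example (not code from the question or answer above) of what the Node.js API should send back: an exact-match origin allowlist rather than a reflected or wildcard origin, a Vary: Origin header so CloudFront or any cache does not serve one origin's answer to another, and the headers on every response, error responses included. The origins, paths and header names are assumptions for illustration. The last point matters for the outcome described in "Solved": a 500 from a backend that cannot reach the database normally carries no CORS headers, so the browser reports it as a CORS failure rather than the real error.

```javascript
// Added example, not part of the original post: allowlist-based CORS for a
// Node.js API. Origins, methods and header names are assumptions.

// Exact-match allowlist. Never echo an arbitrary Origin, and never combine
// "*" with Access-Control-Allow-Credentials.
const ALLOWED_ORIGINS = new Set([
  'https://dev.mydomain.com',
  'https://www.mydomain.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Compute the CORS response headers for one request. Returns null when the
// Origin header is absent (same-origin or non-browser client) or not allowed.
function corsHeaders(origin, method, requestedHeaders) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin; caches (CloudFront included) must key on it.
    'Vary': 'Origin',
  };
  if (method === 'OPTIONS') {
    // Preflight: grant only the subset of requested headers that is allowlisted.
    const wanted = String(requestedHeaders || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const granted = wanted.filter((h) => ALLOWED_HEADERS.includes(h));
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = granted.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Request handler for http.createServer(handle). CORS headers are set before
// any branch, so an error response is still readable by the browser instead
// of surfacing as "No 'Access-Control-Allow-Origin' header is present".
function handle(req, res) {
  const cors = corsHeaders(req.headers.origin, req.method,
                           req.headers['access-control-request-headers']);
  if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
  if (req.url === '/api/getInfo') {
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ ok: true }));
    return;
  }
  res.writeHead(404);
  res.end();
}
```

To run it, `require('http').createServer(handle).listen(3000)`; with Express the same `corsHeaders` result can be applied in a middleware before the routes.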
I have a Nodejs/Express application running on AWS. My public URL (www.example.com) is registered with a hosting provider (SiteGround).
My hosting provider's DNS entry for the application points to AWS (application.example.com points to my AWS public IP).
My hosting provider also runs our company web site on WordPress.
So, if you go to our public URL you get our website. Going to the application you get our SaaS login page.
All of that runs fine with HTTP. I now have a task to migrate everything to HTTPS. I've checked how to add HTTPS to nodejs, all fine.
My question is related to certificates. Questions:
a) Should I get the SSL certificate from my hosting company or from AWS? Both offer certificates.
b) Do I need a certificate on AWS (to be added to nodejs) and at my domain (to allow HTTPS domain access), or just in nodejs?
It does not matter where you get your certificate from, as long as your provider gives you an authorized certificate. However, if you use Amazon's Certificate Manager, it can be easier to integrate with their services.
If you are serving your application through an AWS load balancer then you don't need to add it to the Node.js application; instead you get a certificate through Certificate Manager and add it to the HTTPS listener on the load balancer, and it gets served automatically this way.
Create a Classic Load Balancer with an HTTPS Listener
HTTPS Listeners for Your Application Load Balancer
If you are serving your application directly, then you will need to add it to the Node.js application (e.g. using https module).
I'll try to answer each question below:
a) Should I get the SSL certificate from my hosting company or from AWS? Both offer certificates.
If the Amazon-issued certificate is strong enough for your needs, like basic HTTPS encryption, I would opt to use it for the sake of simplicity. You just need to fill in the form, validate, and Amazon is in charge of making it secure and renewing it automatically when it expires.
b) Do I need a certificate on AWS (to be added to nodejs) and at my domain (to allow HTTPS domain access), or just in nodejs?
AWS-issued certificates can only be used with AWS managed services such as Application Load Balancer and CloudFront (CDN). There are many docs explaining how to set up an ELB with an AWS certificate and an EC2 backend; check Create a Classic Load Balancer with an HTTPS Listener.
In order to use them inside your EC2 VM you would need to download and configure them in your web server. I think AWS will never allow it, to avoid security breaches.
It doesn't matter how you get a certificate. You can request free certificates from Let's Encrypt using its API, or you can create certificates in the AWS load balancer (but don't forget to check whether the AWS certificate limitations are fine for your case).
The AWS load balancer will be in front of your EC2, so it will sign certificates for you.
If you have the option to get certificate files (e.g. you create certificates yourself using Let's Encrypt or another cert provider), you should keep the certificates on your EC2 instance (if you have multiple instances, keep the certificates on each instance). And you should use a Network Load Balancer at the TCP level, so the NLB will just proxy your traffic, which was already signed correctly.
Also you can use existing third-party solutions from the AWS Marketplace or non-AWS solutions. E.g. you can use AWS Kilo SSL. It is easy to set up; it will create and renew certificates for your domains. So you will just have an extra EC2 instance which will sign all your traffic depending on the request domain. Most likely there are other similar solutions to use; for our 240 domains Kilo works fine.
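Whichever of the above you choose, the Node.js app ends up in one of two positions: it terminates TLS itself (the `https` module with the certificate files on the instance), or it receives plain HTTP from a load balancer that terminated TLS and tells the app so via `X-Forwarded-Proto`. The second case has a trap none of the answers spell out: that header is just a request header, so if the app port is reachable from anywhere other than the load balancer, a client can send `X-Forwarded-Proto: https` itself and skip any HTTPS-only logic. The added example below (my code, not from the answers) handles both positions and only believes the header when the TCP peer is inside the load balancer's subnets. The subnet, canonical hostname and request shapes are assumptions.

```javascript
// Added example, not from the original answers: decide whether a request is
// HTTPS when TLS may terminate either in this process or on an AWS load
// balancer in front of it. The proxy subnet and hostname are assumptions.

// Only the load balancer may assert X-Forwarded-Proto. Restrict the app's
// security group to the LB as well; this check is the in-process backstop.
const TRUSTED_PROXY_CIDRS = ['10.0.0.0/16'];     // assumed ALB/NLB subnets
const CANONICAL_HOST = 'application.example.com'; // assumed, used for redirects

// IPv4 dotted quad -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True if ip (IPv4, or IPv4-mapped IPv6 as Node reports it) lies in cidr.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip.replace(/^::ffff:/, ''));
  const netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// True when the user's connection is HTTPS: either this process terminated
// TLS (socket.encrypted) or a trusted proxy says it did.
function requestIsSecure(req) {
  if (req.socket && req.socket.encrypted) return true;
  const peer = req.socket && req.socket.remoteAddress;
  const trusted = !!peer && TRUSTED_PROXY_CIDRS.some((c) => inCidr(peer, c));
  if (!trusted) return false;
  // ALB sets a single value; take the first entry in case another hop appended.
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

// Call at the top of the request handler. Redirects plain HTTP to HTTPS on
// the canonical host (not the unvalidated Host header) and sets HSTS once
// the request is secure. Returns false if the response was already sent.
function enforceHttps(req, res) {
  if (!requestIsSecure(req)) {
    res.writeHead(301, { Location: 'https://' + CANONICAL_HOST + (req.url || '/') });
    res.end();
    return false;
  }
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  return true;
}
```

With an ALB the listener on 443 carries the ACM certificate and the target group talks HTTP to the instance; with the NLB-at-TCP-level setup from the last answer, `socket.encrypted` is what fires, because the instance itself terminates TLS with `https.createServer({ key, cert }, handler)`.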
Is it possible to configure DNS settings in such a way that the web application uses www.domain.com and the Amazon AWS API Gateway uses www.domain.com/api?
Not using pure DNS. It would only let you point a subdomain to a destination; DNS doesn't see the path.
You can use something like nginx to proxy the path, or use api.domain.com for your API, which probably is better, as you don't need to proxy the requests at all.
You can configure AWS CloudFront as a proxy to map both API Gateway and the web server (or a web application hosted in AWS S3) as origins. Then configure www.domain.com to point to CloudFront.
This also improves application performance, if you cache the static content served from the web application, by using the CloudFront CDN network of edge locations.
When mapping API Gateway, do the following configuration for it to work.
Whitelist the headers and exclude Host header.
Set TTL values to zero.
Make the origin and behaviors for API Gateway https only.
To map www.domain.com/api to API Gateway, use the stage name as 'api' with CloudFront behavior mapping for /api/* .
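The two CloudFront answers on this page (the S3 website plus ACM certificate setup near the top, and the API Gateway origin rules just above) describe settings that are easy to get subtly wrong in the console. The added example below is not code from either answer; it is a pre-deployment check over a CloudFront DistributionConfig in the CloudFront API's field names (the legacy ForwardedValues shape, since the answer talks about whitelisting headers). It encodes the points both answers make: the viewer side must carry an ACM certificate and refuse plaintext, an S3 website endpoint origin must be http-only because that endpoint (the only one that applies RoutingRules) has no TLS, and the API Gateway origin must be https-only, uncached and must not receive the viewer's Host header. The /api/* behavior forwards the path untouched, which is why the answer says the stage must be named api. Origin IDs, domain names and the ACM ARN are placeholders.

```javascript
// Added example, not part of either answer: pre-deployment checks over a
// CloudFront DistributionConfig (CloudFront API field names, legacy
// ForwardedValues shape). Origin IDs, domain names and the ARN are placeholders.

const S3_WEBSITE_RE = /\.s3-website[.-]/; // <bucket>.s3-website-<region>.amazonaws.com
const API_GATEWAY_RE = /\.execute-api\./; // <id>.execute-api.<region>.amazonaws.com

function lower(list) { return (list || []).map((h) => String(h).toLowerCase()); }

// Returns a list of findings; an empty list means the config passed.
function checkDistribution(cfg) {
  const findings = [];
  const vc = cfg.ViewerCertificate || {};
  if (vc.CloudFrontDefaultCertificate || !vc.ACMCertificateArn) {
    findings.push('viewer: no ACM certificate attached, the custom domain will not serve TLS');
  } else if (vc.MinimumProtocolVersion !== 'TLSv1.2_2021') {
    findings.push('viewer: MinimumProtocolVersion should be TLSv1.2_2021');
  }
  const origins = new Map((cfg.Origins || []).map((o) => [o.Id, o]));
  const behaviors = [cfg.DefaultCacheBehavior, ...(cfg.CacheBehaviors || [])].filter(Boolean);
  for (const b of behaviors) {
    const path = b.PathPattern || '(default)';
    if (b.ViewerProtocolPolicy === 'allow-all') {
      findings.push(`${path}: ViewerProtocolPolicy allow-all still serves plaintext HTTP`);
    }
    const origin = origins.get(b.TargetOriginId);
    if (!origin) { findings.push(`${path}: unknown TargetOriginId ${b.TargetOriginId}`); continue; }
    const proto = (origin.CustomOriginConfig || {}).OriginProtocolPolicy;
    if (S3_WEBSITE_RE.test(origin.DomainName) && proto !== 'http-only') {
      // The website endpoint (the only one that applies RoutingRules) has no TLS.
      findings.push(`${origin.Id}: S3 website endpoints speak HTTP only, set OriginProtocolPolicy http-only`);
    }
    if (API_GATEWAY_RE.test(origin.DomainName)) {
      if (proto !== 'https-only') findings.push(`${origin.Id}: API Gateway origin must be https-only`);
      const fv = b.ForwardedValues || {};
      const headers = lower(fv.Headers && fv.Headers.Items);
      if (headers.includes('host')) {
        // API Gateway routes on its own execute-api hostname; a forwarded viewer Host is rejected.
        findings.push(`${path}: do not forward Host to API Gateway`);
      }
      if ((b.DefaultTTL || 0) !== 0 || (b.MaxTTL || 0) !== 0) {
        findings.push(`${path}: API responses must not be cached, set DefaultTTL and MaxTTL to 0`);
      }
    }
  }
  return findings;
}

// Constructed sample: the layout the answers describe, with both origins.
function hardenedConfig() {
  return {
    ViewerCertificate: {
      ACMCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE', // placeholder
      SSLSupportMethod: 'sni-only',
      MinimumProtocolVersion: 'TLSv1.2_2021',
    },
    Origins: [
      { Id: 's3-site', DomainName: 'my-bucket.s3-website-us-east-1.amazonaws.com',
        CustomOriginConfig: { OriginProtocolPolicy: 'http-only' } },
      { Id: 'api', DomainName: 'abc123.execute-api.us-east-1.amazonaws.com',
        CustomOriginConfig: { OriginProtocolPolicy: 'https-only' } },
    ],
    DefaultCacheBehavior: { TargetOriginId: 's3-site', ViewerProtocolPolicy: 'redirect-to-https' },
    CacheBehaviors: [
      { PathPattern: '/api/*', TargetOriginId: 'api', ViewerProtocolPolicy: 'https-only',
        MinTTL: 0, DefaultTTL: 0, MaxTTL: 0,
        ForwardedValues: { QueryString: true, Headers: { Items: ['Authorization', 'Origin', 'Accept'] } } },
    ],
  };
}

// Constructed sample: the same distribution with the common console mistakes.
function weakConfig() {
  const c = hardenedConfig();
  c.ViewerCertificate = { CloudFrontDefaultCertificate: true };
  c.DefaultCacheBehavior.ViewerProtocolPolicy = 'allow-all';
  c.Origins[1].CustomOriginConfig.OriginProtocolPolicy = 'match-viewer';
  c.CacheBehaviors[0].ForwardedValues.Headers.Items.push('Host');
  c.CacheBehaviors[0].DefaultTTL = 86400;
  return c;
}
```

Run `checkDistribution` against the JSON from `aws cloudfront get-distribution-config` before `update-distribution`; the hardened sample yields no findings, the weak one yields five.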
I have developed a node.js app and successfully uploaded and deployed it using AWS tools and Elastic Beanstalk. My app is reachable through the URL provided by EB.
I created an SSL certificate through AWS Certificate Manager and assigned it from the configuration menu. Load Balancer Config
When I checked the load balancer and security group configuration everything looked fine, but if I try to get https://myappurl.us-west-2.elasticbeanstalk.com I get a privacy error response.
I think that this is more likely an Amazon support question, but maybe someone knows if I missed something.
Thanks
The SSL certificate will be for a specific domain. It is certainly not for the myappurl.us-west-2.elasticbeanstalk.com domain, because you don't own the domain elasticbeanstalk.com, so there's no way you could have created a valid SSL certificate for that domain. The SSL certificate is only going to work with the custom domain you created the certificate for, and only when you have that custom domain actually pointing to your Elastic Beanstalk environment.
SSL certificates work for the domain name they were generated for. As per your comment, you got that certificate for myapp.mydomain.io, so it will not work for myappurl.us-west-2.elasticbeanstalk.com. You have to map myapp.mydomain.io to point to the EB environment, and then myapp.mydomain.io will serve the SSL certificate: https://myapp.mydomain.io.