Use a single domain to host a web application and AWS API Gateway? - dns

Is it possible to configure DNS settings in such a way that the web application uses www.domain.com and the Amazon AWS API Gateway uses www.domain.com/api?


Not using pure DNS; it would only let you point a subdomain at a destination, since DNS doesn't see the path.
You can use something like nginx to proxy the path, or use api.domain.com for your API, which is probably better, as you don't need to proxy the requests at all.

You can configure AWS CloudFront as a proxy to map both API Gateway and the web server (or a web application hosted in AWS S3) as origins. Then configure www.domain.com to point to CloudFront.
This also improves application performance if you cache the static content served from the web application, by using the CloudFront CDN network of edge locations.
When mapping API Gateway, do the following configuration for it to work:
Whitelist the headers and exclude the Host header.
Set TTL values to zero.
Make the origin and behaviors for API Gateway HTTPS only.
To map www.domain.com/api to API Gateway, use the stage name 'api' with a CloudFront behavior mapping for /api/*.
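As an added example (not code from the original answers), a Python check for the three CloudFront settings this answer lists, run over a constructed weak configuration and its corrected form; the dict shape follows CloudFront's DistributionConfig API, and the execute-api hostname is a placeholder.

```python
# Added example, not from the original answers: a lint for the three settings
# the answer lists for a /api/* CloudFront behavior in front of API Gateway.
# Both configs are constructed; field names follow CloudFront's DistributionConfig.

def check_api_behavior(config, path_pattern="/api/*"):
    """Return findings (empty list = compliant) for the behavior on path_pattern."""
    findings = []
    behaviors = config.get("CacheBehaviors", {}).get("Items", [])
    behavior = next((b for b in behaviors if b.get("PathPattern") == path_pattern), None)
    if behavior is None:
        return [f"no cache behavior for {path_pattern}"]
    # Host must not be forwarded: API Gateway matches requests on its own
    # execute-api hostname, so a forwarded www.domain.com Host header gets rejected.
    headers = behavior.get("ForwardedValues", {}).get("Headers", {}).get("Items", [])
    if "*" in headers or any(h.lower() == "host" for h in headers):
        findings.append("Host header is forwarded to API Gateway")
    # TTLs must be zero so API responses are never served from the edge cache.
    for key in ("MinTTL", "DefaultTTL", "MaxTTL"):
        if behavior.get(key, 0) != 0:
            findings.append(f"{key} is {behavior[key]}, expected 0")
    # Both the viewer side and the origin side must be HTTPS only.
    if behavior.get("ViewerProtocolPolicy") != "https-only":
        findings.append("ViewerProtocolPolicy is not https-only")
    origins = {o["Id"]: o for o in config.get("Origins", {}).get("Items", [])}
    origin = origins.get(behavior.get("TargetOriginId"), {})
    if origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy") != "https-only":
        findings.append("OriginProtocolPolicy is not https-only")
    return findings

def api_gateway_config(forward_host, ttl, origin_policy, viewer_policy):
    """Constructed minimal DistributionConfig with one API Gateway origin."""
    headers = ["Authorization", "Host"] if forward_host else ["Authorization"]
    return {
        "Origins": {"Items": [{
            "Id": "apigw",
            "DomainName": "EXAMPLE-API-ID.execute-api.us-east-1.amazonaws.com",  # placeholder
            "CustomOriginConfig": {"OriginProtocolPolicy": origin_policy},
        }]},
        "CacheBehaviors": {"Items": [{
            "PathPattern": "/api/*", "TargetOriginId": "apigw",
            "ViewerProtocolPolicy": viewer_policy,
            "MinTTL": ttl, "DefaultTTL": ttl, "MaxTTL": ttl,
            "ForwardedValues": {"Headers": {"Items": headers}},
        }]},
    }

WEAK = api_gateway_config(True, 86400, "match-viewer", "allow-all")   # what not to deploy
FIXED = api_gateway_config(False, 0, "https-only", "https-only")      # the answer's settings
```

Running `check_api_behavior(WEAK)` reports all six problems, while `check_api_behavior(FIXED)` returns an empty list.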

Related

How to convert http to https API URL deployed in AWS

I have deployed a Python Flask based app in AWS. It is running fine on http://<ip>. I need to convert this to https. I have sent a request to the admin to enable port 443 for https.
Will that automatically make my app https, or do I need to install or set up something else to make it happen?

You have multiple choices for this:
Use ACM (easiest?!):
If you're using AWS load balancers, you can create a certificate using the ACM service, assign it to your load balancer and modify your Target Groups in the EC2 panel.
If you are using CloudFront, you can also configure your SSL/TLS there (without changing the load balancer and target groups). It will work as an upper layer.
Use other certificate providers excluding AWS ACM:
You can set up something like Let's Encrypt or use Cloudflare services.
Note: it really depends on how your cloud stack currently is; you may be only deploying on an EC2 server with Nginx configured and having everything else done outside of AWS with other services, or you can have a Let's Encrypt certificate on your ALB.
This post just gives you some keywords; you can search and see exact instructions/tutorials for every solution.

Setting up AWS ELB with backend express app

I have a web project I am building for fun. It is React, Express, MongoDB.
I currently have an AWS domain we will call foo.com that my React app is linked to. I am using S3 and CloudFront to route foo.com to my React app sitting in S3.
I created an SSL cert for foo.com.
That all works.
Now on an EC2 instance I have an Express.js app that I am using as a REST server. So my React app uses my elastic IP to call my EC2 instance using REST.
Since I added SSL to my React app, it now will not allow non-SSL calls into my API, so I am trying to fix that.
I set up an ELB and used my foo.com cert (mistake?) pointing at my EC2 and opened ports 80 and 443 via the security group; all works, except my cert is for foo.com and my backend server is just set up to use the elastic IP, or I guess now the load balancer URL. So I get an invalid certificate name error if I try to load the URL to my Express app via the load balancer URL.
How do I use SSL to have my React app make HTTP calls to my Express backend? Do I create a new cert? The cert seems to want a DNS name like foo.com, but my backend server is just an elastic IP.
Not really sure how to tie all this together. I think I am 90% where I need to be.
I need to get my React app on S3 with a cert and DNS name foo.com to talk to my REST server (Express) on an EC2 instance using just an elastic IP, or the load balancer URL? What do I do for a cert for that?

You need to add the cert to the load balancer and point a domain at the load balancer, something like api.foo.com. You do this by creating a CNAME record at your DNS provider that points to the load balancer's DNS name. Then have your React app make calls to your API at that domain name. You can create the certs for free in AWS Certificate Manager, and they will attach to an ELB.
The cert you add to the load balancer will need to be for either api.foo.com or *.foo.com.

Routing to cloudfront via ELB and to EKS container by path

I currently have an API backend deployed as a pod inside EKS, which I exposed through an ELB via a Kubernetes service, and an AngularJS frontend hosted in S3 and delivered through CloudFront, which calls the API.
Is there any way that I could have the frontend and backend as domain.com and domain.com/api respectively with the current setup?
The only other way I could think of is not using CloudFront to host the AngularJS frontend, but instead dockerizing it and deploying it as a pod in the same cluster as the backend API. But I am just wondering if there is a way that I could use CloudFront (or any other services or ways) to do some kind of path-based proxying to decide which end it should redirect to.
Thanks in advance.

DNS records work with domains and subdomains, but not paths. This means that for /api to be interpreted and routed you need a proxy server, or an ingress in the Kubernetes case.
A simpler approach would be to use api.domain.com and domain.com, then create separate A records pointing to your backend and CDN/S3 bucket, respectively.

If you swap the hosting of your AngularJS frontend from S3 to an Nginx container in EKS, you can run your frontend and API behind an ingress controller. You can then target the load balancer created for the ingress from CloudFront with a single DNS record.
Note - You will need to configure the cache settings on your API, otherwise CloudFront will cache the API output.

Is it OK to remove Nginx when using Azure application gateway?

I have a web app for Docker currently running Django with gunicorn as the WSGI server and Nginx as a reverse proxy. I am not serving any static assets via Nginx, and SSL is taken care of by Azure.
So my question is: if I use Azure Application Gateway (with or without WAF), can I remove Nginx? I don't see any use for it, unless I want to use caching, which I don't. HTTP/2 is also provided by Application Gateway.

Both Nginx and Azure Application Gateway act as a reverse proxy with Layer 7 load-balancing features, plus a WAF to ensure strong protection against common web vulnerabilities and exploits.
Application Gateway supports autoscaling, SSL offloading and end-to-end SSL, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, redirection, rewriting of HTTP headers and other features. For a full list of supported features, see Introduction to Application Gateway. Also, be aware of Application Gateway limits.
Nginx, on the other hand, provides better URL rewriting and redirecting features than Application Gateway. See the feedback. With Nginx, you can rewrite the URL of a request before passing it to a backend server. This means you can alter the location of files or request paths without modifying the URL advertised to clients. You can also redirect requests.
In my opinion, if you just want to use it for load balancing without complex URL rewriting, it's enough to use Azure Application Gateway. For complex rewrite use cases, you can add Nginx. Read about creating Nginx rewrite rules and more details here.

Go for Azure Application Gateway... and get rid of Nginx. When in the cloud, it makes sense to use all PaaS platform features.

Redirecting from web app behind Azure application gateway

I have two web apps set up in Azure, and for simplicity let's call them webapp1 and webapp2. They sit behind an application gateway, which selects the correct web app based on the subdirectory in the URL.
Here's a basic example of how I've set it up:
www.mydomain.com -> webapp1 (the default route)
www.mydomain.com/app -> webapp2
This is working fine, except for one problem: if webapp2 redirects to the login page, for example, the domain in the URL changes to the azurewebsites.net domain. Instead of redirecting to www.mydomain.com/login, it goes to webapp2.azurewebsites.net/login.
I'm fairly new to Azure Application Gateway, but I know it injects the x-forwarded-* and x-original-host headers. I assumed the gateway would either alter the redirect URL to correct the domain, or the config on the web app would use x-original-host instead. Neither of these things is happening.
Is there a way to configure either the web app or the gateway to make sure the host name doesn't change on redirects? Would this scenario work better with a separate web app/VM with a classic IIS reverse proxy setup instead of the application gateway?

Currently, Application Gateway does not overwrite the response from the backend. We do inject X-Original-Host, and your application should use that to write the redirect URL correctly back to mydomain.
An example of how to configure URL rewrite on a web app can be found here. An example of rewriting the default *.azurewebsites.net domain to a custom domain can be found here.
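An added example, not part of the original answer: a WSGI middleware (usable under gunicorn with Django or Flask) that rewrites absolute redirects from the backend's hostname to the host in X-Original-Host, and accepts that header only when it names a host you actually serve, so a client-supplied header can never steer the redirect. The hostnames, allowlist and demo backend are constructed.

```python
# Added example, not from the original answers: a WSGI middleware for an app behind
# Azure Application Gateway, which injects X-Original-Host but does not rewrite the
# backend's redirect responses. Hostnames and the allowlist are constructed.
from urllib.parse import urlsplit, urlunsplit

class OriginalHostRedirects:
    def __init__(self, app, allowed_hosts, backend_hosts):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}   # hosts the gateway serves
        self.backend = {h.lower() for h in backend_hosts}   # hosts the app thinks it has

    def rewrite_location(self, location, original_host, scheme="https"):
        """Swap a backend hostname in an absolute redirect for the gateway's host."""
        if not original_host or original_host.lower() not in self.allowed:
            return location   # missing or unrecognised header: never trust it
        parts = urlsplit(location)
        if parts.netloc.lower() not in self.backend:
            return location   # relative redirect, or a host we should not touch
        if scheme not in ("http", "https"):
            scheme = "https"  # ignore anything odd in X-Forwarded-Proto
        return urlunsplit((scheme, original_host, parts.path, parts.query, parts.fragment))

    def __call__(self, environ, start_response):
        original_host = environ.get("HTTP_X_ORIGINAL_HOST")
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", "https")

        def patched_start(status, headers, exc_info=None):
            if status.startswith("3"):   # only redirect responses carry Location
                headers = [(k, self.rewrite_location(v, original_host, scheme)
                            if k.lower() == "location" else v) for k, v in headers]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)

def demo_app(environ, start_response):
    """Constructed backend: redirects to its own azurewebsites.net login page."""
    start_response("302 Found", [("Location", "https://webapp2.azurewebsites.net/login")])
    return [b""]

def run(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, headers dict)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    list(app(environ, start_response))   # consume the body iterable
    return captured["status"], dict(captured["headers"])

wrapped = OriginalHostRedirects(demo_app, ["www.mydomain.com"], ["webapp2.azurewebsites.net"])
```

With the gateway's header present, `run(wrapped, {"HTTP_X_ORIGINAL_HOST": "www.mydomain.com"})` yields a Location of https://www.mydomain.com/login; with the header absent or naming an unknown host, the backend's original Location is passed through unchanged.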
