SSL integration for Node.js app behind AWS ELB - node.js

I have AWS instances (behind a load balancer) serving a Node.js / Express app for mobile clients. I would like to enable SSL for the API calls on this app. There are multiple tutorials on how to enhance my Express app to use SSL, but can folks advise please what should be the ELB configuration in such a scenario?
Should I have the ELB listeners (both load-balancer side as well as instance-side) to be http (not https)? And then make the Node.js app use a certificate from say LetsEncrypt?
Or should I instead have the load balancer be https based (and thus have its own associated certificate from AWS Certificate Manager)? In that case, what happens to the LetsEncrypt certificate - do I still integrate that with the Node.js app?
Many thanks!

You would enable SSL on the load balancer and use an ACM certificate. You wouldn't need an SSL certificate on the NodeJS server unless you just want the communication between the ELB and the server to also be encrypted.
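With TLS terminated at the load balancer as described in the answer above, the Node.js process only ever sees plain HTTP, so HTTPS enforcement has to rely on the `X-Forwarded-Proto` header the ELB adds. The following is an added example, not code from the original question or answer; the names `decide` and `handler`, the hostname `api.example.com` and the `/health` path are assumptions chosen for illustration, and the header can only be trusted when the instances accept traffic from the ELB alone.

```javascript
// Added example: HTTPS enforcement for a Node.js app whose TLS is terminated
// at the ELB. The instance-side listener is plain HTTP; the ELB passes the
// client's original scheme in X-Forwarded-Proto.

const ALLOWED_HOSTS = new Set(['api.example.com']); // assumption: your public hostname
const HEALTH_PATH = '/health';                      // assumption: ELB health-check path
const HSTS = 'max-age=31536000';                    // keep clients on HTTPS for one year

// Pure decision function: what to do with a request, given its headers and URL.
function decide(req) {
  const proto = String(req.headers['x-forwarded-proto'] || '').toLowerCase();
  const url = req.url || '';
  if (!url.startsWith('/')) return { action: 'reject', status: 400, headers: {} };

  if (proto === 'https') {
    return { action: 'serve', status: 200, headers: { 'Strict-Transport-Security': HSTS } };
  }
  // Assumption: health checks are sent by the ELB itself over HTTP, without
  // X-Forwarded-Proto, so they must not be redirected.
  if (proto === '' && url === HEALTH_PATH) {
    return { action: 'serve', status: 200, headers: {} };
  }
  // Redirect only to a known hostname; never echo an arbitrary Host header.
  const host = String(req.headers.host || '').toLowerCase().replace(/:\d+$/, '');
  if (!ALLOWED_HOSTS.has(host)) return { action: 'reject', status: 400, headers: {} };
  return { action: 'redirect', status: 301, headers: { Location: `https://${host}${url}` } };
}

// Handler for http.createServer(handler).listen(8080) on the instance.
function handler(req, res) {
  const d = decide(req);
  if (d.action !== 'serve') {
    res.writeHead(d.status, d.headers);
    return res.end();
  }
  res.writeHead(200, { 'Content-Type': 'application/json', ...d.headers });
  res.end(JSON.stringify({ ok: true }));
}

// Constructed sample requests, as the instance would see them behind the ELB.
const samples = [
  { url: '/v1/items', headers: { host: 'api.example.com', 'x-forwarded-proto': 'https' } },
  { url: '/v1/items', headers: { host: 'api.example.com', 'x-forwarded-proto': 'http' } },
  { url: '/health', headers: { host: '10.0.1.12' } },
  { url: '/v1/items', headers: { host: 'other.example', 'x-forwarded-proto': 'http' } },
];
for (const s of samples) console.log(s.url, JSON.stringify(decide(s)));
```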

Related

HTTPS certificates - how to set on my architecture

I have a Nodejs/Express application running on AWS. My public URL (www.example.com) is registered in a host provider (SiteGround).
My host provider DNS entry for the application points to AWS (application.example.com points to my AWS public IP).
My host provider has also our company web site running WordPress.
So, if you point to our public URL you get our website. Pointing to the application you get our SaaS login page.
All of that runs fine with HTTP. I have now a task to migrate everything to HTTPS. I've checked how to add HTTPS to nodejs, all fine.
My question is related to certificates. Questions:
a) Should I get the SSL certificate on my host company or on AWS? Both offer the certificates.
b) Do I need a certificate on AWS (to be added to nodejs) and at my domain (to allow HTTPS domain access) or just in nodejs ?
It does not matter from where you get your certificate as long as your provider gives you an authorized certificate. However, if you use Amazon's certificate manager, it can be easier to integrate with their services.
If you are serving your application through AWS load balancer then you don't need to add it to the Node.js application, instead you get a certificate through the certificate manager and add it to the listening interface in the load balancer, it gets served automatically this way.
Create a Classic Load Balancer with an HTTPS Listener
HTTPS Listeners for Your Application Load Balancer
If you are serving your application directly, then you will need to add it to the Node.js application (e.g. using https module).
I'll try to answer each question below:
a) Should I get the SSL certificate on my host company or on AWS? Both offer the certificates.
If the Amazon issued certificate is strong enough for your needs, like basic https encryption, I would opt to use them for the sake of simplicity. You just need to fill the form, validate and Amazon is in charge of making it secure and renew it automatically when it expires.
b) Do I need a certificate on AWS (to be added to nodejs) and at my domain (to allow HTTPS domain access) or just in nodejs ?
AWS issued certificates can only be used with AWS managed services such as Application Load Balancer and CloudFront - CDN. There are many docs explaining about how to setup an ELB with AWS Certificate and EC2 Backend, check Create a Classic Load Balancer with an HTTPS Listener
In order to use them inside your EC2 vm you would need to download and configure it in your webserver. I think AWS will never allow it to avoid security breaches.
It doesn't matter how you will get a certificate. You can request free certificates with Letsencrypt using API, you can create certificates in AWS Load Balancer (but don't forget to check if AWS certificate limitations are fine for your case)
AWS LoadBalancer will be in front of your EC2 so it will sign certificates for you.
If you have an option to get certificate files (e.g. you create certificates yourself by using letsencrypt or other cert provider), you should keep certificates on your EC2 instance (if you have multiple instances, you should keep certificates on each instance). And you should use Network Load Balancer on tcp level, so NLB will just proxy your traffic which was already signed correctly.
Also you can use existing third-party solutions from AWS marketplace or non-AWS solutions. E.g. you can use AWS Kilo SLL. It is easy to setup, it will create and renew certificates for your domains. So you will have just an extra EC2 instance which will sign all your traffic depending on the request domain. Mostly sure there are other alternatives similar solution to use, for our 240 domains Kilo works fine.

AWS SSL cert for server api

I use netlify.com for the front-end (React.js) which automatically comes with https, but it's not allowing me to make https requests to the express server as my express server does not have a cert.
How do I get a cert for my express server (which serves only RESTFUL APIs) with AWS Certificate Manager? It's asking for domain name but all I have is a static IP for the AWS EC2 instance.
If AWS Certificate Manager is not suitable for this case, what's the easiest free way to get a cert and set it up for the Express server? I'm running the Express server directly via node, without apache/nginx.
You will have to point a domain name to the REST API server. You can't request an SSL certificate for an IP address. Do you not own a domain name that is pointing to your React app already? You should setup a subdomain like api.example.com that points to your API server, and then request an Amazon SSL certificate for that subdomain.
Note, you must be using an Elastic Load Balancer or CloudFront to use an Amazon Certificate Manager SSL certificate. You can't install it directly on an EC2 instance.

configuring https with express on aws elastic-beanstalk

I have an Express app running on AWS EB which I want to secure with SSL. From what I understand I can either set this up at the application level using the https module or at the EB environment level by applying the certificate to the load balancer.
I have done the second of these two options and have it working but I'm unsure on the best practice. Should I be doing it at the express application level or via the EB Load balancer or should I be doing both?
Adding SSL certificate at the ELB level is the right choice which I believe should be sufficient.
The advantage is when you have SSL Certificates at ELB level, offloading happens at multiple servers managed by Amazon used for ELBs, reducing the computational demand from your web server. Also the configuration is lean & transparent.
Note: For added security you can place the web servers in private subnets while keeping ELB public.

Deploy https node express server to host website on AWS EC2

I'm quite new to this. I have a node-express https server that currently runs locally on my machine. My simple website runs on this https sever and make xmlhttp requests to consume some APIs (as these APIs only accept requests from https endpoint). At the moment I'm using a self signed SSL certificate.
I'd like to deploy the server with html, js files to EC2 and make it accessible to the public. My questions are
Can I use AWS Certificate Manager to generate a SSL certificate, and how to use it with node-express server? Can node-express use this SSL certificate on EC2? or do I need to use this SSL certificate with Elastic Beanstalk and ELB?
I did some research but the ACM documentation said an email will be sent to the registered domain owner for each domain name in the certificate request. I don't have a domain as I plan to have users access my site using IP address. What do I do in this case?
Many thanks for your help!
You can't use an ACM certificate directly with NodeJS. You have to place a load balancer in front of your server and install the ACM certificate on the load balancer.
The ACM service does not support SSL certificates for IP addresses, only domain names. I recommend obtaining a domain name.

HTTPS requirements - express server on AWS elastic beanstalk

I have written an express application which I have deployed on AWS. I want to understand if I need to enable https in my node js express server code or if the https enabled in the AWS console is enough, i.e. is https between the web client and the AWS load balancer enough to protect my site or do I need to enable https within AWS infrastructure internally as well. Are there any other security considerations to be aware of in this scenario?
