I used a self-signed OpenSSL certificate for APIs, but when they are used client side it shows an error message in the secured response. How do I provide an original SSL cert? I'm using Elastic Beanstalk in AWS to host the APIs. There I have come across ACM, which is integrated with Elastic Load Balancing and Amazon CloudFront. So which one should I use of those two? If I use either of them, will that be enough in production mode? Or should I use something else?
You can set up a certificate with ACM that matches your DNS record. Then point that DNS record to your Elastic Beanstalk environment's DNS record, which will be something like ENV-name.76p5XXXX22.us-east-1.elasticbeanstalk.com
AWS has a document you can follow here.
Let's begin.
For development purposes, a self-signed certificate is okay. You can set NODE_TLS_REJECT_UNAUTHORIZED=0 in the environment variables.
For AWS Elastic Beanstalk behind a load balancer, there are two ways:
One-way encrypted - In this you add a certificate on your load balancer only. This way, client to load balancer is encrypted and then load balancer to instances is unencrypted. This is safe. I use this. This way I don't have to use any certificates on my instances and I run a normal HTTP server on the instances. You can choose whether to allow only HTTPS from the load balancer settings.
End-to-end encrypted - In this you use a certificate on your instances as well, and you can choose to forward encrypted traffic directly from the load balancer to your instances, or you can decrypt and re-encrypt the traffic and send it to the instances. I don't have any experience with this. The first option is suitable for most cases. Refer to this: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html
I have an Express.js application running on an AWS EC2 instance that acts as a REST API for my application. If I want to add an SSL certificate for my Express.js API, what should I do?
1) Do I need to get a domain with SSL certification and map it to my EC2 IP address?
2) Or is it enough to put AWS API Gateway in front of my EC2 instance, use the free SSL from ACM, and get a domain without SSL?
3) Or get a domain with SSL and also SSL in ACM?
(kind of confused with understanding domain and ssl, any help would be appreciated)
Thanks in advance.
The default pattern for this kind of use case, assuming that you don't want to manage a domain + certificate, is to put your EC2 instance behind a service that integrates with ACM, such as Elastic Load Balancing (ELB) or an Amazon CloudFront distribution.
API Gateway, while also giving you an SSL certificate, would also bring many other features that you'd still have to pay for.
Example
EDIT:
Original question was not formatted properly and I missed option 3).
If you are going to get a domain, then you have other options such as managing it with Route53 and directing your traffic to the EC2, or do the same but with the domain registrar. This assumes that the EC2 has a static IP address that allows you to address it. At this point, you can get an SSL Cert either via AWS ACM or by other means directly on the EC2 (i.e. Let's Encrypt). The difference between the two, aside from price, would be that one requires you to manage your own certificate while the other is an AWS managed service.
I have 3 app servers running a NodeJS/ExpressJS app and a load balancer in front of them that routes the incoming requests (round robin). This setup is currently HTTP based and we would like to have a TLS certificate installed to make it HTTPS. Our devops guy has left the company and we have a huge gaping hole in understanding and maintaining this. I am pretty sure this setup does not have Apache or nginx in front of the app servers. So how does load balancing work without nginx or Apache? Does the load balancer have to run on a server by itself? If so, is that where we need to install the TLS/SSL certificate? All servers we use are Linux based.
Generally, HTTPS termination happens on the load balancer and a normal HTTP connection is made between the load balancer and the server. If you do this, please ensure the servers are not publicly exposed (not accessible from the internet directly without the load balancer).
Install the certificate on the load balancer and configure it to make HTTP requests from the load balancer to the server. I am assuming you are using some IaaS (such as AWS, GCP, etc.) and these settings are readily available in their documentation.
Typically in AWS, the AWS Application Load Balancer is used for load balancing, which is a managed service provided by AWS where you pay per hour and based on the traffic. Also, it is possible to terminate the TLS/SSL at the load balancer level (where it's also possible to use free SSL certificates from AWS Certificate Manager).
Since this load balancer is a managed service, high availability and fault tolerance are taken care of by AWS.
AWS has come up with a new service AWS Certificate Manager. One thing I got from the description is that if we are using this service we don't have to pay for the certificate anymore.
They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.
Is there any way to use the certificate with EC2?
Q: Can I use certificates on Amazon EC2 instances or on my own servers?
No. At this time, certificates provided by ACM can only be used with specific AWS services.
Q: With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• Amazon API Gateway
https://aws.amazon.com/certificate-manager/faqs/
You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.
You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.
No, you cannot use AWS Certificate Manager for deploying certs on EC2. The Certificate Manager certs can only be deployed against CloudFront and Elastic Load Balancer. In order to use it on EC2, you need to put an ELB in front of EC2, so that the request from the client to the load balancer will be HTTPS protected and from the ELB to the EC2 web server will be over HTTP.
If you are using an AWS ACM cert for internal purposes only, then you could probably use AWS ACM Private CA to issue the certs. (I think you can use it for public/external traffic as well if your root CA is a publicly trusted CA.)
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetStarted.html
During application/EC2/container startup, set a step to export your ACM Private CA issued cert/private key to your destination and start referring to that for serving the traffic.
https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html
One good thing is, you can control who can call the export cert feature using an IAM role, so not everyone can download the private key of the cert.
One downside with this is that Private CA is an expensive AWS service ($400/month).
https://aws.amazon.com/certificate-manager/pricing/
Adding to the comments above, you can't use AWS Certificate Manager for this, but you can add a Let's Encrypt certificate to EC2 on a Windows server running IIS, and it's pretty easy:
Associate an Elastic IP with your EC2 instance.
Make sure you have a registered domain. You can't use ec2----------.us-east-1.compute.amazonaws.com type names that come with your instance.
Through your domain provider's DNS settings, have your domain point to your Elastic IP.
Connect to your EC2 instance and add your domain name to the site bindings.
Go to https://github.com/PKISharp/win-acme/releases
Look under assets, and use the latest version (win-acme.v2.0.10.444.zip for example). This is the only assets folder that you need.
Unzip the folder, open the terminal as administrator, and cd into the unzipped folder.
Run wacs.exe and follow the prompts.
Make sure the security group assigned to your instance allows traffic (at the very least your own IP) through the HTTPS port you chose in IIS; this is port 443 by default.
I found the links below helpful when I was figuring this out. Here is a video using an earlier release if you need more help, but it's the same idea.
https://www.youtube.com/watch?v=fq5OUOjumuM
Also this article might be helpful:
https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows
I fear that this might be a programming question, but I am also hopeful that it is common enough that you might have some suggestions.
I am moving to a fail-over environment using AWS elastic load balancers to direct the traffic to the EC2 instances. Currently, I have set up the ELB with a single EC2 instance behind it. You will see why in a moment. This is still in test mode, although it is delivering content to my customers using this ELB -> EC2 path.
In each of my production environments (I have two) I have an AWS certificate on the load balancer and a privately acquired security certificate on the EC2 instance. The load balancer listeners are configured to send traffic received on port 443 to the secure port (443) on the EC2 instance. This is working; however, as I scale up to more EC2 instances behind the load balancer, I have to buy a security certificate for each of these EC2 instances.
Using a recommendation that was proposed to me, I have set up a test environment with a new load balancer and its configured EC2 server. This ELB server sends messages received on its port 443 to port 80 on the EC2 system. I am told that this is the way it should be done - limit encryption/decryption to the load balancer and use unencrypted communication between the load balancer and its instances.
Finally, here is my problem. The HTML pages being served by this application use relative references to the embedded scripts and other artifacts within each page. When the request reaches the EC2 instance (the application server) it has been demoted to HTTP, regardless of what it was originally. This means that the references to these embedded artifacts are rendered as insecure (HTTP). Because the original page reference was secure (HTTPS), the browser refuses to load these insecure resources.
I am already using the header X-Forwarded-Proto within the application to determine if the original request at the load balancer was HTTP or HTTPS. I am hoping against hope that there is some parameter in the EC2 instance that tells it to render relative references in accordance with the received X-Forwarded-Proto header. Barring that, do you have any ideas about how others have solved this problem?
Thank you for your time and consideration.
First of all, it is the right way to go by having the SSL termination at the ELB/ALB and then having a security group assigned to EC2 that only accepts traffic from the ELB/ALB.
However, responding with HTTPS URLs based on the X-Forwarded-Proto request header, or based on custom configuration, needs to be handled in your application code or web server.
We have an internal load balancer deployed in Azure, with 4 VMs currently in the same load balancer set. We have software deployed as IaaS; it is essentially running as a Windows service taking traffic from a pre-configured port (not 443).
I am trying to figure out how this will work, to my understanding, internal load balancer does not offload SSL, so my call will be end to end from client to the VM (could be any of the 4), I can configure the software to listen for a secure socket on same load balancer ports, but how should I configure my client to call 4 servers, which certificate to use in this case?
And, what if we have more VM adding to the picture?
Azure Load Balancer (including the Internal one) operates at the network layer, so it does not do SSL offloading or things like cookie-based affinity. If that's what you need, you may look into something like Azure Application Gateway or third-party layer 7 load balancers (Nginx Plus, Barracuda WAF, etc).
In your case, with the standard ILB, all requests will be routed to one of the 4 VMs, and all of them will need to have the SSL certificate installed (the same one in all VMs). SSL certificates, indeed, are bound to a specific hostname, but not a specific machine: if you need to load balance, you're free to re-use the same certificate (and private key) on every instance, as long as they all respond to the same hostname publicly.
Azure Load Balancer does not provide SSL offloading. You could leverage KEMP LoadMaster for Azure and configure SSL offloading by uploading the certificate on the LoadMaster and allowing non-SSL or SSL traffic to the 4 internal VMs. You can find the details at the link below:
https://kemptechnologies.com/solutions/microsoft-load-balancing/loadmaster-azure/
Regards,
Krishna