HTTPS requirements - express server on AWS elastic beanstalk - node.js

I have written an express application which I have deployed on AWS. I want to understand if I need to enable HTTPS in my Node.js Express server code or if the HTTPS enabled in the AWS console is enough, i.e. is HTTPS between the web client and the AWS load balancer enough to protect my site, or do I need to enable HTTPS within the AWS infrastructure internally as well? Are there any other security considerations to be aware of in this scenario?

Related

How do I fix the error when setting up an AWS Application Load Balancer for an Angular+NodeJS web application

I set up an Application Load Balancer (AWS) for my website. In my website, I have Angular as my frontend, and I have NodeJS and Neptune DB as my backend.
Browser (Local Machine) -> ALB -> EC2 Instance (Web).
I have a URL for my web (https://example.com), so when I make a request to https://example.com in my local machine browser, Angular will do an API call using httpclient.get() to fetch data from NodeJS at https://example.com/api/ticket.
So my question is: when Angular fetches data from NodeJS, will the API call bypass the ALB, and what is the host then? Or will NodeJS recognize that the request is from the local machine?
I assume you are using an ALB with host-based routing. In this case you can have a 443 rule for example.com forwarding requests to the EC2 instance. Then in the NodeJS application you can have that API called using the same URL.
This means that the request will be routed through the ALB, which is also the best practice.

How to deploy Node.js Express server + Vue.js app on AWS EC2

I'm setting up my website, which would run on an AWS Ubuntu EC2. It is a Vue.js SPA relying on a Node.js Express app with API calls and socket.io. So far both apps are working: the backend is on my AWS EC2 free tier, behind an Elastic Load Balancer, and the frontend is on my machine since I am working on it. Now I would like to deploy the frontend to my AWS EC2 as well, but I'm confused about how to do it correctly. The tutorials I've found are using nginx, but I'm not sure that I need nginx as I already have an AWS ELB. Any advice would be great :)
As it says here: "If you are developing your frontend app separately from your backend - i.e. your backend exposes an API for your frontend to talk to, then your frontend is essentially a purely static app."
I would choose S3 to host the Vue app because it's static and can be served using S3, and
I would choose EC2 for hosting my API (server code). I'd also make an Elastic IP to talk to my EC2 server so that on restart I don't have to handle the dynamic IPs.
Steps to make your website live:
First pull your Node Express server onto your EC2 instance.
Start your Node Express server; use pm2 to serve it as a service.
Expose the served port from the security groups of the EC2 instance.
Make an S3 bucket on AWS and upload files to it.
Tip: just click the upload button after dropping your files into S3; do not go clicking next.
After uploading, select all the uploaded files and then mark them as public.
After uploading, go to the properties of that bucket, then choose static web hosting and type index.html in the asked field.
TIP: do not use a load balancer for this application; use one only when you distribute your system across multiple EC2s.

SSL integration for Node.js app behind AWS ELB

I have AWS instances (behind a load balancer) serving a Node.js / Express app for mobile clients. I would like to enable SSL for the API calls on this app. There are multiple tutorials on how to enhance my Express app to use SSL, but can folks please advise what the ELB configuration should be in such a scenario?
Should I have the ELB listeners (both load-balancer side as well as instance-side) to be http (not https)? And then make the Node.js app use a certificate from say LetsEncrypt?
Or should I instead have the load balancer be https based (and thus have its own associated certificate from AWS Certificate Manager)? In that case, what happens to the LetsEncrypt certificate - do I still integrate that with the Node.js app?
Many thanks!
You would enable SSL on the load balancer and use an ACM certificate. You wouldn't need an SSL certificate on the NodeJS server unless you just want the communication between the ELB and the server to also be encrypted.

configuring https with express on aws elastic-beanstalk

I have an Express app running on AWS EB which I want to secure with SSL. From what I understand I can either set this up at the application level using the https module or at the EB environment level by applying the certificate to the load balancer.
I have done the second of these two options and have it working but I'm unsure on the best practice. Should I be doing it at the express application level or via the EB Load balancer or should I be doing both?
Adding an SSL certificate at the ELB level is the right choice, which I believe should be sufficient.
The advantage is that when you have SSL certificates at the ELB level, offloading happens at multiple servers managed by Amazon used for ELBs, reducing the computational demand on your web server. Also, the configuration is lean and transparent.
Note: For added security you can place the web servers in private subnets while keeping the ELB public.
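The two answers above both terminate TLS at the load balancer. The one thing the Express app then still has to get right is how it treats the balancer's X-Forwarded-Proto header. The following is an added example, not code from any post on this page: an Express-style middleware that trusts the header only from the balancer's (assumed 10.0.0.0/8) address range, sends HSTS on HTTPS requests, and redirects GET/HEAD requests that reached the balancer over plain HTTP. It is written as plain functions so it runs without the express package; `isTrustedProxy()` is an assumed helper standing in for Express's `app.set('trust proxy', ...)`.

```javascript
// Added example, not code from any post on this page: Express-style middleware
// for an app whose TLS is terminated at an AWS ELB/ALB. The balancer forwards
// plain HTTP to the instance and sets X-Forwarded-Proto, so the app should
// (1) trust that header only when the request came from the balancer and
// (2) redirect requests that reached the balancer over plain HTTP.

const HSTS = 'max-age=31536000; includeSubDomains';

// Assumed (constructed) VPC layout: the balancer reaches instances from 10.0.0.0/8.
function defaultIsTrustedProxy(ip) {
  return typeof ip === 'string' && ip.replace(/^::ffff:/, '').startsWith('10.');
}

// Scheme the client used; X-Forwarded-Proto from an untrusted peer could be forged, so ignore it.
function clientProtocol(req, isTrustedProxy = defaultIsTrustedProxy) {
  const fwd = req.headers['x-forwarded-proto'];
  if (fwd && isTrustedProxy(req.socket.remoteAddress)) {
    return String(fwd).split(',')[0].trim().toLowerCase(); // first hop wins
  }
  return req.socket.encrypted ? 'https' : 'http';
}

function forceHttpsBehindElb(isTrustedProxy = defaultIsTrustedProxy) {
  return function (req, res, next) {
    if (clientProtocol(req, isTrustedProxy) === 'https') {
      res.setHeader('Strict-Transport-Security', HSTS);
      return next();
    }
    if (req.url === '/health') return next(); // balancer health checks are plain HTTP
    if (req.method !== 'GET' && req.method !== 'HEAD') {
      res.statusCode = 403; // redirecting would silently drop the request body
      return res.end('HTTPS required');
    }
    const host = req.headers.host;
    if (!host || !/^[a-z0-9.-]+(:\d+)?$/i.test(host)) { // never redirect to a forged host
      res.statusCode = 400;
      return res.end('Bad Host header');
    }
    res.statusCode = 301;
    res.setHeader('Location', 'https://' + host + (req.originalUrl || req.url));
    return res.end();
  };
}

// Runs the middleware on a constructed request object and reports the outcome.
function simulate(req, isTrustedProxy) {
  const res = { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v; }, end() {} };
  let passed = false;
  forceHttpsBehindElb(isTrustedProxy)(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, headers: res.headers };
}
```

In a real app the middleware is registered with `app.use(forceHttpsBehindElb())` before any routes, and the balancer's health check path and instance security group should only admit the balancer, so the fallback branch in `clientProtocol` is rarely reached.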

Security of hosting a RESTful API server on AWS Beanstalk or EC2

I want to host a RESTful API on AWS Beanstalk or EC2 so a client server in an on-premise data center can use it.
Is it secure to host a RESTful API server on AWS Beanstalk or EC2 without authentication and secure it only with a security group?
I put the client IP address into the security group which the Beanstalk or EC2 instance uses. So only the client with this IP address can connect to the RESTful API server.
The client is located outside AWS in an on-premise data center.
Are there any better solutions to handle this problem? I know it is possible to connect an AWS VPC with an on-premise network, but that seems to be too expensive for us in such a small use case.
Is it secure to host a RESTful API server on AWS Beanstalk or EC2 without authentication and secure it only with a security group?
No, authentication-less access is not a recommended method for securing a RESTful API, but the security provided by AWS security groups is rock solid.
Another suggestion would be implementing HTTPS instead of HTTP. Please go through this article: http://aws.amazon.com/articles/1928
