DNS setup from Cloudflare to Amazon API Gateway

I have a website mydomain.com with the DNS configured through Cloudflare. I am in the process of setting up an API accessible through api.mydomain.com.
The servers I use are hosted on Digital Ocean, but I would like to use some of the features of the Amazon API Gateway interface (I will later be migrating all servers over to Amazon). The API server is the same as the website (again, this will later be separated, but for now the effective A record is the same Digital Ocean node). The API Gateway interface is configured and I can access it just fine through the provided endpoint someamazonendpointurl.com/stage.
On Amazon I have created a Cloudflare distribution with origin api.mydomain.com. It has some basic HTTP to HTTPS behaviours along with query string parameters. I then set a CNAME record on Cloudflare to point to the endpoint URL. When I try to access api.mydomain.com, though, I get the Chrome error:
ERR_TOO_MANY_REDIRECTS
Does anyone have any idea what I might have misconfigured? I realise this is a bit of an odd setup, but it is a stop-gap while we migrate our servers over to Amazon.
UPDATE
I noticed I had a CNAME record in CloudFront to api.mydomain.com. I've now removed this but get:
ERROR
The request could not be satisfied.
Bad request.
Generated by cloudfront (CloudFront)
Request ID: <id>

Most likely you have your SSL mode on Cloudflare set to "Flexible", which doesn't use HTTPS to connect to the origin server. API Gateway tries to redirect non-secure requests, so you have a redirect loop.
Set your SSL mode to "Full" and you should be good to go! You can do this on the "Crypto" tab of the Cloudflare dashboard.
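The loop the answer describes can be reproduced without touching any network. The following is an added example, not code from the thread: it models an origin that redirects plain HTTP to HTTPS (as API Gateway does), a Cloudflare edge in either "Flexible" or "Full" mode, and a browser that follows `Location` headers until it sees a repeated URL. The hostname api.example.com and the 20-hop limit are assumptions chosen for the simulation.

```python
"""Added example (not from the original thread): simulate why Cloudflare's
"Flexible" SSL mode yields ERR_TOO_MANY_REDIRECTS in front of an origin that
redirects HTTP to HTTPS, and why "Full" mode does not.

Origin, edge and browser are modelled in-process; no network access is used.
"""
from urllib.parse import urlsplit

MAX_HOPS = 20          # assumption: roughly where browsers give up
HOST = "api.example.com"  # assumption: constructed hostname for the model


def origin(scheme: str, path: str) -> tuple[int, dict]:
    """Model of an origin that insists on HTTPS: a plain-HTTP request gets a
    301 to the https:// form of the same URL; an HTTPS request gets 200."""
    if scheme != "https":
        return 301, {"Location": f"https://{HOST}{path}"}
    return 200, {}


def cloudflare_edge(mode: str, request_url: str) -> tuple[int, dict]:
    """Model of the Cloudflare edge. The client-to-edge scheme is whatever the
    client used; the edge-to-origin scheme depends on the SSL mode:
      flexible     -> always plain HTTP to the origin
      full/strict  -> mirrors the client's scheme (https stays https)
    """
    parts = urlsplit(request_url)
    if mode == "flexible":
        origin_scheme = "http"
    elif mode in ("full", "full_strict"):
        origin_scheme = parts.scheme
    else:
        raise ValueError(f"unknown SSL mode: {mode}")
    return origin(origin_scheme, parts.path or "/")


def follow_redirects(mode: str, url: str, max_hops: int = MAX_HOPS) -> dict:
    """Act like a browser: follow Location headers until a non-redirect
    response, a URL already visited (a loop), or the hop limit is reached.
    Returns a summary dict with the full request trace."""
    trace = []
    current = url
    for hop in range(max_hops):
        status, headers = cloudflare_edge(mode, current)
        trace.append((current, status))
        if status not in (301, 302, 307, 308):
            return {"result": "ok", "status": status, "hops": hop, "trace": trace}
        nxt = headers["Location"]
        if any(seen_url == nxt for seen_url, _ in trace):
            return {"result": "redirect_loop", "hops": hop + 1, "trace": trace}
        current = nxt
    return {"result": "too_many_redirects", "hops": max_hops, "trace": trace}


if __name__ == "__main__":
    for mode in ("flexible", "full"):
        summary = follow_redirects(mode, f"https://{HOST}/v1/ping")
        print(f"{mode:9s} -> {summary['result']} after {summary['hops']} hop(s)")
        for visited, status in summary["trace"]:
            print(f"            {status} {visited}")
```

In Flexible mode the very first hop already comes back as a 301 to the URL the browser started from, so the loop is detected immediately; in Full mode the HTTPS request reaches the origin as HTTPS and returns 200. Starting from a plain `http://` URL in Full mode shows the intended single redirect rather than a loop.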

Related

extending Cloudflare hosted security to the not-cloudflare resources

Hello, I'm a dev recently diving into Cloudflare security layers and have a few questions about the security of a website deployed to Cloudflare. I'm using Pages and my domain is directly hosted by Cloudflare Registrar. I'm also using the security layers provided with the Cloudflare infrastructure, including [ Bots, DDoS, Settings, Page Shield ], which can be found in the Security tab of my domain in the Cloudflare dashboard. Below is the list of my questions:
security layers in use: [ Bots, DDoS, Settings, Page Shield ]
I'm using Firebase Hosting to link my Firebase Functions with the domain which is hosted by Cloudflare. In this case, do the above listed security layers of Cloudflare automatically protect the Firebase Hosting resources or traffic?
I'm using Cloudflare Workers to manage Durable Objects. The Workers' functions are also linked to the same root domain with a different subdomain. In this case, do the above listed security layers of Cloudflare automatically protect the Worker traffic?
The proxy status of the Firebase Hosting connection is "DNS only" mode (not "Proxied" mode), since in the case of Proxied, the DNS connection does not work (I didn't figure out the reason yet...). In this case, it makes me feel like the Firebase Hosting resources are not being protected, since the orange switch in the DNS dashboard is turned off.
Please note that the Cloudflare plan is Pro.
Thank you in advance [:
For the products you are listing, Cloudflare is implemented as a reverse proxy.
This means that from an end user perspective, when they try to connect to your services, their traffic reaches Cloudflare first (since a proxied record resolves to a Cloudflare anycast IP). Cloudflare carries out the features and security services that are configured, then forwards the HTTP requests to your origin infrastructure as specified in your Cloudflare DNS tab. This is true when the traffic is directed to proxied records.
For records in DNS-only mode, Cloudflare only performs DNS resolution (answering to the DNS query for that DNS record). Once this is done, the client will connect directly to the specified resource and the traffic will not be flowing through the Cloudflare network, meaning Cloudflare cannot provide proxy services in this scenario.
For a full explanation, I recommend the following documentation page.
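A practical way to verify the distinction the answer draws is to look at what each hostname actually resolves to: a proxied record answers with a Cloudflare anycast address, a DNS-only record answers with the provider's own address, and only the former passes through Bots, DDoS, WAF and Page Shield. The following is an added example, not code from the thread or from Cloudflare. The edge ranges are a snapshot of the list Cloudflare publishes at https://www.cloudflare.com/ips/ and should be treated as an assumption to refresh before use; the DNS answers are constructed in-memory so the script runs offline (a live check would call `socket.getaddrinfo` instead).

```python
"""Added example (not from the original thread): classify hostnames as
"proxied" (traffic enters Cloudflare's reverse proxy and gets the security
layers) or "dns_only" (clients connect straight to the origin) by checking
whether every address they resolve to lies in Cloudflare's edge ranges.
"""
import ipaddress

# Assumption: snapshot of https://www.cloudflare.com/ips/ ; refresh before use.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Constructed DNS answers standing in for a live resolver. The "pages" and
# "workers" names answer with Cloudflare addresses (proxied); the Firebase
# Hosting name answers with a non-Cloudflare address (DNS only).
CONSTRUCTED_DNS = {
    "www.example.com":       ["104.16.1.1", "2606:4700::1"],
    "workers.example.com":   ["2606:4700:3030::1"],
    "functions.example.com": ["198.51.100.7"],          # TEST-NET-2, constructed
    "mixed.example.com":     ["104.16.1.1", "198.51.100.7"],
}


def is_cloudflare_edge(addr: str) -> bool:
    """True if the address belongs to one of Cloudflare's published ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def proxy_state(host: str, resolver=None) -> str:
    """Return "proxied", "dns_only", "mixed" or "unresolved" for a hostname.

    resolver maps hostname -> list of address strings; it defaults to the
    constructed table above so the example runs offline.
    """
    table = CONSTRUCTED_DNS if resolver is None else resolver
    addrs = table.get(host, [])
    if not addrs:
        return "unresolved"
    flags = [is_cloudflare_edge(a) for a in addrs]
    if all(flags):
        return "proxied"
    if not any(flags):
        return "dns_only"
    return "mixed"   # some answers bypass the proxy: worth investigating


def audit(hosts, resolver=None) -> dict:
    """Classify every hostname and return {host: state}."""
    return {h: proxy_state(h, resolver) for h in hosts}


if __name__ == "__main__":
    for host, state in audit(CONSTRUCTED_DNS).items():
        note = "" if state == "proxied" else "  <- Cloudflare security layers do not apply"
        print(f"{host:24s} {state}{note}")
```

Only hostnames reported as `proxied` sit behind the reverse proxy; a `dns_only` result (the situation the question describes for Firebase Hosting) means the client reaches the origin directly, and a `mixed` result means some resolvers will bypass Cloudflare entirely, which is worth fixing before assuming any protection.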

Can't connect to Cloudflare with A - DNS

My Ubuntu server works correctly on port 80 using nginx; it then switches to port 3000 for the Node.js app to run. Everything is okay when I put the DNS name into the browser, but when I try to connect through Cloudflare, a 502 Bad Gateway code appears when accessing the domain name. I'm kind of new to CDN hosting, please tell me what to do! Many thanks
My Cloudflare Setup
Assuming you are running your web service on port 80, publicly available:
What you could do is disable the encryption between Cloudflare and your origin (not recommended):
Select your Domain, go to SSL/TLS -> Overview. Select "Off (not secure)"
But you really shouldn't do this for a production environment.
Your nginx should support encrypted traffic over HTTPS.
Issue a self-signed certificate (not recommended), have a look at certbot, or better:
Issue a Cloudflare Origin Certificate (SSL/TLS -> Origin Server)

HTTPS/SSL Certificates and traffic on Azure - From CDN (custom domain with SSL) to Traffic Manager and end to end flow

We have been working on a flow of upstream services on Azure. The following is the architecture:
User -> DNS -> Azure CDN -> Azure Traffic Manager -> Frontend Load Balancer (Firewall NVA) -> Azure Application Gateway -> Backend Pool (VM-Webserver)
The above flow was designed for a client and we are provisioning the same. The entire end to end flow works with HTTP requests.
But for HTTPS with SSL, the flow works only up to Traffic Manager; as soon as we add the CDN to the flow, it gives the error 'Request cannot be served', and when checked in the browser, it shows 502 Bad Gateway in developer tools.
What we have seen so far:
The end to end flow is working seamlessly for HTTP requests.
For HTTPS/SSL requests the following configs have been done:
a) CDN: We have a profile with a custom domain and HTTPS with a certificate enabled over it. The profile has both 80 and 443 enabled
b) Traffic manager : Endpoint set to port 443
c) Application Gateway : Plan to use end to end SSL encryption
i) Listener is on 443 port and has a pfx certificate
ii) HTTP setting with HTTPS and has a cer certificate from the original webserver
We have tried different combinations of configuration with the CDN and Traffic Manager but it doesn't seem to be working. I need this flow to be working end to end for HTTPS requests. This is for a prod migration to Azure.
Sorry for not following up and reverting on this.
As for the above issue and requirements, it was resolved.
Following were the steps taken:
The CDN was configured with the origin type selected as Custom Origin. The origin hostname was given as the Traffic Manager URL, e.g. abc.trafficmanager.net. The origin host header was left blank.
For the Traffic Manager profile, the endpoint was changed to an Azure endpoint, the target resource type was selected as Public IP Address, and the public IP address of the Load Balancer was added.
For Application Gateway, it had to be made sure that we used a PROPER CA-CERTIFIED CERTIFICATE for end to end SSL encryption; we were trying it with a self-signed one, hence it did not work. We purchased one and used it, and the CDN responded as expected.
Another important observation was that, for Application Gateway in the HTTP settings (i.e. backend settings), the same CER certificate can be used for multiple websites for backend server certificate whitelisting.
Set the certificate (cer) that you wish to use as the default certificate on your server, say for a particular website named abcxyz.com. Then the certificate of abcxyz.com can be used for whitelisting the backend for all the websites on that server.
In short, the App Gateway backend only checks if the certificate (cer) is valid; it has nothing to do with the hostname or which domain the certificate is for. If the certificate matches and is valid, it is whitelisted.
So folks, with all the detailed study and trials with logical reasoning, we were able to get the same exact flow as mentioned above working for both HTTP and HTTPS, with SSL encryption as well as SSL offloading for Application Gateway.
Thank you once again for all the support and suggestions !!

How to fix 504 ERROR with route 53, cloudfront distribution and elastic beanstalk

I'm not able to get my Node.js API working using Elastic Beanstalk, a CloudFront distribution and Route 53. I need my API to be running behind SSL, which is why I'm using a CloudFront distribution. I have the following setup.
When I visit my API at https://api.mydomain.com I get a 504 with the error message below.
The actual URL my API is running on (successfully, using Node.js with Elastic Beanstalk) is http://dummy-env.n1eijsdai.eu-west-1.elasticbeanstalk.com. I just want to mask that URL as api.mydomain.com together with SSL.
Is there something I've got wrong / can you suggest anything to try?
Looking through the configuration for CloudFront, this looks strange: the picture shows the setting prefixed with S3, but this API is not on S3 (at least not directly); it is hosted by Elastic Beanstalk.
Thanks,
Error message
504 ERROR
The request could not be satisfied.
CloudFront attempted to establish a connection with the origin, but either the attempt failed or the origin closed the connection.
If you received this error while trying to use an app or access a website, please contact the provider or website owner for assistance.
Route 53
name = api.mydomain.com
Type = (A) Alias target = wqsdn31817
CloudFront Distributions
domain name = wqsdn31817
origin = dummy-env.n1eijsdai.eu-west-1.elasticbeanstalk.com (if I visit this url I see my api running)
SSL certificate = api.mydomain.com
status = deployed
Origin Settings/ Origin Domain Name = http://dummy-env.n1eijsdai.eu-west-1.elasticbeanstalk.com
Origin Settings/ Origin Protocol Policy = HTTPS Only
Elastic Beanstalk
Node.js API (using Express)
In Beanstalk, Environment ID: e-1nasn4, URL: dummy-env.n1eijsdai.eu-west-1.elasticbeanstalk.com
CloudFront serves a 504 only if it either couldn't establish a TCP connection or the HTTP first-byte response took more than what was configured in the origin read/response timeout.
Does your application work directly with the Beanstalk link, or do you have any security group restriction based on IP?
I had the same issue. I found that the security group on the load balancer was not configured.
So I went to EC2 -> Load Balancers -> select your load balancer.
Go to Security and add the security wizard that was created for the EC2 instance.
And you are done.

How to set up a custom subdomain for API Gateway for a site managed by Wix?

Our website mywebsite.com is currently managed by Wix DNS. We wanted to create a subdomain api.mywebsite.com to forward requests to AWS API Gateway. Here are the steps I tried:
Created an ACM certificate for *.mywebsite.com
In the AWS console for API Gateway I created a custom domain and associated it with the ACM certificate I created above. I got a CloudFront target domain name somecloudfrontid.cloudfront.net
I created a CNAME record in Wix that points api.mywebsite.com to somecloudfrontid.cloudfront.net.
But when I try to hit api.mywebsite.com I get this error:
ERROR
The request could not be satisfied.
Bad request. Generated by cloudfront (CloudFront)
Am I missing any step? How can I get this working? Do I need to transfer my domain to AWS Route 53 to make it work with AWS?
I suggest transferring the domain to Route 53. There you can create an alias for your subdomain under Hosted Zones and point it directly to your CloudFront target domain, as well as to several other AWS resources, quite easily.