I open Visual Studio 2019 and create a new project (Container application for kubernetes). I tick enable https support and then when I start debugging in Visual Studio; I can browse to the https address.
I then try to go one step further. I have Kubernetes enabled in Docker Desktop on my development PC and follow these instructions (after opening all the .yaml files and changing all references of https to http and all references of port 80 to port 443):
1) cd C:\mvcsecure
2) docker build -t mvcsecure:stable -f c:\mvcsecure\mvcsecure\Dockerfile .
3) cd c:\mvcsecure\mvcsecure\charts
4) helm install mvcsecure ./mvcsecure/
5) kubectl expose deployment mvcsecure --type=NodePort --name=mvcsecure-service
6) kubectl get service
mvcsecure-service NodePort 10.96.128.133 <none> 443:31577/TCP 6s
7) I then try to browse to: https://localhost:31577 and it says:
Cannot securely connect to this page
Notice there is no option to trust a certificate or anything.
What changes must I make to the default Helm charts created by Visual Studio to get https working on my basic service? I cannot find any documentation or examples online. It would be great to see an example of a https service (mvc or api) deployed to Kubernetes using Helm. I could post the .yaml file code if needed,, however there is a lot of it.
I am wanting to use kubernetes cluster root certificate as described here: How to access a kubernetes service through https?
I have checked that all TLS and SSL options are ticked in Internet Options.
In case when Your application accepts HTTP traffic and You want to make is secure (HTTPS); I suggest to try TLS termination with kubernetes ingress.
Kubernetes documentation has great explanation how to configure TLS termination. With ingress object You can make Your HTTP service be accessible via HTTPS from outside of the cluster.
This means that connections made to service will be made in HTTPS and get decrypted to HTTP once internally in Your cluster before reaching the service.
Hope it helps.
Related
Requirement: To set up a Kubernetes service that is publicly accessible on browser on HTTPS
I browsed through the internet and everywhere I saw nginx-ingress which can give https url.
I have ingress setup and its working as expected
But my doubt is, this ingress will only run on my local, as I make the changes in /etc/hosts file of local? How can I make https url publicly accessible? I want my load balancer service to be accessed publicly with HTTPS. I have my application running on GKE Cluster. Please guide
What is the easiest way to route an externally hosted domain to my VM instance on GCP (with a fixed IP) and connect over HTTPS? Currently only HTTP works, forwarded via the entry in the A Records. Which service is best suited for this on GCP? I am happy about every suggestion.
You can point your domain to VM via adding A record in DNS. For managing the https you can setup the nginx or apache and generate or add the SSL/TLS certificate there.
For generating free SSL/TLS certificate you can use : https://certbot.eff.org/
it's easy to manage and install the SSL/TLS certificate with certbot also it's having functionality of auto-renewal of certificates.
Thank you very much. Certbot looks good. :)
A) Currently I have the following configuration:
Domain at Active24 (A record points to server)
Server is Alfresco on a VM instance on GCP
Server is Apache Tomcat on Debian 9
I can manage on the command line, but it's not my daily business.
I installed Certbot and had the certificate installed (sudo certbot --apache)
B) Now, after installing Certbot, here's the situation:
When I open the URL/Domain I get to the Alfresco Login Screen. Browser does not show HTTPS.
After entering my login data, HTTPS appears, but I cannot access the Share environment. Instead I see an Alfresco error page with a button to return to the dashboard.
When I click on the "Back to Dashboard" button, I return to the login screen.
I think I still have to configure Apache to forward to the appropriate destinations. But I can't find any instructions for this.
C) My next questions are:
Did Certbot install an additional server as a proxy, or did it configure the existing one?
In which directory do I find the appropriate server settings?
Thanks a lot!
When installing ASP.NET Core apps on a windows machine, I used to install the websites within IIS, I used the bindings there to route depending on the URL to the correct web application and I used Letsencrypt to create the SSL certificates.
Now I want to start shipping my applications using Docker. The samples show, how to easily create an ASP.NET Core dockerized project, but that's where most of them end. So in the end I've got an ASP.NET application in my docker running listening on port 5000.
Are there any suggestion or resources showing how to set it up on a production system?
multiple web sites listening on the standard ports 80 and 443 and forwaring to the correct docker image
SSL certificate handling
Setup ngingx as a front end. It is world-class solution, used by top-traffic sites as a front-end for incoming requests.
Among other features it does:
Redirecting based on plenty of rules
SSL management (you can use unencrypted connections behind it)
Load balancing
It is free and available as docker image.
So, you open only ngingx outside your docker network, and make it route all your traffic inside.
Setup reverse proxy like nginx, even in IIS also you redirect to corresponding docker service having a particular port. You can fan out traffic to respective ports.
Image: https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/
As the title says i'd like to deploy from VS2010 AWS toolkit or Jenkins (preferably) an ssl cert to the website running on AWS Win2008/IIS7. Either as a redeployment or new deployment.
I've looked around and there's nothing on this, why? Appears to be possible with ElasticBeanstalk but that's not what i'm running at this stage.
Is it impossible and i'm silly for not knowing that?
If so what options do i have? I'm new to AWS so open to all suggestions!
There is no way to deploy a cert to an EC2 instance from VS2010. I don't believe IIS provides a command line utility to import a certificate, so it would be tough for the AWS toolkit to bootstrap that for you. If you ever get into Cloud Formation, you may find a way to do it with cfn-init and PowerShell. Importing a cert to a Windows instace on bootup and creating an https binding that uses that cert is not something that's going to be quick to set up.
With Elastic Beanstalk, you don't have to deploy your certificate to your instances, you just have to import it to IAM, and then specify the imported certificate when you start beanstalk. Your instance can communicate with Beanstalk's load balancer via http port 80, or you can use a self signed cert on your instance to secure communication between the instances and the load balancer.
I have a Windows/.NET elastic beanstalk instance with an SSL cert setup on the load balancer. By default this creates a port forwarding from https/443 to http/80. I would like to have 443/https on the load balancer forward to 443 https on the beanstalk instance.
I was trying to do what is documented here:
I reconfigured the corresponding EC2 instance EC2-->Load Balancers-->Listeners so that HTTPS forward to HTTPS configured with my SSL cert, the problem is when I try and make an HTTPS request after that it just times out. It seems like the ElasticBeanstalk instance doesn't like me modifying the EC2 Listeners.
Any ideas?
To get SSL to work in between the LoadBalancer and the Elastic beanstalk I need several things:
Configure the EC2 LoadBalancer to forward port 443 to port 443 (on SSL). I already had this part in the question above.
Configure the IIS on the EC2 instance like any other site with SSL:
a). Install SSL Cert on EC2 instance in IIS.
b). Add https/443 binding with the SSL cert.
The problem was I was expecting #2 for free. On Windows Azure this is pretty much free when you configure certificates on your instance, but as of now this is not the case on AMZN ElasticBeanstalk for windows.
I also would expect #2 to be scriptable so I could scale up or down instances without have to manually do #2. I was looking for some easy way to tie in power-shell scripts on my EB instances but they apparently don't have this feature either.
My final solution was to create a custom vm images (AMI) with the SSL cert installed an the https binding already added. If I do this I can deploy the ElasticBeanstalk image with my SSL stuff already setup. Doing this then allows me to scale up or down without any configuration.
This was a particular problem for me with my ASP.NET MVC project with various OAuth providers. Basically anything that should use https was broken under Elastic Beanstalk. I tried coding around it by looking for the X-Forwarded-Proto HTTP header, but it was pretty nasty. So I really wanted SSL straight through to my EC2 instances.
It probably took me 3h to figure out how to do this without using an AMI, so hopefully this helps someone.
I've previously tried the custom AMI approach and, though it works, it presents two problems:
I have to patch and maintain my own AMI which is time consuming. If I use a standard image, I can just rebuild the environment when a newer image is available.
I can't source-control my configuration settings - they are just embedded in an opaque AMI somewhere in the cloud.
I adapted this from this post.
First of all, you need to add a directory to the root of your visual studio web project called: .ebextensions.
Inside it, create a text file called environment.config - we're going to use YAML here, so don't edit it in Visual Studio in case it thinks it's an Application Config file and adds tabs - YAML is whitespace sensitive. The syntax for the file is documented on Amazon.
My file has a bunch of other settings for tuning IIS, but the relevant bit looks like this:
container_commands:
site_add_ssl_binding:
command: PowerShell -ExecutionPolicy Bypass -File "C:\\inetpub\\wwwroot\\.ebextensions\\ssl.ps1"
This will execute a custom PowerShell script called ssl.ps1. So let's create that inside the .ebextensions directory:
# If there is no existing SSL binding
if ( -not(Get-WebBinding "Default Web Site" -Port 443) ) {
# Import the .pfx file into the certificate store
$securepwd = ConvertTo-SecureString -String "YOUR_PFX_PASSWORD_HERE" -Force -AsPlainText
$cert = Import-PfxCertificate -FilePath C:\inetpub\wwwroot\.ebextensions\my-certificate.pfx cert:\localMachine\my -Password $securepwd
# Create site binding in IIS
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
New-Item IIS:SslBindings\0.0.0.0!443 -value $cert
}
When executed, this command will import a .pfx file into the certificate store, and then create the SSL binding on port 443 of your website.
With the original code that I referenced, I had all kinds of issues with dodgy character encodings. So if you copy/paste this sample and it doesn't work, you can test it by remoting into your EC2 instance, opening a command prompt and executing the command directly: PowerShell -ExecutionPolicy Bypass -File "C:\inetpub\wwwroot\.ebextensions\ssl.ps1"
You'll need to add your .pfx file to the .ebextensions directory too. In Visual Studio, make sure that all of the files are included in the project, and have a Build Action of Content (tip select the file in the Solution Explorer and press F4). The solution explorer should look like:
web-project.csproj
.ebextensions
environment.config
my-certificate.pfx
ssl.ps1
...
Then using the AWS Toolkit for Visual Studio, right-click on your project and select Publish to AWS and follow the prompts. This will upload your deployment package to your Elastic Beanstalk environment, and install it. Your customisations will be executed during a deployment, or whenever a new EC2 instance is provisioned.
Following a successful execution, the .ebextensions directory gets deleted.
If you don't want to include the .pfx file inside your Visual Studio project, the original example uses PowerShell to download the .pfx file from an S3 instance. You can also avoid embedding the password in the .ps1 by referencing an Elastic Beanstalk environment variable.
To get this working end-to-end you'll also need to:
Configure your load-balancer to forward 443 traffic to port 443 on your EC2 instances - the default switches to port 80.
Configure the security group out of the load-balancer to allow 443 traffic.
Configure the security group into the EC2 instances to allow 443 traffic.
With some instance types, you can configure Elastic Beanstalk app servers via configuration files. You can use this technique to enable SSL.
See Serve HTTPS From Elastic Beanstalk Application Instances for example configuration.