I am running a Spring Boot application in EC2. I want to make the API calls as HTTPS instead of HTTP.
This is what I did:
Brought a domain in godaddy and configured it in Route 53.
Created a cert from AWS certificate manager.
Created a Load Balancer and added the cert.
In route 53 directed my traffic to ELB.
Above things are working fine now. I have only one instance. Use of ELB is only for SSL. But I want to get rid of ELB as it is costing me more
Is there any other way I can make the API calls as HTTPS for spring boot application running on ec2 without ELB?
ELB can be quite expensive, and most of all useless if you have only one instance.
Try to put CloudFront in....well...front of your instance. You get the benefit of managing AWS certificates in the same way you are doing with the LB, and also you can take advantage of caching and edge locations.
You can also redirect Route53 to CloudFront, just add a CNAME to your hosted zone that reference the cloud front DNS.
Related
I have a Spring boot application deployed using AWS Elastic Beanstalk, im using S3 bucket for my angular app.
I have generated certifacate using aws certifacate manager and created CloudFront Distribution so my angular app is loaded on https.
The problem is I am calling a rest API from Https deployed Application to Http Rest API.
I keep getting this error:
Mixed Content: The page at "https://mywebsite.com" was loaded over HTTPS, but requested an insecure XMLHttpRequest 'http://myendpoint'. This request has been blocked; the content must be served over HTTPS.
I tried generating my own certificate in my spring boot application it worked locally but once deployed on elastic beanstalk web services doesnt respond.
any tip on how use https / beanstalk ?
The error message sums the problem clearly. It would be a huge security issue to allow unencrypted data transfer, for seemingly securely encrypted web page.
Moreover, you don't really want to do SSL termination on your instances, for performance reasons, you don't want to manually manage keys an so forth.
In your situation, I would advise setting up a CloudFront distribution in front of your ALB (which I assume you have). That will solve your problems immediately, as CloudFront will automatically setup a domain for you and will expose your endpoints via HTTPS. Afterwards if you decide, you can easily setup a custom domain and certificates.
Finally, I recommend reading this article to make sure you avoid common pitfalls when configuring ALB and CloudFront.
Best, Stefan
I deployed one web application to EB. I used Route 53 to redirect two domains to my application. On EB environment, it seems it only allows me to add one certificate to port 443 for my load balancer. Let's say my users only use my domain names to access my web application. How should I go about creating and adding SSL certificate(s) to secure the connections from those two domains to my application.
Yes, you can add. In the EB concole, you can add only 1 SSL cert. To add other ones, you have to do it directly in the EC2 console on your load balancer.
The load balancer used by your EB env supports multiple certificates. So you can add extra SSL certificates to your HTTPS listener.
Helpful information is below:
How do I add multiple SSL certificates to the Application Load Balancer in my Elastic Beanstalk environment?
How can I add certificates for multiple domains to an ELB using AWS Certificate Manager?
Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI
Elastic Beanstalk Add more than one ssl certificate
Alternatively, you can register multiple domains under one certificate.
In the EC2 console, you have an option (marked below) to modify the SSL certificates for your HTTPS listener:
Currently I have setup my web application on my 2 instance (ec2). Both instance have same web module and also SSL certificate.
And then I also have setup 1 load balancer for both instance for high availability.
But I was wondering on domain name part. Because both instance have different IP, and right now I only assign 1 IP instance into our domain provider.
So basically do I need provide both instance IP into my domain provider? Sorry I was newbie on this domain part :(
wasabiz, since you are a newbie, I would suggest going with AWS Beanstalk path.
To answer your question.
You can use Route53 to create/import your domain Name. The domain can point to DNS name of the Loadbalancer. From there LB will route the traffic to your EC2 instances. You need to introduce the autoscaling layer and move the EC2 instances inside it. So that the auto scalaing requirements can be fulfilled. All these options are configurable in AWS BeanStalk.
You have options to generate TSL certificates in AWS which is free to be used in AWS infrastructure. Otherwise, if you already have a certificate, you can import the certificate into AWS through AWS Certificate Manager and use it where ever needed, eg:load balancer.
I'm building a small web application for a personal project. It will be an Angular web application which will talk to a Spring-Boot service layer which in turn will read/write stuff to MongoDb.
I hope to host all this on a single EC2 instance in AWS. My question is how to configure a web server (like Apache but doesn't have to be) to 'beautify' the URLs a bit. Example, without touching anything angular will run at something like host:4200 and the service layer at host:8080. I will then have to map a proper domain to host in AWS, but the hiding of ports etc is where it gets murky for me.
I want to be able to hit my web app at domain.com (no ports etc) and I also want my service layer to ideally have a similar setup e.g. domain.com/service (no ports etc).
How do I configure a webservice to do this for me? Examples or pointers to specific examples would be ideal, but even a pointer to the right documentation will be helpful.
This thread is kind of similar to what I want but not too helpful: How to deploy Spring framework backend and Angular 2 frontend application in any online server?
You can use a setup with AWS CloudFront as reverse proxy and CDN cache. You can map the Domain Name and SSL Certificates(You can use AWS issued free SSL Certificates through AWS Certificate Manager) to CloudFront while the EC2 instance is plugged as an origin behind CloudFront as shown in the following diagram.
In the diagram I have optionally added, which is a common practice in designing applications in AWS.
Hosting the Angular App in S3
Using Autoscaling & Loadbalancing for EC2 instances.
You need to use Apache or other web server as a reverse proxy. Start here -
https://devops.profitbricks.com/tutorials/configure-apache-as-a-reverse-proxy-using-mod_proxy-on-ubuntu/
You then will need to setup a custom domain name. The easiest option is to just use an ELB (now called Classic Load Balancer). More details are here -
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-domain-names-with-elb.html
I'm running into this problem trying to link my Godaddy domain with an AWS Elastic Beanstalk instance. I found a lot of documentation on how to link an EC2 instance with a domain on Godaddy but not for Elastic Beanstalk instance. So I ended up with this URL: www.MY_SITE.elasticbeanstalk.com
Here is what I did for an EC2 instance:
I updated the Nameservers on my Godaddy domain with the ones from my Route 53 Hosted Zone.
I created a new Elastic IP on the EC2 console.
I went back to Godaddy and updated the DNS A # field from their DNS Manager, with the EC2 Elastic IP one.
You normally have to wait 1h to 48h and it should work.
How can I do the same for a AWS Elastic Beanstalk instance, not an EC2 one? I can't see the instance I created from my EC2 console in order to link it to an Elastic IP.
Hope this is clear enough.. Any help?
No need to create a CNAME or do any forwarding - this is bad from the point of SEO and not recommended by Amazon. Even you should not point a record to IP directly - it will cause a lot of troubles in the future because IP can be changed any moment.
The most elegant way is to migrate DNS service from GoDaddy to Route 53. You still will be with GoDaddy, but handling requests for your site will be on Amazon's side.
Here is what you need to do:
Create a new Hosted Zone for your site in Route 53 console:
Open newly added domain name, find NS record and copy servers:
In GoDaddy's Domain Manager export records via "Export Zone File (Windows)".
Import those records to Route 53 ("Import Zone File" button).
In GoDaddy's Domain Manager set custom DNS nameservers, obtained on the 2nd step:
Migrating might take some time (even days).
Now you can link you domain with your Elastic Beanstalk site. To do so select/create proper A record type in Route 53 and set Alias for it:
Here's what I did when I was facing the problem of linking a GoDaddy domain with AWS ElasticBeanstalk.
DNS Manager:
A record #: 64.202.189.170 (that is GoDaddy's forwarding IP btw)
Cname www: AWS EB domain (e.g. awseb-xyz.us-east-1.elb.amazonaws.com)
Forwarding:
Forward Domain to www.example.com (forward only, without masking)
Forward Subdomain to AWS EB domain (e.g. awseb-xyz.us-east-1.elb.amazonaws.com) (with masking)
In order to access the site without www (e.g. http://example.com), I had to set up the forwarding of the domain to the www cname. This www cname then gets forwarded to the AWS EB domain (with masking in order to keep www.example.com in the address bar).
You should add a CNAME record to your Godaddy domain name that maps from www.yourGoDaddyDomain.com -> MY_SITE.elasticbeanstalk.com.
That will direct requests to your domain name to the load balancer that is running in your elastic beanstalk environment. You don't want to route your domain name to a specific server (i.e. an elastic IP), you want it to go to the load balancer and that will route requests to your server(s). Since AWS Load balancers don't use IPs (they use domain names), you don't want to set up an A record for this - a CNAME record maps domain names to domain names.
Look at the "Adding or Editing CNAMEs" section of the GoDaddy documentation on how to do this.
Your route53 configuration has to point to the load balancer, not the ec2 instance