Pointing Cloudflare CNAME to AWS ALB results in Error 522 - amazon-ec2

Setting up DNS on Cloudflare to point to an ALB on AWS. It seems when I make a CNAME record pointing to the DNS name of the ALB it fails with a 522 error.
When I do an nslookup on the DNS name of the load balancer, and change the records to A records with one of the IPs, everything works as expected. This solution is not going to work, since 1) I'm not taking advantage of the load balancing aspect of the DNS name, and 2) the IPs of the load balancer can change at any moment.
The load balancer has the same SSL certs as Cloudflare, and is using listeners with the host as the condition.
For example: test.domain.com forwards to one target group, and test2.domain.com forwards to a different target group.
Is there something I am missing with this kind of setup? Why would it be working when using an IP address, but not with the CNAME?
Update: Including example listener setup in Terraform:
resource "aws_lb_listener_rule" "nginx" {
  listener_arn = "${var.https_listener_arn}"
  priority     = 1

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.nginx.arn}"
  }

  condition {
    field  = "host-header"
    values = ["${var.frontend_host}"]
  }
}
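Cloudflare returns error 522 when its edge cannot complete a TCP connection to the origin, so the useful first check is whether every address behind the ALB's DNS name accepts a connection on 443 from outside the VPC, and whether a request carrying the Host header the listener rule matches on is then answered. The script below is an added diagnostic written for this page (not the asker's code and not anything published by Cloudflare or AWS): it resolves a name, and for each address does TCP connect, a TLS handshake with SNI and a GET with the Host header, classifying the result. The ALB name, the hostnames and the 203.0.113.x addresses are placeholders, and the resolver and connector are injectable so the classification logic can be exercised offline.

```python
"""Probe every address behind an ALB DNS name the way Cloudflare's proxy does:
TCP connect, TLS handshake with SNI, then a GET carrying the Host header that the
listener rule's host-header condition is matched against. A TCP connect timeout
on any of these addresses is what Cloudflare reports to visitors as error 522.
The resolver and connector are injectable so the logic can be exercised offline."""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ProbeResult:
    address: str
    tcp_ok: bool            # False when the TCP/TLS connection never came up
    status: Optional[int]   # HTTP status code, None when no response was read
    detail: str


def resolve_all(name: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Distinct IPv4 addresses `name` resolves to. Pass the ALB's own DNS name:
    a proxied Cloudflare record resolves to Cloudflare's edge, not to the ALB."""
    infos = resolver(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def parse_status(raw: bytes) -> Optional[int]:
    """Status code from the first line of an HTTP/1.x response, else None."""
    first_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def tls_http_get(address: str, port: int, host: str, timeout: float) -> bytes:
    """Real connector: TCP -> TLS with SNI=host -> GET / with Host: host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            return b"".join(chunks)


def probe(host: str, address: str, port: int = 443, timeout: float = 5.0,
          connector: Callable = tls_http_get) -> ProbeResult:
    """Classify one origin address. Exception order matters: TimeoutError,
    ConnectionRefusedError and ssl.SSLError are all subclasses of OSError."""
    try:
        raw = connector(address, port, host, timeout)
    except (socket.timeout, TimeoutError):
        return ProbeResult(address, False, None, "TCP/TLS timed out (Cloudflare would show 522)")
    except ConnectionRefusedError:
        return ProbeResult(address, False, None, "connection refused")
    except ssl.SSLError as exc:
        return ProbeResult(address, True, None, f"TLS handshake failed: {exc}")
    except OSError as exc:
        return ProbeResult(address, False, None, f"connect failed: {exc}")
    return ProbeResult(address, True, parse_status(raw), "ok")


def probe_all(host: str, name: str, resolver: Callable = socket.getaddrinfo,
              connector: Callable = tls_http_get, port: int = 443,
              timeout: float = 5.0) -> List[ProbeResult]:
    """Probe every address behind `name` with the given Host header."""
    return [probe(host, addr, port, timeout, connector) for addr in resolve_all(name, resolver)]


def unreachable(results: List[ProbeResult]) -> List[str]:
    """Addresses that never completed a TCP/TLS connection."""
    return [r.address for r in results if not r.tcp_ok]


if __name__ == "__main__":
    # Hypothetical names: substitute your ALB's DNS name and each host your rules match.
    for hostname in ("test.domain.com", "test2.domain.com"):
        for r in probe_all(hostname, "my-alb-123456.us-east-1.elb.amazonaws.com"):
            print(f"{hostname} via {r.address}: tcp_ok={r.tcp_ok} status={r.status} ({r.detail})")
```

Run it once per hostname the listener rules match and compare the status codes: a host that is routed to its target group should answer differently from one that falls through to the listener's default action. An address listed as unreachable points at a security group or network ACL on the ALB that does not admit connections from the source doing the probing; if every address is reachable from your own machine but Cloudflare still returns 522, check that the ALB's security group admits Cloudflare's published edge ranges rather than only your address.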

Related

EC2 instance with EIP in Public subnet not connecting to Internet

I have a strange problem wherein I am able to connect to an EC2 instance in a public subnet in AWS VPC using RDP and HTTP. However, after successfully connecting to the instance through RDP, I am not able to connect to the Internet (from the instance).
a) I created a non-default AWS VPC and associated an IGW to it. The address range of VPC is 10.0.0.0/16. A subnet with the address space 10.0.5.0/24 was created
c) In order to make the subnet public, I decided to retain the Main Route Table as it is and created an additional route table with the following entries:
10.0.0.0/16 local
0.0.0.0/0 igw
d) This route table was associated with the subnet 10.0.5.0/24. This makes it a public subnet
e) The NACL is set to allow:
INBOUND traffic HTTP (80), HTTPS (80), SSH (22), RDP (3389) for IPv4 and NACL
outbound traffic ALL TRAFFIC ALL PROTOCOL ALL PORT Range Destination 0.0.0.0/0
f) The security group settings are:
Inbound All traffic All All 0.0.0.0/0
Outbound All traffic All All 0.0.0.0/0
g) I created a single EC2 instance in the public subnet and assigned an Elastic IP (EIP) to it. I am able to connect to this using RDP and able to access the IIS Welcome page by typing the public DNS name of the EC2 in my local browser. However, from the instance, when I open IE and try accessing any popular websites I am not able to access the Internet. I always get a 'Can't reach this page'.
h) I disabled Windows Firewall and tried accessing the Internet. But still it didn't work.
i) The tracert output just shows Request timed Out in all the lines.
Any help would be appreciated.
Thanks and Regards
Govind
First, verify that the following conditions are met:
The route table in the instance's subnet has a default route to an internet gateway.
The security group attached to the instance's elastic network interface must allow outbound traffic on the following ports: port 80 for HTTP traffic, port 443 for HTTPS traffic.
Identify the network access control lists (ACLs) that are associated with the subnet that the instance is located on. These network ACLs must have rules to allow inbound and outbound traffic on ports 80 and 443.
You don't need to open all the ports to enable outgoing web traffic.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-connect-internet-gateway/
Finally I was able to fix this issue. I added
ALL TCP TCP (6) 0 - 65535 0.0.0.0/0 ALLOW
as an INBOUND rule in the NACL. Immediately I was able to access the Internet from the browser in the EC2 instance.
However, I am not convinced that all the ports should be opened to use a browser on an EC2 instance in the public subnet. Is there a better way to do this?
Can I consider setting up a forward proxy server as a solution for browser-based outgoing traffic as in this case? Please suggest.
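The reason the "ALL TCP" inbound rule fixed browsing is that network ACLs are stateless: the reply to an outbound connection to port 443 arrives as a separate inbound packet addressed to the instance's ephemeral source port, and an inbound rule list that only names 80, 443, 22 and 3389 has nothing that matches it. The script below is an added example written for this page (not from the thread, AWS, or any real account) that evaluates a NACL the way the VPC does, rule by rule in number order with an implicit deny, and runs an HTTPS flow through three constructed rule sets: the one described in the post, the "ALL TCP 0-65535" fix, and a narrower rule that admits only the ephemeral range 1024-65535 that AWS documents for this purpose. The 203.0.113.x and 198.51.100.x addresses are constructed test values.

```python
"""Stateless evaluation of a VPC network ACL, to show why a browser on an
instance in a public subnet cannot load pages until the *return* traffic
(remote:443 -> instance:ephemeral port) is admitted inbound, and how a rule
for the ephemeral range is narrower than 'ALL TCP 0-65535'. The rule sets are
constructed to mirror the configuration described in the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluated in ascending order; first match wins
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR for inbound, destination CIDR for outbound
    action: str        # "allow" or "deny"


def nacl_decision(rules: List[NaclRule], direction: str, protocol: str,
                  port: int, peer_ip: str) -> str:
    """Decide one packet. NACLs keep no connection state, so every packet in
    each direction is matched on its own; anything unmatched hits the implicit
    '*' rule and is denied. `port` is the packet's destination port."""
    peer = ipaddress.ip_address(peer_ip)
    candidates = sorted([r for r in rules if r.direction == direction],
                        key=lambda r: r.number)
    for rule in candidates:
        if rule.protocol not in ("all", protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if peer not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def https_flow(rules: List[NaclRule], remote_ip: str,
               ephemeral_port: int) -> Tuple[bool, bool]:
    """(outbound SYN to remote:443 allowed?, reply to our ephemeral port allowed?).
    A security group, being stateful, would admit the reply automatically;
    a NACL has to be told about the reply's destination port explicitly."""
    out = nacl_decision(rules, "outbound", "tcp", 443, remote_ip) == "allow"
    back = nacl_decision(rules, "inbound", "tcp", ephemeral_port, remote_ip) == "allow"
    return out, back


# Constructed to match the post: inbound 80/443/22/3389 only, outbound everything.
ORIGINAL = [
    NaclRule(100, "inbound", "tcp", 80, 80, "0.0.0.0/0", "allow"),
    NaclRule(110, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(120, "inbound", "tcp", 22, 22, "0.0.0.0/0", "allow"),
    NaclRule(130, "inbound", "tcp", 3389, 3389, "0.0.0.0/0", "allow"),
    NaclRule(100, "outbound", "all", 0, 65535, "0.0.0.0/0", "allow"),
]

# What the poster added: every TCP port inbound, which also admits 25, 445, 1433, ...
ALL_TCP_FIX = ORIGINAL + [NaclRule(140, "inbound", "tcp", 0, 65535, "0.0.0.0/0", "allow")]

# Narrower alternative: only the ephemeral range replies land on. AWS documents
# 1024-65535 for NACLs; Windows itself picks source ports from 49152-65535.
EPHEMERAL_FIX = ORIGINAL + [NaclRule(140, "inbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    remote, sport = "203.0.113.50", 49152   # constructed web server and source port
    for label, rules in (("original", ORIGINAL), ("all tcp", ALL_TCP_FIX), ("ephemeral", EPHEMERAL_FIX)):
        out, back = https_flow(rules, remote, sport)
        smb = nacl_decision(rules, "inbound", "tcp", 445, "198.51.100.7")
        print(f"{label:10s} outbound SYN={out} reply admitted={back} unsolicited 445={smb}")
```

The ephemeral-range rule is still not a per-connection control: any unsolicited packet to a port above 1023 also passes the NACL, so the instance's security group (which is stateful and can stay closed to everything but RDP) remains the control that matters for exposure. A forward proxy, as the poster asks about, moves the problem rather than removing it, since the proxy's own subnet needs the same return-traffic rule.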

Google Cloud Global Forwarding: Invalid value for field resource.IPAddress

I am trying to implement https support for my GCP VM. For the purpose, I created all the load balancing components i.e. instance group, health check, backend service, url map & target proxy. All were created without error.
However now when I am creating a global forwarding rule for the final step, I am getting the following error:
ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch
resource:
- Invalid value for field 'resource.IPAddress': '35.xxx.xxx.xxx'. Invalid IP address specified.
I am using the following command:
gcloud compute forwarding-rules create fa-global-fwding-rule-1 --target-https-proxy=fa-https-proxy-1 --ports=443 --global --address=35.xxx.xxx.xxx
(IP add digits masked with xxx)
What am I missing?
I already have a working VM instance through http where I had promoted its ephemeral address to a static address (above is the same address 35.xxx.xxx.xxx)
Also once I implement https support, I want the http connect to continue working as well so that my existing apis are not disturbed until I move them to https
Any advice/help?
GCP's load balancer does not check to see if the static IP you picked was regional or global. If you accidentally reserved a "regional" IP instead of a "global" IP, it throws that silly error:
Invalid value for field 'resource.IPAddress': '35.xxx.xxx.xxx'.
Invalid IP address specified.
I don't find any issues with your command; this kind of error is mostly observed due to an IP conflict, if the specified IP address is in use or not available. The forwarding rules map the IP address for your load balancer to the target proxy that will handle the requests. So first you will need to create your IP address, using this command:
$ gcloud compute addresses create my-address --global
And then create a forwarding rule. You will need a global, rather than regional, IP address for your HTTPS load balancer. Using this command:
$ gcloud compute forwarding-rules create my-https-forwarding-rule --global \
    --address 123.123.123.123 --ip-protocol TCP --port-range 443 \
    --target-https-proxy my-https-proxy
Can you confirm if you are using a global or a regional IP address?
For HTTP, you need to create a totally separate target HTTP proxy and forwarding rule for HTTP. You essentially need to have two load balancers to handle the traffic, and then actually redirect users in your application. Notice that we put the same IP address in for the HTTP forwarding rule. This makes it so that we can listen on port 80 and on port 443 at our IP address.

AWS Elastic Load Balancer not responding from Internet connection

I have created one EC2 instance (as part of the provision of a Tomcat Beanstalk instance). Now I need to configure HTTPS connection to the EC2 instance. As per the Beanstalk documentation, the easiest way is to configure a load balancer that interacts with browsers using HTTPS and that routes traffic to the EC2 instance using HTTP.
So I configured a load balancer under the EC2 management console. After the configuration, I tried to ping the public DNS name of the load balancer or the resolved IP address. The target is reachable but does not produce any response, as shown below:
$ ping 13.54.72.179
PING 13.54.72.179 (13.54.72.179) 56(84) bytes of data.
^C
--- 13.54.72.179 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6139ms
I carefully checked all the configurations, as per the load balancer configuration and trouble-shooting documentation. All seem to have been configured properly.
Target group: the target group has the healthy state in the monitoring tab.
VPC: the load balancer availability zone and the EC2 instance are in the same VPC zone. Also in the route table, there is an internet gateway associated to the 0.0.0.0/0 destination.
Load balancer listeners: both HTTP and HTTPS listeners are configured. The load balancer is also configured for internet-facing connection.
Security group for load balancer: for inbound traffic, both HTTP/HTTPS and TCP protocol are configured, accepting all sources; for outbound traffic, all protocols to all destinations are allowed.
Security group for EC2: for the purpose of testing, we enable all traffic for all sources in inbound traffic.
I researched a few forum threads about the "load balancer not responding" topic and checked the configurations they mentioned. However, none of them worked for me.
So I am at loss now. Can someone enlighten me where I might have missed in configuring the load balancer? Or what I need to do for trouble-shooting?

Using GeoIP on HAProxy

How do I connect HAProxy to the GeoIP database?
An example:
HAProxy determines the country and city from the client IP, and modifies HTTP headers for transmission to the backends:
reqadd X-Country:\ Country
I think what you want is something you should look for in a dynamic DNS, like Route 53, where it can detect the IP and route to the closest load balancer. You can, however, set up ACL requests in HAProxy. More in section 7 of the man pages: http://haproxy.1wt.eu/download/1.5/doc/configuration.txt

What ports should I open to use EC2 as a nameserver

I have an EC2 micro instance running with Amazon Linux. I installed bind and set up an entry for a certain domain, and it works fine if you are on that server and type:
nslookup the-domain.com localhost
but I can't get to it from external servers by typing
nslookup the-domain.com 10-10-10-10.compute-1.amazonaws.com
In my security group, I set it to allow incoming traffic on port 53 (both TCP and UDP) but still, nothing. Anyone know what I am missing?
Make sure you have this line in your named.conf global options. "any" here refers to any IP address; you could restrict access to specific clients by listing those IP addresses instead:
listen-on { any; };
For IPv6:
listen-on-v6 port 53 { any; };
The zones may also have restrictions placed using (the trailing semicolon after the closing brace is required by named.conf syntax):
allow-query { i.p.ad.rr; };