SSL Cert for Multiple Dynamic Elastic Beanstalk Environments

I'm basically trying to set up review apps where our CI spins up a review app such as review-app-<tag>.review.ourdomain.com on a push to a git branch.
Our CI spins up a new Elastic Beanstalk environment per review app. I currently have a wildcard SSL cert hooked up to our domain, which works properly.
Now I need to figure out how to get HTTPS to work for our review apps. One solution would be to leverage Cloudflare's API to add DNS records that point review-app-<tag>.review to the appropriate Elastic Beanstalk instance's load balancer. However, DNS sometimes takes a while to propagate, so it's not a great solution, especially for CI workflows.
How can I get this to work without modifying DNS records? Is there a hack that could be put in place by modifying our Nginx config or by using a shared Application Load Balancer?
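One way to do this with the shared Application Load Balancer mentioned in the question: put the wildcard cert on the ALB's HTTPS listener once and add a host-header rule per review environment, so nothing changes in DNS per app (the existing wildcard record already resolves to the ALB). The following is an added example, not code from the original post. It checks that a hostname is actually inside the wildcard cert's scope (a wildcard covers exactly one label), validates the CI tag before it becomes a Host-header match value, picks a free rule priority and builds the rule in the shape of boto3's `elbv2.create_rule()` keyword arguments. The listener and target group ARNs, the `review.ourdomain.com` base and the rule dict shape are assumptions.

```python
"""Host-based routing on a shared Application Load Balancer for review apps.

Added example for the question above; not code from the original post. The
listener, target group and certificate names are made up, and the rule dicts
are shaped as keyword arguments for boto3's elbv2.create_rule(), which is an
assumption about how the caller submits them.
"""
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (possibly '*.example.com') matches hostname.

    A wildcard matches exactly one label in the leftmost position, so
    '*.review.ourdomain.com' covers 'x.review.ourdomain.com' but neither
    'a.b.review.ourdomain.com' nor 'review.ourdomain.com' itself.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                      # '.review.ourdomain.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(_LABEL_RE.match(leftmost))


def review_hostname(tag: str, base: str = "review.ourdomain.com") -> str:
    """Build review-app-<tag>.<base>, refusing tags that are not a clean DNS label.

    CI tags come from branch names, so validate them before they become a
    Host-header match value or part of a URL.
    """
    label = f"review-app-{tag.lower()}"
    if not _LABEL_RE.match(label):
        raise ValueError(f"tag {tag!r} does not yield a valid DNS label")
    return f"{label}.{base}"


def next_priority(existing_rules) -> int:
    """Lowest unused rule priority (ALB rules need a unique integer priority)."""
    used = {int(r["Priority"]) for r in existing_rules if r["Priority"] != "default"}
    priority = 1
    while priority in used:
        priority += 1
    return priority


def host_rule(listener_arn, hostname, target_group_arn, existing_rules, cert_name) -> dict:
    """Keyword arguments for elbv2.create_rule() forwarding one review host."""
    if not wildcard_covers(cert_name, hostname):
        raise ValueError(f"{hostname} is not covered by certificate {cert_name}")
    return {
        "ListenerArn": listener_arn,
        "Priority": next_priority(existing_rules),
        "Conditions": [{"Field": "host-header",
                        "HostHeaderConfig": {"Values": [hostname]}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


# Default action for the HTTPS listener: an unknown Host header gets a 404
# instead of being forwarded to whichever environment happens to be first.
DEFAULT_ACTIONS = [{"Type": "fixed-response",
                    "FixedResponseConfig": {"StatusCode": "404",
                                            "ContentType": "text/plain",
                                            "MessageBody": "unknown host"}}]

# Constructed sample: rules already on the listener (priorities 1 and 2 taken).
SAMPLE_RULES = [
    {"Priority": "1", "Conditions": [], "Actions": []},
    {"Priority": "2", "Conditions": [], "Actions": []},
    {"Priority": "default", "Conditions": [], "Actions": []},
]

if __name__ == "__main__":
    host = review_hostname("feature-42")
    rule = host_rule(
        "arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/shared/abc/def",
        host,
        "arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/feature-42/0123",
        SAMPLE_RULES, "*.review.ourdomain.com")
    print(rule)   # Priority 3, host-header condition for review-app-feature-42.review.ourdomain.com
```

Submit the result with `elbv2.create_rule(**rule)` and set the listener's default action to `DEFAULT_ACTIONS` via `elbv2.modify_listener(ListenerArn=..., DefaultActions=DEFAULT_ACTIONS)`, so a request with an unknown or spoofed Host header gets a 404 rather than being forwarded to whichever environment the default rule points at; delete the rule when the review environment is torn down.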

Related

Can I access a full list of cloudflare tunnels through their dashboard?

I have some tunnels created through the CLI on several local servers.
Their domain names are shown in Cloudflare DNS settings as "managed by a cloudflare tunnel".
However, in Access -> Tunnels I do not see their domain names listed.
Are CLI-created tunnels accessible anywhere in their Web GUI?
When created using the CLI, you will see the tunnels in the GUI but not the ingress hosts listed in the tunnel's config.
If you want to get them in the GUI, you will need to migrate the config so that it is hosted on CF.
Bear in mind that the migration process is one way only (once hosted, you cannot reverse the process).
This shouldn't be a problem unless you're using free TLDs (like .tk, .ga, .ml and the like), because all these TLDs are excluded from the CF API and consequently you will not be able to manage them from within the GUI.

It's possible to use a dynamic route in the nginx ingress controller?

Our services use a K8s Service with a reverse proxy that receives requests for multiple domains and redirects them to our services; additionally, we manage SSL certificates issued by Let's Encrypt for every user that configures their domain in our service. In summary, I have multiple .conf files in nginx, one for every domain that is configured. It works really well.
But now we need to increase our level of security and availability, and we are ready to configure the Ingress in K8s to handle this problem for us, because it is built for it.
Everything looked fine until we discovered that every time I need to configure a new domain as a host in the Ingress, I need to alter the config file and re-apply it.
So that's the problem: I want to apply the same concept that I already have running, but in the nginx ingress controller. Is that possible? I have more than 10k domains up and running; I can't configure them all in my Ingress resource file.
Any thoughts?
In terms of scaling, Kubernetes should be fine with 10k domains configured in an Ingress resource. You might want to check how much storage you have on the etcd nodes to make sure you can store enough data there.
The default etcd storage is 2 GB, but if you keep increasing the number of domains it's something to keep in mind.
You can also refer to the K8s best practices when it comes to building large clusters.
Another practice is to use apply, not create, when changing the Ingress resource, so that the changes are incremental. Furthermore, if you are using K8s 1.18 or later you can take advantage of Server Side Apply.
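As an added example (not code from the question or from the ingress-nginx project), one way to keep this manageable at 10k domains is to generate one small Ingress object per domain rather than one Ingress listing every host: a change to a single customer domain then touches only one object, and no single object grows toward etcd's default 1.5 MiB request limit. The script below emits a v1 List of such Ingresses as JSON, which kubectl accepts since JSON is valid YAML. It assumes ingress-nginx as the controller and cert-manager with a ClusterIssuer named `letsencrypt-prod` issuing the per-domain certificates (the annotation values and issuer name are assumptions); the domains and service names are made up.

```python
"""Generate one Ingress per customer domain instead of one Ingress with 10k hosts.

Added example for the answer above; not code from the original question or from
ingress-nginx. Assumes ingress-nginx as the controller and cert-manager with a
ClusterIssuer named 'letsencrypt-prod' (both assumptions); service names, ports
and domains are made up.
"""
import json
import re

# RFC 1123 hostname: at least two labels of [a-z0-9-], joined by dots, <= 253 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def validate_domain(domain: str) -> str:
    """Lower-case and validate a customer-supplied domain before it reaches the API server.

    The result is also a valid DNS-1123 subdomain, so it can double as the
    object name and the TLS secret name.
    """
    domain = domain.strip().lower().rstrip(".")
    if "*" in domain or not _HOSTNAME_RE.match(domain):
        raise ValueError(f"rejecting domain {domain!r}")
    return domain


def ingress_for(domain, service, port=80, namespace="customers",
                issuer="letsencrypt-prod"):
    """A networking.k8s.io/v1 Ingress that terminates TLS for exactly one domain."""
    domain = validate_domain(domain)
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": domain,
            "namespace": namespace,
            "labels": {"app.kubernetes.io/managed-by": "domain-sync"},
            "annotations": {
                # cert-manager issues a certificate into the secret named in spec.tls
                "cert-manager.io/cluster-issuer": issuer,
                "nginx.ingress.kubernetes.io/ssl-redirect": "true",
            },
        },
        "spec": {
            "ingressClassName": "nginx",
            "tls": [{"hosts": [domain], "secretName": f"{domain}-tls"}],
            "rules": [{
                "host": domain,
                "http": {"paths": [{
                    "path": "/",
                    "pathType": "Prefix",
                    "backend": {"service": {"name": service, "port": {"number": port}}},
                }]},
            }],
        },
    }


def manifest_list(domain_to_service):
    """A v1 List that `kubectl apply --server-side -f -` accepts."""
    items = sorted(domain_to_service.items(), key=lambda kv: kv[0].lower())
    return {
        "apiVersion": "v1",
        "kind": "List",
        "items": [ingress_for(domain, service) for domain, service in items],
    }


# Constructed sample of the per-domain mapping the reverse proxy used to hold in .conf files.
SAMPLE_DOMAINS = {
    "shop.example.com": "tenant-a",
    "Blog.Example.org": "tenant-b",
}

if __name__ == "__main__":
    print(json.dumps(manifest_list(SAMPLE_DOMAINS), indent=2))
```

`python gen_ingresses.py | kubectl apply --server-side --field-manager=domain-sync -f -` applies the set incrementally with Server Side Apply, as the answer suggests, and a domain is removed with `kubectl delete ingress <domain>`. Customer-supplied domains are validated, and wildcards rejected, before they become object names, Host rules or TLS secret names.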

Install Wildcard SSL Certificate on AWS Elastic Beanstalk

I'm not the most advanced AWS user there is, and have come across a bit of a roadblock.
I've got 2 Elastic Beanstalk environments, each with a load balancer and 2 EC2 instances, and they share an RDS instance. One environment is for Development and the other for Production.
I have purchased a wildcard SSL certificate from Thawte, and would like to install it on both the Development and Production environments. I've gone through other threads about adding SSL certificates in AWS, but the admin interface has changed since they were written so I've been going round in circles trying to figure it out.
Also, do I install the same SSL certificate on both Load Balancers? Or is it a case of only having one load balancer and redirecting traffic depending on the domain?
Thanks
You will need two load balancers, one for each environment. For uploading the certificate, it sounds like you are creating your Beanstalk environment through the console. In that case, after you create the environment, go to the EC2 tab, then 'Load Balancers', then 'Listeners'. Edit that and change the protocol to HTTPS. You'll see there is a place to change the certificate:
That will give you a place to upload the certificate:
Now that the cert is there, you can use the Elastic Beanstalk configuration to change future environments to use that cert:

forwarding HTTPS from Plesk to AWS EC2

I'm quite new to setting up and managing websites, domains and the like.
I purchased a domain (let's say example.de) and registered it on my vserver running Parallels Plesk. As I need secure access, I requested and created an SSL certificate at startssl.com. The developed application (Spring Boot) runs on an EC2 instance at AWS. The product website runs on an Apache web server on an EC2 instance. I need to secure both the app (app.example.de) and the website (example.de) using SSL.
What I want to achieve is a redirect from the domain https://example.de to the EC2 instance. I already tried several things; some I remember from the trial-and-error marathon:
Configuring Plesk frame-forwarding of the traffic on https://example.de to the EC2 IP
Obviously the browser warns me that the certificate is issued for example.de and not for and classifies the traffic as insecure. Same as when accessing it like https://...
I also uploaded the certificate to Plesk, also without success.
Is there a solution for my setup? Or do I need (or is it recommended) to use Amazon Route 53 for that task? It would be nice if someone could guide me and provide some tips, as I am pretty new to these topics.
Thanks
It seems there is no way around AWS Route 53.
I figured out that there is an extension for Plesk that is designed to route traffic using Route 53, and even a nice manual article on the Plesk homepage on how to use any external DNS and also the Route 53 extension. As this extension requires a newer version of Plesk than the one I am using, I wasn't able to install it. I am pretty much bound to this version, so an update didn't come into question. I cannot tell for sure whether using this extension solves my initial problem, but it seems to be a potential solution.
The simplest solution (at least for me):
I ended up moving my domain to AWS, created a hosted zone, added a record set with the IP of the EC2 instance and the DNS servers provided by the hosted zone. Everything is now working like a charm.
Some more background: the product website and app frontend are running inside an Apache where I installed mod_ssl and configured SSL access. The application backend runs as a Spring Boot app in a Tomcat where I also configured SSL using a TomcatConnectorCustomizer.
This setup works for my scenario

HTTPS not working (on AWS Elastic Beanstalk based site)

The site works perfectly fine on HTTP, however, does not work on HTTPS.
I've followed all the steps on this page to create a self-signed certificate and add it to my Elastic Beanstalk environment:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
I'm also getting a successful certificate response back from IAM using the following command:
aws iam get-server-certificate --server-certificate-name
After updating Elastic Beanstalk with the certificate, I've also added a rule to the security group that allows inbound traffic from 0.0.0.0/0 to port 443.
Finally, I've also validated that my load balancer listener has HTTPS set up correctly.
In spite of all that, my calls to https are not resolving, while http is working perfectly fine.
Any other thoughts on this? Any help would be much appreciated.
Please let me know if you need any more information. Desperately looking for some insight/help into this.
Anyway, not being able to resolve this issue with my site/code, I tried to set up HTTPS on the sample site provided by Elastic Beanstalk. Interestingly enough, even that is not working.
I want to provide an update that I was finally able to resolve the issue.
The root cause was that I missed setting up an inbound rule for the security group of the load balancer.
For whatever reason, when I read the documentation, I understood that the inbound rule needed to be set up for the security group of the instance (and not the load balancer). Only after I started tracing the load balancer did I realize that I should perhaps try setting up the rule for the security group of the load balancer. So, the problem is resolved. Below is the listener setting I used.
Load balancer protocol: HTTPS, port 443; instance protocol: HTTP, port 80; certificate: <name of the certificate>
I'd have to say that the documentation could be clearer in identifying the change required to the security group of the load balancer (and not the instance).
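The answer's root cause, checked offline as an added example (not code from the original post): for an ELB that terminates TLS, the rule that matters is inbound tcp/443 on the load balancer's own security group, plus a rule on the instance group admitting the load balancer group on the instance port (80 here, since the instances only ever see HTTP). The sample load balancer and security groups are constructed in the shape of boto3's `elb.describe_load_balancers()` and `ec2.describe_security_groups()` output, with made-up names and IDs, and reproduce the misconfiguration described above.

```python
"""Offline check of the three things that must line up for an Elastic Beanstalk
(Classic ELB) HTTPS listener to answer: a 443 listener with a certificate, an
inbound 443 rule on the load balancer's own security group, and a rule on the
instance security group admitting the load balancer on the instance port.

Added example for the answer above; not code from the original post. The dicts
are constructed samples in the shape of boto3's elb.describe_load_balancers()
and ec2.describe_security_groups() output; names and IDs are made up.
"""

LB_SG = "sg-0lb0000000000001"
INSTANCE_SG = "sg-0ec2000000000001"

LOAD_BALANCER = {
    "LoadBalancerName": "awseb-e-sample",
    "SecurityGroups": [LB_SG],
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80,
                      "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/sample"}},
    ],
}

# The load balancer group still only admits 80: the misconfiguration described above.
# The instance group got the 443 rule the poster added first, which helps nothing
# because the ELB terminates TLS and talks plain HTTP/80 to the instances.
SECURITY_GROUPS = {
    LB_SG: {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    INSTANCE_SG: {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LB_SG}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
}


def _admits(perm, port, *, cidr=None, source_sg=None):
    """True if one IpPermission entry admits TCP `port` from the given source."""
    proto = perm["IpProtocol"]
    if proto != "-1":                      # "-1" means all protocols and ports
        if proto != "tcp" or not perm["FromPort"] <= port <= perm["ToPort"]:
            return False
    if cidr is not None:
        return any(r["CidrIp"] == cidr for r in perm.get("IpRanges", []))
    return any(p["GroupId"] == source_sg for p in perm.get("UserIdGroupPairs", []))


def https_listener(lb):
    """The listener serving HTTPS on 443, or None."""
    for desc in lb["ListenerDescriptions"]:
        lst = desc["Listener"]
        if lst["Protocol"] == "HTTPS" and lst["LoadBalancerPort"] == 443:
            return lst
    return None


def diagnose(lb, groups, instance_sg):
    """Return (blockers, warnings); empty blockers means HTTPS should be reachable."""
    blockers, warnings = [], []
    lst = https_listener(lb)
    if lst is None:
        return ["no HTTPS listener on port 443"], warnings
    if not lst.get("SSLCertificateId"):
        blockers.append("HTTPS listener has no certificate attached")

    # Internet -> load balancer on 443, on the load balancer's own group.
    lb_perms = [p for sg in lb["SecurityGroups"] for p in groups[sg]["IpPermissions"]]
    if not any(_admits(p, 443, cidr="0.0.0.0/0") for p in lb_perms):
        blockers.append("load balancer security group does not admit tcp/443 from 0.0.0.0/0")

    # Load balancer -> instance on the *instance* port of the HTTPS listener.
    inst_perms = groups[instance_sg]["IpPermissions"]
    if not any(_admits(p, lst["InstancePort"], source_sg=sg)
               for sg in lb["SecurityGroups"] for p in inst_perms):
        blockers.append("instance security group does not admit the load balancer "
                        f"on tcp/{lst['InstancePort']}")

    # Least privilege: nothing outside the ELB needs to reach the instances directly.
    for p in inst_perms:
        if any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", [])):
            warnings.append(f"instance security group admits tcp/{p.get('FromPort')}-"
                            f"{p.get('ToPort')} from 0.0.0.0/0; scope it to the load balancer group")
    return blockers, warnings


def lb_https_ingress():
    """The missing rule, as an IpPermissions entry for ec2.authorize_security_group_ingress()."""
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}]}


if __name__ == "__main__":
    blockers, warnings = diagnose(LOAD_BALANCER, SECURITY_GROUPS, INSTANCE_SG)
    for b in blockers:
        print("BLOCKER:", b)
    for w in warnings:
        print("WARNING:", w)
```

Run against the sample it reports the missing load balancer rule as the one blocker and flags the world-open tcp/443 rule on the instance group as a least-privilege warning: with TLS terminated on the ELB, nothing on the internet needs to reach the instances directly, so that rule can be dropped. `lb_https_ingress()` is the entry to pass as `IpPermissions=[...]` to `ec2.authorize_security_group_ingress()` against the load balancer's group.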
Amazon recently released AWS Certificate Manager:
Go to https://console.aws.amazon.com/acm/home
Add your domain and validate it by email
After the certificate is issued, deploy it to your Elastic Load Balancers following the steps (and easily set up your security groups)
It's even better from a performance point of view:
Because ELB supports SSL offload, deploying a certificate to a load balancer (rather than to the EC2 instances behind it) will reduce the amount of encryption and decryption work that the instances need to handle.
Follow the doc for more information:
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
I can't believe this... but it goes to show how bad the AWS console is... I had to scroll down and click "Apply" on an invisible button when it showed "Pending create" after adding, making me think it was working... facepalm.
Hello, I had the same problem, and I followed these steps and it worked for me:
Generate a certificate
The first thing is to request a certificate on AWS Certificate Manager (ACM).
Take a look at this video to create a new one: https://youtu.be/bWPTq8z1vFY
Configuration of the Elastic Beanstalk
Go to Configuration -> Load balancer
and create a new listener:
In this step I get this:
Create a new record on Route 53
I use Route 53 to host my site.
Go to Route 53 -> select your hosted zone and create a new record.
Choose the alias option to select where to route traffic, in your case Elastic Beanstalk, your region and the name of your application.
This works if you use Route 53 and EB, but with other hosting providers I think it would work too.