I have an instance listening on port 8080.
I want to create a load balancer to map 443 (ssl) to the instance port 8080 so that ssl terminates at the load balancer and traffic between the lb and the instance is not encrypted.
I have uploaded the ssl cert, created an HTTP load balancer but can't seem to figure out how to set up the forwarding like that.
Coming from AWS ELB, there's a simple way to do this, can't find a way to do it on Google Cloud Platform.
Any thoughts ?
Found it.
Create an instance group that has at least 1 live instance
Create http load balancer with the following:
Upload a SSL certificate
Create a backend service to point to the instance group. Make sure the protocol is HTTP
Create a target https proxy with the certificate you uploaded
Finally, create a global forwarding rule that points HTTPS to the target proxy you created before.
Related
I have a GCP instance group with 2 instances. Both are up and running. I want to configure a load balancer (HTTPS) to manage the traffic.
I've set up a forwarding rule with the HTTP-protocol and a certificate managed by google. This all works, but only when the traffic between the load balancer and the backend (the instances) is plain HTTP.
Steps I did so far
I create a template and this template is just a normal N1 series machine. I checked the boxes to create firewall rules for allowing http and https traffic.
I create a firewall rule named "allow-ports". This firewall rule targets all instances in the network, has a 0.0.0.0/0 IP-range and allow port tcp = 80, 443. How I see this, this firewall rule should open both the http (80) and https (443) port.
I create an instance group with port mapping. "http-port" = 80, "https-port" = 443. I use the template I just created.
When the instance group is created, I check if this is running. With SSH, I get access to the instances and install apache (sudo apt-get install -y apache2) on the both. When navigating to their external IP's in the browser, I see them both.
I create a HTTP(S) load balancer, with the option "From internet to my VMs". For backend configuration, I add a backend service with my instance group, protocol HTTP, named port "http-port". For frontend configuration, I set up the HTTPS protocol, create an IPv4 IP address, create a google-managed ssl certificate, and I'm done. I also added health checks btw.
Now... these steps work (after a few minutes). With the cloud DNS, I have set up a domain name which points to the IP address of the load balancer. When going to , I see the apache page.
What doesn't work?
When I change the backend configuration to HTTPS (and named port "https-port"), I get a 502 server error. So it seems to me that there is some connection, but there is an error. Could this be an apache error?
I have spent a whole day, creating and recreating instance groups, firewall rules, load balancers, ... but nothing seems to work. I'm surely missing something, probably something dumb, but I have no clue what it could be.
What do I want to achieve?
I do not only want a secure (HTTPS) connection between the client and my load balancer, I also want a secure connection between the load balancer and the backend service (the instance group). Because GCP offers the option to use the HTTPS protocol when creating a backend service, I feel that this could be done.
To be honest: I'm reading some articles about the fact that the internal traffic is secured, so a HTTPS connection is not necessary. But that doesn't matter to me, I really want to know how this works!
EDIT
I'm using the correct VPC (default). I also edited the firewall rule from 0.0.0.0/0 to 130.211.0.0/22 and 35.191.0.0/16 (see: https://cloud.google.com/compute/docs/tutorials/globally-autoscaling-a-web-service-on-compute-engine?hl=nl#configure_the_load_balancer).
In addition to my previous comment. I followed your steps at my test project to find out the cause of your issue. I installed the same configuration and checked it with HTTP at the back-end. As it was expected, I found no errors. After that, I installed SSL certificates to the back-end and to the load balancer. Then I switched my back-end, load balancer and health checks to HTTPS and disabled HTTP at the back-end. At this point, I found no errors also.
So, I decided to get 502 error in my test configuration in some way. I switched my health check at the load balancer to HTTP. A few minutes later I tried to reach my test service again and got 502 error. When I switched back my health check to HTTPS 502 error gone away.
During this test, I didn't change firewall rules, but allowed HTTP and HTTPS traffic in my instance template and I used default network.
I am very new to load balancers. I have just set one up that listens on SSL. I also created an EC2 instance and added it to the target group of the "Application Load Balancer". The target group is also connected by SSL.
I have installed apache on the EC2 instance and placed an index.html file in the /var/www/html directory.
I would have thought typing the load balancer associated domain address (www.example.com) would route me to the index.html file of the EC2 instance (which is the only target). However I am getting a Bad Gateway 502 error.
Initially I only had SSH inbound rule on the EC2. I opened up 443 for HTTPS but that didn't make a difference.
Do I need to install a certificate for the SSL on the EC2 as well as the load balancer? And do I need to open any additional ports?
Very new to this all and not sure how the load balancer communicates with the EC2 instance. Hoping that it would be internal so that the EC2 instance was not at all exposed in isolation.
So many things can go wrong here but (assuming that you have correctly configured the load balancer) I think what you have should work if you add HTTP listener to your load balancer, change your target group's protocol to HTTP (because the load balancer talks to the EC2 over HTTP), and then, add something like this to your .htaccess:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
You can read more here.
Install the SSL certificate on the load balancer instead of the EC2. The EC2 does not need its own SSL certificate.
Here are the steps to add HTTPS to a application load balancer:
When you try to set up HTTPS inbound to the load balancer it will give you a section called "ACM" click into that to get a SSL certificate
The ACM page will give you a section to create a new SSL certificate. You will need to input the domain name and some details, afterwards it will give you a CNAME record. You need to go to your domain's DNS settings to add that new CNAME record.
Once you create a SSL certificate with ACM you'll be able to use that on the load balancer, go back to the HTTPS listener and use that new SSL certificate
Then make sure your load balancer security group allows inbound to 443 port.
After that https should work on the load balancer
Note:
I would only set up https after I get http working first on the load balancer and it is directing to the right ec2.
Since the target group for http and https is the same, you want to make sure the target group is working before messing around with https.
That way you won't have two problems to deal with at the same time (https + incorrectly configured target groups/http). It'll allow to tackle each item step by step.
Hope that helps!
I have a windows 2012 server and have applied an SSL certificate following godaddy's guide:
https://uk.godaddy.com/help/iis-7-install-a-certificate-4801
I have applied the binding on the site in IIS however when I try to view the https site I get "refused to connect".
I have updated the firewall setting to allow port 443.
Any ideas?
It was due to my site using a load balancer.
An additional load balancer for port 443 was required.
Anyone using rackspace will find this useful:
To allow secure traffic you would need an additional load balancer
allowing traffic on port 443, with a shared VIP with the current one.
https://support.rackspace.com/how-to/configure-a-load-balancer/
I'm trying to figure out the best way to manage HTTPS for an EB docker application.
At the moment I'm using the following approach.
ELB accepts HTTPS connections on 443, and forwards to HTTP port 80 on the instance.
ELB accepts HTTP connections on 80, and forwards to HTTP port 8080 on the instance.
Instance accepts HTTP connections on port 80 and forwards to docker app.
Instance accepts HTTP connections on port 8080 and redirects them to HTTPS.
This all works reasonably well. It means the docker app doesn't have to worry about redirects at all. It just listens on port 80, and does it's thing. The ELB and docker host do the rest.
My only concern with this setup, is the docker app doesn't know that it's running secure. If within my application I check for this, it'll fail.
I want to completely separate my docker app from domain names, and SSL certificates that may change, so I would prefer to continue terminating the original HTTPS connection at the ELB. I'm wondering if there is some way I can get the docker host (or ELB) to forward (re-encrypt) request in HTTPS protocol, but using a self-signed certificate, so I can keep it completely generic.
Just to be clear, this would only be between the ELB and/or docker host, and my docker app, not to the browser.
If I create a non-expiring self-signed certificate, and then register this with the web-server in the docker app (currently using Apache2, but could potentially use nginx), and then simply tell the ELB, or docker host to forward requests as HTTPS, will this work? Or would it fall over at some point because the certificate isn't trusted?
Or is there some way to be able to terminate a HTTPS connection at the docker app web-server without actually needing to pre-generate a certificate (I'm guessing no on this, as presumably it'd need to generate a certificate on the fly or something).
Is there a recommended best practice way to do this kind of thing?
A common solution when you have a load balancer terminating client connections and forwarding to backend is for the load balancer to add headers onto the backend requests to fill in any information stripped by having the load balancer there.
ELB has a page on this and uses the following headers:
X-Forwarded-For - The client IP
X-Forwarded-Proto - The scheme/protocol
X-Forwarded-Port - The incoming port.
You would generally not allow these headers directly from the client, unless they were a trusted client. I assume ELB takes care of that for you.
I have a standard Elastic Beanstalk app set up and running great over HTTP. There is one EC2 instance (for now), and the domain is configured with a CNAME pointing to the load balancer. Following the instructions in the AWS documentation, I inputted the SSL certificate and configured the load balancer as such:
Load balancer protocol: HTTPS
Load balancer port: 443
Instance protocol: HTTP
Instance port: 80
Cipher: [default]
SSL certificate: myCert
The changes look like they have been applied; in the load balancer description, I see:
Port configuration:
80 (HTTP) forwarding to 80 (HTTP)
Stickiness: Disabled
443 (HTTPS, Certificate: myCert) forwarding to 80 (HTTP)
Stickiness: Disabled
However, I cannot access the site at the HTTPS load balancer URL or my domain's HTTPS URL. Request times out. The HTTP site continues to work well.
Is there any additional configuration I have to do to have the server respond on HTTPS? Am I correct in assuming that there is no configuration required at the app level, since SSL is terminated at the load balancer and the app will continue to speak HTTP?
What I suspect you are missing is allowing access to your instance from your load balancer's security group.
You can see the load balancer's security group here:
Then you can see add it to your instance's security group here: