how to customize AWS ELB trusted certificate authorities? - amazon-elb

I want to have a custom "trusted CA" configuration for my API. When not using ELB, I can achieve this by configuring a "ca.pem" file in my web server. However, when using ELB, I think my web server doesn't receive the original incoming client certificate (but rather the ELB's certificate instead).
Is it possible to somehow make my custom CA take effect even if behind the ELB?

Your instance not only doesn't see the original client's cert... it isn't actually participating in the same TLS session as the client. ELB Classic and ALB create two independent TLS sessions and tie their payloads together.
To do what you want, the ELB cannot participate in the TLS at all. It has to be all done by your server, and the balancer has to operate at layer 4 or below. This rules out Application Load Balancer, which operates only at layer 7.
There are two solutions for this.
The old solution was to use an ELB (Classic) in TCP mode, with TLS (SSL) disabled. The ELB blindly passes the payload from the encrypted connections through to the instance, which negotiates TLS directly with the browser, and can thus use its CA file to authenticate the browser. It gets a little tricky, though, because by default your instance will not see the client's IP address, and because the ELB is running in layer 4 mode (not to mention handling encrypted traffic that it doesn't understand), it can't add X-Forwarded-For headers... so you have to enable "Proxy protocol" support on the ELB, and your instance has to understand how to extract the client address from the Proxy protocol preamble.
The newer solution is a third type of balancer, called a Network Load Balancer. This service operates at layer 3 and allows you to -- essentially -- map a single elastic IP address onto multiple EC2 instances, for balancing incoming requests on specific ports, with health checks to remove unhealthy instances from rotation. Your instances still are responsible for handling all the TLS themselves, but they will see the client address on the incoming connection.
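As an added example (not part of the answer above, and not AWS code): what the instance has to do once a Classic ELB is in TCP mode with proxy protocol enabled. It strips the PROXY protocol v1 line the ELB prepends, without consuming any of the TLS bytes that follow, and then runs the TLS handshake itself with client certificates required against ca.pem. The preamble bytes, the addresses and the certificate file names are constructed for illustration; the code assumes the PROXY protocol v1 text format and Python's standard ssl module.

```python
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of what the ELB (Classic, TCP listener, proxy protocol on)
# prepends to each backend connection. Everything after the CRLF is the client's
# own TLS ClientHello, untouched. Addresses are from documentation ranges.
SAMPLE_PREAMBLE = b"PROXY TCP4 198.51.100.23 10.0.1.17 51234 443\r\n"
SAMPLE_TLS_START = bytes.fromhex("16030100")  # start of a TLS handshake record (constructed)

MAX_V1_LINE = 107  # longest legal PROXY v1 line including CRLF


@dataclass
class ProxyHeader:
    src: Optional[Tuple[str, int]]  # None for "PROXY UNKNOWN" (e.g. health checks)
    dst: Optional[Tuple[str, int]]
    length: int                     # bytes to consume before the TLS stream starts


def parse_proxy_v1(buf: bytes) -> ProxyHeader:
    """Parse a PROXY protocol v1 line from the front of buf.

    Raises ValueError on anything malformed; the server should then close the
    connection rather than fall back to trusting whatever the peer sent.
    """
    end = buf.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ValueError("no PROXY v1 line within %d bytes" % MAX_V1_LINE)
    fields = buf[:end].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return ProxyHeader(None, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line: %r" % buf[:end])
    want_version = 4 if fields[1] == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src_ip.version != want_version or dst_ip.version != want_version:
        raise ValueError("address family does not match %s" % fields[1])
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return ProxyHeader((str(src_ip), src_port), (str(dst_ip), dst_port), end + 2)


def client_auth_context(cert_path: str, key_path: str, ca_path: str) -> ssl.SSLContext:
    """Server-side context that demands a client certificate chaining to ca.pem.

    With the ELB in TCP passthrough mode this handshake is with the real
    browser, so the check is the same one the web server did without an ELB.
    File names are assumptions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_path, key_path)
    ctx.load_verify_locations(cafile=ca_path)
    ctx.verify_mode = ssl.CERT_REQUIRED  # no cert, or a cert from another CA: handshake fails
    return ctx


def accept_behind_elb(conn: socket.socket, ctx: ssl.SSLContext):
    """Strip the proxy protocol line, then hand the raw TLS stream to OpenSSL.

    MSG_PEEK finds the CRLF without swallowing any of the ClientHello; only the
    header's own bytes are then read off the socket. Returns
    (client_address, tls_socket); tls_socket.getpeercert() holds the verified
    client certificate.
    """
    head = conn.recv(MAX_V1_LINE, socket.MSG_PEEK)  # ELB sends the line in one segment
    hdr = parse_proxy_v1(head)
    conn.recv(hdr.length)                           # consume exactly the header
    tls = ctx.wrap_socket(conn, server_side=True)   # handshake happens here
    return hdr.src, tls


if __name__ == "__main__":
    # Assumed file names; the loop is what a backend behind the TCP ELB runs.
    ctx = client_auth_context("server.pem", "server.key", "ca.pem")
    with socket.create_server(("0.0.0.0", 443)) as listener:
        while True:
            raw, _ = listener.accept()
            try:
                client, tls = accept_behind_elb(raw, ctx)
                print("client", client, "subject", tls.getpeercert().get("subject"))
                tls.close()
            except (ValueError, ssl.SSLError) as exc:
                print("rejected:", exc)
                raw.close()
```

The PROXY line is only trustworthy because the ELB is the only thing that can reach the instance on that port; if the security group also lets the internet in, a client could write its own "PROXY" line and spoof a source address, so restrict ingress to the balancer.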

Related

How to hide ios app IP address from third party servers?

My iOS app retrieves some data from third party servers during runtime.
For privacy reasons, I want to hide the IP addresses of my users, in order to prevent those servers from knowing them. How can I do that?
My idea is to set up a kind of "proxy server" or "VPN server" in between the app and the third party servers. Is that a good idea?
Thanks for your help!
Yes, proxying is the right way to do this. You could do it with a VPN, but that's overkill, and requires considerable setup on the client side which you don't control.
You can get a web server such as Nginx or Apache to act as a proxy directly through config options, or you can do it via scripting with PHP or whatever. I do the latter to provide a proxied service to gravatar.com. The principle is quite straightforward:
Accept a request from your client.
On your server side, make a request (using an HTTP library, such as Guzzle) to the 3rd party service to get whatever is needed.
Parse the response from there and create a response suitable for your client.
This way the 3rd party service will only ever see the IP of your server, not your client, and you can choose exactly what data from the client you pass through. In my gravatar example, it sends an MD5 hash of the user's email address, which has its own privacy implications, but that's a separate problem!
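The three steps above, as an added example that is not the answerer's code: a small HTTP proxy that accepts a request, makes its own request upstream, and relays a filtered response. The upstream URL, the path shape (/avatar/ followed by a 32-character hex hash) and the User-Agent string are assumptions; the point is that the outbound request is built from scratch, so nothing identifying the client (address, cookies, device headers) is copied through, and the client cannot steer the proxy to any other host or path.

```python
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumed third-party base URL; substitute whatever your app calls directly today.
UPSTREAM_BASE = "https://third-party.example.com/avatar/"
HEX32 = re.compile(r"[0-9a-f]{32}")
# Upstream response headers worth relaying; Set-Cookie, Server and the rest stay behind.
RELAYED_RESPONSE_HEADERS = ("Content-Type", "Cache-Control")


def upstream_url_for(path: str) -> Optional[str]:
    """Map /avatar/<32 hex chars> to the upstream URL, or None for anything else.

    The allow-list is the control: the client may name a hash and nothing
    more (no host, no traversal, no query string reaches upstream).
    """
    parts = path.split("/")
    if len(parts) != 3 or parts[0] != "" or parts[1] != "avatar":
        return None
    if not HEX32.fullmatch(parts[2]):
        return None
    return UPSTREAM_BASE + parts[2]


def build_upstream_request(path: str, client_headers) -> Optional[urllib.request.Request]:
    """Build the outbound request from scratch rather than copying the client's.

    client_headers is accepted only so the omission is visible: nothing in it
    is forwarded (no X-Forwarded-For, no Cookie, no device User-Agent).
    Upstream sees the proxy's IP and a fixed User-Agent, nothing else.
    """
    url = upstream_url_for(path)
    if url is None:
        return None
    req = urllib.request.Request(url, method="GET")
    req.add_header("User-Agent", "myapp-proxy/1.0")  # assumed name
    return req


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A 3xx from upstream could point at any host; refuse to follow it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(_NoRedirect)


class PrivacyProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        req = build_upstream_request(self.path, self.headers)
        if req is None:
            self.send_error(404)
            return
        try:
            with OPENER.open(req, timeout=5) as up:
                body = up.read()
                status = up.status
                relay = {h: up.headers[h] for h in RELAYED_RESPONSE_HEADERS if up.headers[h]}
        except (urllib.error.URLError, OSError):
            self.send_error(502)
            return
        self.send_response(status)
        for name, value in relay.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PrivacyProxy).serve_forever()
```

Note that the default request logger still writes the client's address to the proxy's own stderr; if the goal is that nobody but you can learn those addresses, treat that log as sensitive or override log_message.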

API gateway to my elastic beanstalk docker deployed app

My backend is a simple dockerized Node.js express app deployed onto elastic beanstalk. It is exposed on port 80. It would be located somewhere like
mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com
I can call my APIs on the backend
mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com/hello
mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com/postSomeDataToMe
and they work! Yay.
The URL is not very user friendly so I was hoping to set up API gateway to allow me to simply forward API requests from
api.myapp.com/apiFamily/ to mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com
so I can call api.myapp.com/apiFamily/hello or api.myapp.com/apiFamily/postMeSomeData
Unfortunately, I can't figure out (i) if I can do this (ii) how to actually do it.
Can anybody point me to a resource that explains clearly how to do this?
Thanks
Yes, you can do this. For this to happen you need two things:
a custom domain that you own and control, e.g. myapp.com.
a valid, public SSL certificate issued for that domain.
If you don't have them, and want to stay within the AWS ecosystem, you can use Route53 to buy and manage your custom domain. For SSL you can use AWS ACM which will provide you with a free SSL certificate for the domain.
AWS instructions on how to set it all up are:
Setting up custom domain names for REST APIs

Is there a reverse proxy for Solace Message Router?

IBM has MQIPT (IBM MQ Internet Pass-Thru) that acts as an MQ forwarder/reverse proxy to implement messaging solutions between remote sites across the internet. Is there such an equivalent for Solace?
Solace has all kinds of fancy advanced features for load balancing and hybrid/multi-site deployments like bridges and dynamic message routing, but I don't really know those, and where's the fun in having everything ready-made and pre-solved for you anyway? :-)
So here I am going to assume you want to roll your own solution and use an actual reverse proxy:
You can switch to HTTP-based protocols, and just use any regular HTTP reverse proxy. Solace message brokers have a REST message interface, or if your application already uses the Solace API for messaging (or needs its advanced features), you can switch over to HTTP streaming or WebSockets as a transport by modifying the scheme portion of the broker URL in your application configuration. (http:// or ws:// instead of tcp://) This will only allow you to balance sessions, not individual messages within a single elephant flow.

Zuul and Ribbon integration

I have trouble understanding the connection between Zuul and Ribbon.
I think I got Zuul clear. It's a reverse proxy I can contact to reach one of my several instances of a service. It will pick the right server using a round-robin algorithm or whatever you configure it to do. It's a traditional load-balancer. To know the instances available it can use a registry like Eureka.
But I've got more trouble with Ribbon. It's sold as a client-side load balancer but what does it mean? It doesn't need an external server? Ribbon is embedded in the client the same way a Eureka client is? If so how does it work? Do I need Zuul when I use Ribbon, and vice-versa?
On some articles, I saw that in fact, Zuul uses Ribbon by default for the load balancing part and it got me even more confused. If this is true what does "client-side" mean? What does Zuul do except routing?
I hope you can help me.
Client and server are always relative. Zuul is a client for your service instances and your service instances are servers for Zuul.
When we are using traditional load balancer (server-side load balancer), API caller (client) only knows a single endpoint that is a load balancer and the client doesn't know the list of servers. Load balancer chooses a server from the list.
When we are using client-side load balancer like Ribbon, API caller (client) should know the list of servers and choose one of them from the list. That's why we call it client-side load balancer.
As you know, Ribbon is a client-side load balancer module and is integrated into many HTTP client modules. As an example, Feign and load-balanced RestTemplate support Ribbon. Namely, Feign and load-balanced RestTemplate can choose a server from the given list or from the list from Eureka when used with Ribbon.
Regarding Zuul, there is a RibbonRoutingFilter that routes your request to an actual service instance. RibbonRoutingFilter is using Ribbon to choose a server from the list that is given from your configuration or from Eureka. So if you want to use Zuul as a load-balanced reverse proxy, Zuul needs Ribbon.
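An added example of the client-side idea the answer describes (illustrative code, not Ribbon's or Zuul's own): the caller holds the server list, picks one per request, and evicts and retries on its own when a server cannot be reached. The registry callable stands in for a Eureka client, and the instance addresses and the fake HTTP call are constructed.

```python
import time
from typing import Callable, Dict, List, Optional


class ClientSideBalancer:
    """Ribbon-style balancing: the caller holds the server list and picks.

    `registry` plays the part of a Eureka client: any callable returning the
    current list of "host:port" strings. With Zuul in front, Zuul is this
    caller, and the choose()/mark_failed() role is what RibbonRoutingFilter
    delegates to Ribbon.
    """

    def __init__(self, registry: Callable[[], List[str]], eviction_seconds: float = 30.0):
        self._registry = registry
        self._servers: List[str] = []
        self._down_until: Dict[str, float] = {}  # server -> time it may be retried
        self._counter = -1
        self._eviction = eviction_seconds

    def refresh(self) -> List[str]:
        """Re-read the registry (Ribbon does this on a timer)."""
        self._servers = list(self._registry())
        return self._servers

    def choose(self, now: Optional[float] = None) -> str:
        """Round-robin over servers that are not currently evicted."""
        now = time.monotonic() if now is None else now
        live = [s for s in self._servers if self._down_until.get(s, 0.0) <= now]
        if not live:
            raise RuntimeError("no reachable servers in %r" % self._servers)
        self._counter += 1
        return live[self._counter % len(live)]

    def mark_failed(self, server: str, now: Optional[float] = None) -> None:
        """Take a server out of rotation for a while; it is retried automatically later."""
        now = time.monotonic() if now is None else now
        self._down_until[server] = now + self._eviction

    def call(self, fn: Callable[[str], object], retries: int = 2, now: Optional[float] = None):
        """Pick, try, evict and retry on connection failure, all inside the caller.

        Only connection-level failures trigger eviction; an HTTP 5xx from a
        server that answered is left to the caller, since retrying a
        non-idempotent request there could duplicate work.
        """
        last: Optional[Exception] = None
        for _ in range(retries + 1):
            server = self.choose(now)
            try:
                return fn(server)
            except ConnectionError as exc:
                self.mark_failed(server, now)
                last = exc
        assert last is not None
        raise last


def demo() -> str:
    """Constructed scenario: three instances, the first of which is unreachable."""
    instances = ["10.0.0.11:8080", "10.0.0.12:8080", "10.0.0.13:8080"]

    def fake_http_get(server: str) -> str:
        if server == "10.0.0.11:8080":
            raise ConnectionError("connect timeout")
        return "200 OK from " + server

    lb = ClientSideBalancer(lambda: instances)
    lb.refresh()
    return lb.call(fake_http_get, now=0.0)


if __name__ == "__main__":
    print(demo())
```

Contrast with the server-side case: a traditional load balancer would run exactly this loop itself, and the caller would know only the balancer's address.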

Setting up proxy server on iPhone

I am trying to set up a proxy server on my iPhone. I am doing this manually by looking up a proxy server IP and port from Google and using this as proxy settings on my iPhone.
But when I do this and I try to connect to a random url, it is taking too long and at the end it says: can't open this page because the network is disconnected.
I have tried like 30 different IPs and ports from multiple websites and none of them worked.
What am I doing wrong?
You're setting up non-working proxy servers.
Almost all "best 100 free public proxy servers" lists are fake or outdated.
The only option to guarantee that proxy is working is to make your own proxy.
I used an Amazon free tier instance with Linux and installed a proxy on it. It is free for one year.
