I am using AWS EC2 instances with ELB. I know that ELB itself has SSL connection enabled. My EC2 instances does not support SSL.
Here comes my problem. I need to implement some kind of authentication method like oAuth.
Is there a way to authenticate users with ELB?
You can't do that on ELB.
I recommend you to take a look at the ELB documentation http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/Welcome.html and this blog post http://harish11g.blogspot.com.br/2012/03/ssl-offloading-elastic-load-balancing.html
In Kong, you can do one thing. You can terminate SSL (trusted, can use free SSL via ACM) on ELB of KONG and use the feature Accept HTTP if already terminated in OAUTH2 plugin. But keep in mind the ELB Listeners will be (Secure TCP 443)--> (Secure TCP 8443 [https port exposed by KONG]).
Related
I can't seem to figure out if this is common practice or not, but I want to create a website (Running on a container) and then have traffic forwarded to the website from a wildcard on my domain, I want to secure it and use Nginx Proxy Manager and Let's Encrypt to manage the certificate.
Do I keep the website running on my internal server as just HTTP:80 and redirect traffic to to via Nginx? My current site is just a serverside Blazor webapp.
I've seen other people do this, but it makes me wonder if that is indeed secure, at some point between Nginx and the internal server it is not encrypted. Is my understanding correct?
I imagine it looks something like this:
Client connects securely to Nginx Proxy Manager (HTTPS)
Nginx Proxy Manager then decrypts and forwards to the Internal Website (HTTP)
Is my understanding correct?
Is this common practice, or is there a better way to achieve what I want?
I have a Ruby on Rails App hosted on AWS using Elastic-beanstalk which works with HTTP 1 now I want to use HTTP 2. Can someone suggest me the best approach
If I remember correctly when you add a new load balancer to your Elastic Beanstalk environment, it defaults to using a Classic Load Balancer, which doesn't support HTTP/2, I think the solution would be using an Application Load Balancer that does support it, you can find this info here. You can also specify it while creating your environment as you can see here. This will only allow HTTP/2 communication between the client and the ALB, your ALB will convert those HTTP/2 requests into HTTP/1.1 to communicate with your instance.
As seen here: "If end-to-end HTTP/2 is a requirement for your application you can use a Layer 4 ELB ( Classic Load Balancer with TCP listener or Network Load Balancer). If you are interested also in SSL offloading the only option for now is Classic Load Balancer with an SSL listener."
I've setup 2 Rails server instances with an Elastic Load Balancer. I setup SSL via opsworks and when I hit the IP of my instances with https e.g. https://1.2.3.4 I can see the correct certificate.
However, when I hit the domain of the Elastic Load Balancer, a timeout is thrown (loads endlessly).
How should I setup ELB, to properly redirect with https to my instances?
Found the answer was in Security Groups. Besides setting all inbound connections to accept HTTPS protocol and port 443, you have to set the outbound connections of the ELB. I found out that they were only to HTTP, and trying to access the instances with HTTPS it failed. I setup a new outbound rule HTTPS to anywhere and it worked!
We configured ELB with sticky sessions for the JSESSIONID cookie for two tomcats (tomcat1 and tomcat2)(Flow is - Apache Http Server - ELB - tomcats)
AJP protocol with port 8009 has been configured on tomcat side as from AWS ELB there is no AJP option, we have configured with tcp:8009
So the Apache httpd.conf entry is, (xxx.amazonaws.com is ELB name)
BalancerMember ajp://xxx.amazonaws.com:8009
Somehow the sticky session is not working, the http request is sent to both tomcat servers. Is it because of the protocol on ELB side (tcp:8009)? We are not sure what is missing here, Need help!!
Once you change it to TCP you lose sticky sessions. It is an ELB limitation. You might be able to get away with switching the protocol to HTTP but with a different port other than 80.
Unless I am mistaken, you might have to setup an HA Proxy or something else instead of the ELB. Something that can do both TCP with sticky.
It is well know that websockets+sticky doesn't work on amazon.
https://forums.aws.amazon.com/thread.jspa?messageID=627367
I have running my own website for security reasons at an unusual port: https on Port 11223 instead oh 443.
This website provides the feature to login with an google account, realized by using the google OAuth API.
At the last step of authentication (redirecting back from google OAuth to my system), an network timeout happens.
On the other hand: if my server is running https on default port 443 instead of 11223, everything works fine.
I have configured the google OAuth client settings (Redirect URIs, Home page URL, JavaScript origins) for using the special port 112233. But without success.
Maybe it's important to know, the Server is behind a firewall with NAT. This means, the firewall receives https connections to port 11223 to redirect this to the internal webserver running https only on port 11223. But I think, this is not the point.
What could be the reason, why port 443 works but port 11223 doesn't.
I guess google OAuth does not support webservers running on an unusual prot!?!
The port number is 16 bits and thus can not exceed 65535.
Could it be proxy configuration issues? I recommend you configure your firewall to return 404 on the port 11223 and see what happens.