I created an aplication but Its is not linked to my domain
exp: "site.com", "www.site.com", when I access it I get:
I need to make my ElasticBeanstalk application connect to my domain (jamelaumn.com) im the owner
here's my application loadbalancer prints:
currently I have no rules on EB LB
My EC2 LoadBalancer::
Based on the comments and your updates. I see two issues.
SSL certificate is setup for jamelaumn.com. This will not work. It must be setup for *.jamelaumn.com or api.jamelaumn.com. So you have to make new SSL certificate and add it to your ALB.
You have to redirect port 80 (http) to 443 (https) on your load balancer. The process is described in How can I redirect HTTP requests to HTTPS using an Application Load Balancer?
Related
I've got a NAS (Synology) which hosts soem of my work.
There is a mariadb database, a web server (nginx) and Docker for hosting my personal python API.
Here is a graphical view:
As you can see, I also made a front (Vue JS) web page which uses the python API.
I want to secure all of that with HTTPS.
I successfully add a Let's Encrypt (LE) certificate and the web client use it with no problem.
But the python API is served only over HTTP, on the web client gives this error:
Mixed Content: The page at 'https://mydomain.fr/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mydomain:12345/myroute'. This request has been blocked; the content must be served over HTTPS.
And I understand it.
So I want my python API to use HTTPS.
I use a gunicorn server, and I tried several things:
Add ssl_context:
app.run(host='0.0.0.0', ssl_context='adhoc')
Add some files given by LE (I don't understand what I do):
CMD ["gunicorn", "--certfile=certificat.pem", "--keyfile=cleprivee.key", "--ca_certs=ca.cer", "-b", "0.0.0.0:5000", "feed:app"]
But I only got "Time out" with thoses tests.
Do I have to use the same certificate as the web server for the api?
How do i "give" it to the api?
I just published a Python / Flask serverless website (no .htaccess), and I am trying to redirect all non-www to www.
I use NameCheap as my DNS registrar, and AWS API Gateway to serve the website. My main record for the website is:
CNAME: www -> abc012def3456.cloudfront.net
This CNAME works perfectly; I can access my website at https://www.example.com or http://www.example.com (which redirects to the https version).
To redirect the non-www to www, I added:
URL Redirect Record (301): # -> https://www.example.com
The thing is, http://example.com successfully redirects me to https://www.example.com, but https://example.com does not. Instead, it just does not respond.
What am I doing wrong? Are there any other recommended ways to redirect both http://example.com and https://example.com to https://www.example.com?
You can use elastic loadbalancers in AWS to redirect traffic from http to https. Below is a link to the docs
https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/
The basics are:
Create an https listener that redirects traffic to your flask server(s) on the port they are listening to
Create an http listener that redirects traffic to your https listener.
Happy Encrypting!
you can use python3-certbot to automate such stuffs
because certbot is an https installer or automatic https for the website/server manually
instead of editing it from a .htaccess file
https://pypi.org/project/certbot/
I am using the Automated Certificate Management through heroku in order to implement SSL for my application. My application will successfully connect securely using HTTPS if https://www.myapp.com is used, but if www.myapp.com or myapp.com is used, it defaults to HTTP.
In Heroku the domains that have been added are respectively as follows:
Domain Name: myapp.com, www.myapp.com
DNS Target: myapp.com.herokudns.com, www.myapp.com.herokudns.com
In google domains I have a subdomain forward record as follows:
myapp.com -> https://www.myapp.com
and under Custom resource records I have:
Name: www
Type: CNAME
Date: www.myapp.com.herokudns.com
Is there a way to force https through google domains or heroku-cli, or is this something I need to do in my Python app?
The easiest way is to use flask-sslify:
https://github.com/kennethreitz/flask-sslify
It turns every http request to your app into a https request
you only have to add one line of code to you app (or app factory):
from flask import Flask
from flask_sslify import SSLify
app = Flask(__name__)
sslify = SSLify(app)
flask-sslify doesn't seem to be maintained anymore. Heroku suggests looking at flask-talisman. But the csp requirements don't look trivial to me.
There really needs to be a simpler solution for this.
Q. How do I set django ALLOW_HOSTS on elastic beanstalk instance to allow Elastic Load Balancer IP?
Background
I deployed django website on elastic beanstalk. Website domain is added to ALLOW_HOSTS so normal requests are accepted by django correctly.
ALLOWED_HOSTS = ['.mydomain.com']
Elastic Load balancer visit Elastic beanstalk instances directly with IP address for health check, so next line allow the health check:
# add elastic beanstalk instance local ip
aws_ip = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4', timeout=0.1).text
ALLOWED_HOSTS.append(aws_ip)
But I still got invalid HOST IP errors that seems elastic beanstalk instances are visited with elastic load balancer public IP. There are solutions online for EC2 deployments as you can set HTTPD softwares to set http HOST header when it's visited by IP directly. But we cannot config apache on elastic beanstalk. So how do I add elastic load balancer IP to the ALLOW_HOSTS?
There is no good reason to accept traffic that is directed to your ELB's IP. For the health check, my preferred method:
import requests
try:
internal_ip = requests.get('http://instance-data/latest/meta-data/local-ipv4').text
except requests.exceptions.ConnectionError:
pass
else:
ALLOWED_HOSTS.append(internal_ip)
del requests
No complicated apache configuration, which depend on your domain
Fails quickly on dns, no need to rely on timeout
I believe the best approach would be to configure Apache to handle request host validation. Even with beanstalk you should be able to configure Apache using .ebextensions.
The general idea is to check incoming requests for the 'ELB-HealthChecker/1.0' User-Agent and the health check URL you set as the request's REQUEST_URI. Those requests can have their host header changed to an allowed host with the RequestHeader set Host command.
If really don't want to configure Apache, you could implement a custom middleware to override Django's CommonMiddleware to allow the health checker requests to bypass Django's ALLOWED_HOST validation.
I went into greater detail in this answer if you need more on implementing one of these solutions.
Adding the local IP of the EC2 instance to the allowed hosts worked for me.
settings.py:
import socket
hostname = socket.gethostname()
local_ip = socket.gethostbyname(hostname)
ALLOWED_HOSTS = ['...', local_ip]
You add list of IPs assigned to that host.
Only the IP address no http:// or /latest/media...
In settings.py this is the configuration I use and it works well for me (for DEV at least) :
# AWS config for ElasticBeanstalk
ALLOWED_HOSTS = [
'127.0.0.1',
'localhost',
'.compute-1.amazonaws.com', # allows viewing of instances directly
'.elasticbeanstalk.com'
]
I hope it helps.
I am implementing a two-way SSL authentication and then additional authentication via Kerberos after which it redirects the user to an internal server via reverse proxy.
i.e:
SSL auth <--> Apache Server + kerberos auth using login/password <--reverse proxy-->> internal server
This setup currently works:
Now my idea is to use this configuration as I can control the behavior of the user via Tornado
SSL auth <--> Apache server <---> Tornado webserver for kerberos auth <---> reverse proxy <---> internal server
And I have got the SSL authentication and the Kerberos authentication working.
However, how do I tell Tornado to reverse proxy(apache) to the internal server?
Tornado doesn't have any built-in reverse proxy functionality, but in the simple case a reverse proxy is just a RequestHandler that passes through to an HTTP client:
class ReverseProxyHandler(RequestHandler):
#gen.coroutine
def get(self):
resp = AsyncHTTPClient().fetch(self.convert_url(self.request),
headers=self.request.headers)
self.set_status(resp.code)
for k,v in resp.headers.get_all():
self.add_header(k, v)
self.write(resp.body)
It could get a lot more complicated than that depending on what your requirements are. This is only a simple thing to build if you can be sure that your internal server doesn't do anything tricky.