This project describes how to set up a secure HTTPS connection to a web application using AWS resources.

AWS resources used in this project:

- Create a domain
- Register the domain in AWS Route53
- Create a certificate for the domain
- Create an EC2 instance
- Create a Load Balancer and Target Groups
Create your domain. You can buy it in AWS Route53 or from another registrar. You can also get a domain for free for 1 year, for example from myFreenom.

You need to register your domain in AWS Route53 by creating a hosted zone:

- Enter your domain name
- Enter a description if you want
- Choose the type of hosted zone. If you need to associate the hosted zone with an AWS VPC, use a **private hosted zone**; otherwise use a **public hosted zone**
- Add tags if necessary
- Click **Create hosted zone**
3. When the hosted zone is created you will see 2 records: NS (Name Server) and SOA (Start Of Authority). Write down the values of the NS record. In my case they are:

- ns-329.awsdns-41.com.
- ns-527.awsdns-01.net.
- ns-1599.awsdns-07.co.uk.
- ns-1298.awsdns-34.org.
4. Register the values from the NS record with the domain service where you created the domain (its name server settings). In my case it looks something like this.

Congratulations! If you used a free domain, you have registered your domain in AWS Route53 without paying anything extra.
1. Open AWS Certificate Manager and click on **Request a certificate**. Enter the full domain name, then choose the validation method. With DNS validation you add an extra record in Route53 so that AWS can validate your domain (this is the **recommended** way). With email validation you receive a validation message at your domain's email address (for example: admin@lisenok-aws.tk). Then add tags if you need them and click **Request**.

You will see the Domains section of the certificate. You need to copy the **CNAME name** and the **CNAME value**.
5. Create a new record in AWS Route53.

Your certificate now has the "pending" status. You need to create a new record in AWS Route53. Return to Route53, choose your **hosted zone** and click on **Create record**.

When you create the new record, you need to:

- Paste the **CNAME name** into **Record name**. Be careful: remove your domain name from the end of the CNAME name, because the Route53 console appends the hosted zone name to the record name itself. In my case I remove `.lisenok-aws.tk.`
- Choose **CNAME - Routes traffic to another domain name and to some AWS resources** as the **Record type**
- Paste the **CNAME value** into **Value**
- Click on **Create records**

Wait 1-2 minutes and your certificate will have the **Success** status.
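The "remove your domain name from the CNAME name" step above is where DNS validation most often goes wrong, so here is an added helper (not part of this project) that derives the console-relative record name from the fully qualified CNAME name ACM hands out, and builds the equivalent Route53 `ChangeResourceRecordSets` change batch for use with the API or CLI. The `ACM_VALIDATION` sample is constructed to mimic one `DomainValidationOptions` entry of ACM's `DescribeCertificate` response; the domain and tokens are made up.

```python
import json

# Constructed sample shaped like one DomainValidationOptions entry returned
# by ACM's DescribeCertificate API; domain and tokens are made up.
ACM_VALIDATION = {
    "DomainName": "example-aws.tk",
    "ResourceRecord": {
        "Name": "_3f1a9c2e7b.example-aws.tk.",
        "Type": "CNAME",
        "Value": "_8d4c0e1b2a.acm-validations.aws.",
    },
}


def relative_name(record_name: str, zone_name: str) -> str:
    """Return what to type into the Route53 console's 'Record name' field.

    The console appends the hosted-zone name itself, so pasting the full
    CNAME name would create _token.example-aws.tk.example-aws.tk and the
    certificate would stay pending. The zone apex yields "" (as used for
    the ALB alias record later in this guide).
    """
    rec = record_name.rstrip(".").lower()
    zone = zone_name.rstrip(".").lower()
    if rec == zone:
        return ""
    if not rec.endswith("." + zone):
        raise ValueError(f"{record_name!r} is not inside zone {zone_name!r}")
    return rec[: -(len(zone) + 1)]


def validation_change_batch(validation: dict, ttl: int = 300) -> dict:
    """Build a Route53 ChangeBatch creating the ACM validation CNAME.

    Unlike the console, the API expects the fully qualified name, so the
    ResourceRecord from ACM is used as-is. UPSERT makes re-runs harmless.
    """
    rr = validation["ResourceRecord"]
    if rr["Type"] != "CNAME":
        raise ValueError("ACM DNS validation records are CNAMEs")
    rrset = {
        "Name": rr["Name"],
        "Type": "CNAME",
        "TTL": ttl,
        "ResourceRecords": [{"Value": rr["Value"]}],
    }
    return {
        "Comment": f"ACM DNS validation for {validation['DomainName']}",
        "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rrset}],
    }


if __name__ == "__main__":
    rr_name = ACM_VALIDATION["ResourceRecord"]["Name"]
    print("Console 'Record name':", relative_name(rr_name, ACM_VALIDATION["DomainName"]))
    print(json.dumps(validation_change_batch(ACM_VALIDATION), indent=2))
```

The printed change batch can be saved to a file and passed to `aws route53 change-resource-record-sets --hosted-zone-id <your zone id> --change-batch file://batch.json` instead of clicking through the console.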
1. Search for the EC2 service and click on **Launch instance**.

2.2 Choose a **key pair** if you want an SSH connection to the server. If this is your first time, first create a key pair and download the private key; you will need that key for the SSH connection.
A Security Group (SG) is the AWS firewall for your web servers. Enter the necessary ports, choose the protocol and choose the source. The source is the IP address range that is allowed to send traffic; if you want to allow traffic from every IP on the Internet, use 0.0.0.0/0. If you need an SSH connection, open port 22. You will also need the HTTP and HTTPS ports (80, 443). You also need to choose a network (VPC).

My Security Group:

| Port | Protocol | Source |
|---|---|---|
| 22 | TCP | My IP |
| 80 | TCP | 0.0.0.0/0 (All IPv4) |
| 443 | TCP | 0.0.0.0/0 (All IPv4) |
AWS has different types of storage; you can read about them here.

Click on **Advanced details** and scroll down. Copy this script and paste it into **User data**. The script runs after the OS is installed and installs Apache2 on your server. You can customize this user data if necessary.

```bash
#!/bin/bash
# Runs once at first boot (as root) on an Ubuntu/Debian AMI.
sudo apt update
sudo apt dist-upgrade -y
# Apache2 starts automatically after installation and serves the default page on port 80.
sudo apt install -y apache2
```
Unfortunately, you can't install the SSL/TLS certificate on the AWS EC2 instance itself, but you can attach the certificate to a load balancer and have a secure connection to your web application.
Open the AWS EC2 console and scroll down the navigation panel on the left side. You will see the **Load balancing** menu; click on **Target groups**, then click on **Create target group**.

In this case I use HTTP, because traffic is decrypted at the ALB and forwarded to the instance unencrypted.

Health checks mean that the ALB checks whether your server is healthy; if it is not, a new server can be created or you can be notified about the server. In this example I do not create a "blue-green deployment" and do not send notifications about server health. By default I use the HTTP protocol and the path "/", which means the ALB checks the root directory (index.html page) of the web application.
1.4 Register targets for the TG

Previously, we created an AWS EC2 instance. Now we can register this instance with the TG. Select your instance and click on **Include as pending below**.
You can choose what type of load balancer you want. AWS supports the Classic Load Balancer (previous generation) and the Application Load Balancer for SSL/TLS certificates. In this project I use the ALB.

2.1 Open EC2 and search for **Load balancing**. You will see **Load balancers**; go there and click **Create Load Balancer**.
In my case I use this configuration:

| Type | Value |
|---|---|
| Name | webserver-alb |
| Scheme | Internet-facing |
| IP address type | IPv4 |
| VPC | default |
| Mappings | us-east-2 (a, b, c) |
| Security groups | Open ports: 80, 443 (HTTP, HTTPS) |
| Listeners and routing | HTTP, HTTPS (default action: TG from the previous step) |
| Secure listener settings | ELBSecurityPolicy-2016-08, certificate from ACM |
After configuring the ALB, click on **Create load balancer**.

Return to AWS Route53 and go to your domain. Click on **Create record**. If you want the ALB to answer at the same address as the domain itself, leave the **Record name** field empty. Go to **Alias** and switch it to **Yes**. In the alias target you need to select **Application Load Balancer**, select your region and click on your Application Load Balancer.
This step is optional, but if you want redirection from HTTP to HTTPS, return to **Application Load Balancer**, choose your ALB and click on **Listeners**. Choose **HTTP:80** and click on **Edit**. Remove **Forward** as the default action and select **Redirect** to port 443.