
Sunday, April 18, 2021

AWS: Set up ELB and Route53 to handle the SSL certificate and www

This article outlines the steps to set up an AWS Elastic Load Balancer and Route53 so that a custom domain is served over HTTPS with your own SSL/TLS certificate. I use my domain bitoptech.net for the setup.

I assume that you already know how to create and run an EC2 instance with a web server on it. It can in fact be any application server listening on any port, but for this example I use an EC2 instance running the nginx web server.

 

I. Create Load Balancer

Go to Services, select EC2, and you will see Load Balancers in the bar on the left. Click on Load Balancers, then click the Create Load Balancer button at the top left. The steps below follow the Application Load Balancer wizard (it is the one that works with target groups), and you will see this screen:

You can fill in any name for Name. Choose Scheme "internet-facing". Choose the IP address type, VPC and Availability Zones based on your own setup.

Add the Listener HTTPS 443. You can remove the Listener HTTP 80 so that the load balancer accepts only TLS, but then plain http://www.YOUR_DOMAIN.com will simply fail to connect instead of being upgraded. The friendlier option with the same security outcome is to keep the port 80 listener and give it a redirect action to HTTPS 443 (an Application Load Balancer listener can answer a 301 to the https:// URL directly), so no page content is ever served over plaintext.

Click on "Next: Configure Security Settings". You will see the screen to configure your SSL certificate. I assume that you know how to buy an SSL certificate for your domain. Otherwise, search for "How to buy SSL certificate for a domain". If you are just experimenting, search for "How to generate SSL self signed certificate"; a self-signed certificate is enough to test the wiring, but every browser will warn about it. In my case, I use a certificate I bought for my other domain, reused here for demo purposes.

Choose "Upload a new SSL certificate to AWS Identity and Access Management (IAM)". If you would rather not paste a private key into the console, request or import the certificate in AWS Certificate Manager (ACM) and pick "Choose a certificate from ACM" instead: ACM issues certificates at no charge for domains you can validate through Route53, renews them automatically, and never hands the private key to anyone, which is the better choice for anything beyond a demo.

Paste the private key, the certificate and the certificate chain into the corresponding boxes. The chain is the intermediate CA certificate (or certificates) sitting between your certificate and the root the browsers trust, in order starting with the one that signed your certificate. If you leave it out, the load balancer will still start, but many clients will fail validation with a message about an unknown issuer. In case you don't know what a certificate chain is, please read this article.

In Security Policy, select a predefined policy that allows only TLS 1.2 or newer (for example ELBSecurityPolicy-TLS-1-2-2017-01, or a newer forward-secrecy policy if one is listed). Older policies keep TLS 1.0 and 1.1 enabled for compatibility, and nothing on a new site needs them. Once the load balancer is active you can confirm the choice with "openssl s_client -tls1_1 -connect YOUR_ELB_DNS:443", which should fail to handshake:

 

Click "Next: Configure Security Group". At this step, choose whichever Security Group suits your purpose. I assume that you know how to set up and use Security Groups; the load balancer's group needs inbound 443 from anywhere (and 80 if you kept the redirect listener), and nothing else.

After selecting Security Group, go to the next step: Configure Routing.

The Target Group in this case is a group of EC2 instances that have nginx running on them, so I choose Protocol HTTP and port 80. If you run a bunch of EC2 instances with a Rails application on port 3000 on each, set Protocol HTTP and port 3000. Note that TLS ends at the load balancer: the hop from the load balancer to the instance is plain HTTP inside the VPC, so the instances' Security Group should allow that port only from the load balancer's Security Group, never from 0.0.0.0/0. Each instance must also answer the Health check path with HTTP 200 on that port, or the target is marked unhealthy and taken out of rotation. In my case, I create a file called health_check.html in nginx's html directory and point the health check at /health_check.html.

Click "Next: Register Targets" and you will see a list of EC2 instances that you can add. Click on the instances that you want, then click the button "Add to Registered".

Click on "Next: Review". After carefully reviewing the settings, click on "Create", and you should see a message saying that the ELB was created successfully. If you go back to EC2/Load Balancers, you should see the newly created ELB in the state "provisioning":

 

Wait until its state turns to "active", then test it from a browser using the ELB's DNS name.

For example: https://https-bitoptech-net-989317831.us-west-1.elb.amazonaws.com

At this point, the browser will complain about certificate validation. That is expected: the certificate was issued for "YOUR_DOMAIN.com", but the host in the URL is the load balancer's own DNS name, which appears nowhere in the certificate's subject alternative names. It does not mean the upload went wrong; the meaningful test comes once DNS points your domain at the load balancer.
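The chain paragraph and the browser warning above can both be reproduced locally before anything is pasted into the wizard. The following is an added example, not code from the original post: it uses openssl to mint a throwaway CA and a certificate for bitoptech.net and www.bitoptech.net (the CA name, key size, validity and file names are my assumptions), assembles the three items the wizard asks for, and then runs the checks a browser runs: does the certificate chain up to the pasted chain, does the private key belong to it, and does the host in the URL appear in the certificate. The last check fails for the load balancer's own DNS name, which is exactly the warning described above.

```shell
#!/bin/sh
# Added example (not from the original post): mint a throwaway CA and a leaf
# certificate for the two names used in this post, assemble the three things
# the ELB wizard asks for (private key, certificate, chain), and check them
# the way a browser would. CA name, key size, lifetime and file names are
# assumptions made for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
SITE="bitoptech.net"
ELB_HOST="https-bitoptech-net-989317831.us-west-1.elb.amazonaws.com"

make_certs() {
  cd "$WORK"
  # Private CA standing in for the public CA that sold you the certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
  # Leaf key and CSR. Browsers match the URL host against subjectAltName,
  # not against CN, so both names go into the SAN extension when signing.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SITE" \
    -keyout site.key -out site.csr >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$SITE" "$SITE" > san.ext
  openssl x509 -req -in site.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile san.ext -out site.pem >/dev/null 2>&1
  # "Certificate chain" box: the issuing intermediate(s), root last. A chain
  # from a public CA has one or two intermediates; here it is the CA alone.
  cp ca.pem chain.pem
}

# Does site.pem chain up to what you will paste as the chain? (exit 0 = yes)
chain_ok() {
  openssl verify -CAfile "$WORK/chain.pem" "$WORK/site.pem" >/dev/null 2>&1
}

# Does the certificate cover hostname $1? (exit 0 = yes). This is the check
# the browser fails when you open the load balancer by its own DNS name.
host_ok() {
  openssl verify -CAfile "$WORK/chain.pem" -verify_hostname "$1" \
    "$WORK/site.pem" >/dev/null 2>&1
}

# Does the private key belong to the certificate? A mismatched pair is a
# common upload failure, and this catches it first. (exit 0 = yes)
key_matches() {
  key_pub="$(openssl pkey -in "$WORK/site.key" -pubout 2>/dev/null)"
  cert_pub="$(openssl x509 -in "$WORK/site.pem" -pubkey -noout)"
  [ "$key_pub" = "$cert_pub" ]
}

make_certs
chain_ok && echo "chain: OK"
key_matches && echo "key/cert: match"
host_ok "www.$SITE" && echo "www.$SITE: covered by certificate"
host_ok "$ELB_HOST" || echo "$ELB_HOST: not covered (the browser warning above)"
```

The same three checks apply to a purchased certificate: run chain_ok against the chain file your CA gave you before pasting it, and host_ok against every hostname you intend to serve, including the bare domain.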

 

II. Setup Route53

Click on Services, select Route53. If you have never set up Route53, you will see the welcome screen:

 

I assume that you already bought a domain from another registrar; in my case, I already bought bitoptech.net. In that case we choose DNS management: click the button "Get started now" under DNS management.

 

 

Click on "Create Hosted Zone", enter your domain name, and it shows up in the Hosted Zone list. Click into it to reach the Record Sets screen, where you will see two record sets created by AWS: NS (Name Server) and SOA (Start of Authority). The four name servers listed in the NS record are the ones your registrar must be told about in the next step.

 

 

When you bought the domain from a domain provider, you usually got a Domain Control Panel web site from that provider. Go to that control panel and change the domain's name servers to match the ones in the Value of the AWS NS record:

 

If you don't know where your Domain Control Panel is or how to use it, your registrar's documentation is the place to look; I cannot help you there.

After you change the name servers, it takes a while for resolvers around the Internet to pick up the change, because the old NS records stay in caches until their TTL expires. It used to be quoted as 24 hours; nowadays it is usually done within an hour, though it can take longer for a registrar with long TTLs. You can check progress with "dig NS bitoptech.net" and stop waiting once the answer lists the AWS name servers.

Now, go back to the AWS Route53 Record Set screen and create a Record Set with type CNAME, Name "www", and as Value the DNS name of the ELB, in this case "https-bitoptech-net-989317831.us-west-1.elb.amazonaws.com". A CNAME is fine here because "www" is not the zone apex; an alias A record pointing at the ELB, as used for the bare domain further down, works just as well and is not charged per query.

 

Click on "Create", and we are ready to access https://www.bitoptech.net, which now points to the ELB.

 

At this point, if you use a real certificate for a real domain, the browser should show "Secure". On the screen above it shows "Not Secure" because I use a fake certificate for this example. With a valid certificate it should look like the screen below.

 

Set up access to the URL without "www": if you want people to be able to open https://bitoptech.net as well, create a Record Set with Type "A - IPv4 address", leave the Name empty, set Alias to Yes, and in Alias Target select the name of the ELB. A CNAME will not work here: DNS does not allow a CNAME at the zone apex, because it would have to coexist with the SOA and NS records that live there, and Route53's alias record is the AWS way of pointing the apex at the load balancer's changing IP addresses without hard-coding them.

 

Now you can access both

https://www.bitoptech.net

https://bitoptech.net
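The two records above (a CNAME for www and an alias A record for the apex) correspond to one Route53 change batch when done through the API or CLI instead of the console. This is an added example, not from the original post: a small POSIX shell script that emits that batch and applies the apex rule itself (the apex gets an alias A record, any other name a CNAME). The ELB zone ID is a placeholder; the real alias target ID is the load balancer's CanonicalHostedZoneId from "aws elbv2 describe-load-balancers", which is not the ID of your own hosted zone, and mixing those two up is a frequent reason an apex alias refuses to create.

```shell
#!/bin/sh
# Added example (not from the original post): emit the Route 53 change batch
# for the www CNAME and the apex alias described in this post. ELB_ZONE_ID is
# a placeholder; the real value is the load balancer's CanonicalHostedZoneId
# from `aws elbv2 describe-load-balancers --names <name>`, and it is NOT the
# ID of your own bitoptech.net hosted zone.
set -e
DOMAIN="bitoptech.net"
ELB_DNS="https-bitoptech-net-989317831.us-west-1.elb.amazonaws.com"
ELB_ZONE_ID="${ELB_ZONE_ID:-Z0000000000EXAMPLE}"   # placeholder, see above

# One ResourceRecordSet for NAME ("@", empty, or the bare domain = apex).
# The apex must be an alias A record: DNS forbids a CNAME there because it
# would have to coexist with the SOA and NS records. Other names may be CNAMEs.
record_set() {
  name="$1"
  if [ -z "$name" ] || [ "$name" = "@" ] || [ "$name" = "$DOMAIN" ]; then
    cat <<EOF
{ "Name": "${DOMAIN}.", "Type": "A",
  "AliasTarget": { "HostedZoneId": "${ELB_ZONE_ID}",
                   "DNSName": "${ELB_DNS}.",
                   "EvaluateTargetHealth": false } }
EOF
  else
    cat <<EOF
{ "Name": "${name}.${DOMAIN}.", "Type": "CNAME", "TTL": 300,
  "ResourceRecords": [ { "Value": "${ELB_DNS}" } ] }
EOF
  fi
}

# Wrap one record set per NAME argument into a change batch. UPSERT makes
# the batch idempotent, so re-running it after a fix is safe.
change_batch() {
  printf '{ "Comment": "Point %s at the load balancer", "Changes": [\n' "$DOMAIN"
  sep=""
  for n in "$@"; do
    printf '%s{ "Action": "UPSERT", "ResourceRecordSet": ' "$sep"
    record_set "$n"
    printf '}'
    sep=","
  done
  printf '\n] }\n'
}

change_batch www @ > change-batch.json

# Apply only when the CLI is installed and the zone is named; otherwise the
# JSON is left in change-batch.json for review.
if command -v aws >/dev/null 2>&1 && [ -n "${HOSTED_ZONE_ID:-}" ]; then
  aws route53 change-resource-record-sets \
      --hosted-zone-id "$HOSTED_ZONE_ID" --change-batch file://change-batch.json
fi
```

To apply it for real, export HOSTED_ZONE_ID (your bitoptech.net zone) and the real ELB_ZONE_ID, then run the script; afterwards "dig +short A bitoptech.net" and "dig +short CNAME www.bitoptech.net" confirm the answers once the name server change has propagated.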

 

If you buy a real certificate for a real domain, the most convenient option is often a wildcard certificate for *.YOUR_DOMAIN.com, which covers every host name under the domain. Two caveats: a wildcard matches exactly one label, so it covers www.YOUR_DOMAIN.com but neither YOUR_DOMAIN.com itself (ask for the bare domain as an extra name on the same certificate) nor a.b.YOUR_DOMAIN.com; and one private key then protects every host, so a leak of that key exposes all of them, which is one more reason to let ACM hold the key rather than uploading it.

 
