HTTPS on EC2 instance running python project

Submitted by 十年热恋 on 2020-07-23 06:16:07

Question


I'm having considerable difficulty getting HTTPS to resolve on my EC2 instance, which runs a python project. The request just times out (ERR_CONNECTION_TIMED_OUT). HTTP runs ok, however. The steps I've taken are as follows.

  1. I've created a certificate in ACM for the following domains: *.mywebsite.com and mywebsite.com

  2. I've set up Route 53 as follows:

Routing policy on the A records is Simple.

  3. I've gone into the Listener for my Load Balancer for my EC2 instance and CHANGED the port from 80 (HTTP) TO 443 (HTTPS) and added my certificate.

Note: the "Forward To" is a Target Group running on port 80 (HTTP). I've read that this is correct.

  4. I've then gone into the Inbound Rules for my Security group, and added HTTPS

At this point, I've got the following questions:

a) Given that this is a python/Django project, is it possible to enable HTTPS for EC2 through the AWS website, or do I need to add config files and deploy to my instance?

b) Do I need to create a target group running on HTTPS?

c) Do I need listeners on my load balancer for port 80 and port 443, or just port 443?

d) On my security group, do I need port 80 to go to 0.0.0.0/0 and ::/0?

e) Should the A record be the DNS name of the load balancer, or should it be the CNAME of my environment?

Thanks for your help! Once we get the answer here, I'm going to write a guide and post it on YouTube.


Answer 1:


Let me start by giving you a little bit of overview of how a request flows in this case.

As you have rightly guessed, the Load Balancer, the Application Load Balancer to be specific, can handle SSL traffic. This also means that from the Load Balancer to the origin server, the mentioned target group in this case, only HTTP traffic will flow and not HTTPS. So you don't have to worry about handling certificates on the server. The response from the origin server is then again wrapped up in an SSL tunnel and sent back to the client by the ALB.

This means that your end user should be able to connect to the Load Balancer on port 443 at least, and also on port 80 (which can redirect to 443).

This means the security group of your load balancer should have port 443 (and optionally 80) open to the world, or to your users.

Between the origin server and the ALB, the traffic flows on the port your app is running on, so that is the port the server's security group should open to the ALB.

To rephrase, the server (EC2) security group should allow the ALB on whichever port the application is running.

Note: This doesn't have to be 80 or 443, it can also be 8080, as long as your target group knows about it and is forwarding the request on that port.

Now to answer your questions:

a) Given that this is a python/Django project, is it possible to enable HTTPS for EC2 through the AWS website, or do I need to add config files and deploy to my instance?
You don't have to do this. As I mentioned, the encryption/decryption can be offloaded to the ALB. Read more about it in the docs here.

b) Do I need to create a target group running on HTTPS?
This builds on the previous question: no, you don't have to. The app server/EC2 instance should not be concerned with this.

c) Do I need listeners on my load balancer for port 80 and port 443, or just port 443?
This depends on your use case. The base necessity is to have only 443. If you want to allow users to still land on the HTTP site and then be redirected to the more secure HTTPS version, you can again make use of the ALB for this. More about it here.

d) On my security group, do I need port 80 to go to 0.0.0.0/0 and ::/0?
For the ALB, yes, but not for the EC2 instances. Remember that EC2 never communicates directly with users, only with the ALB. So you can control the traffic on EC2 more tightly.

e) Should the A record be the DNS name of the load balancer, or should it be the CNAME of my environment?
Use Alias records. They are much easier to manage, and AWS will take care of the mapping. More about this here.
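The layout the answer describes, written out as a Terraform configuration. This is an added example, not code from the original question or answer. It assumes an existing VPC, public subnets with IPv6 enabled (for the dualstack ALB), an already-issued ACM certificate in the same region as the ALB, and a Route 53 hosted zone for mywebsite.com (the domain from the question); the resource names, the app port 8080 and all variable names are assumptions.

```hcl
variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "instance_id"       { type = string }
variable "zone_id"           { type = string } # Route 53 hosted zone for mywebsite.com
variable "acm_cert_arn"      { type = string } # ACM cert, same region as the ALB

# ALB security group: the only thing exposed to the internet (443, plus 80 for the redirect).
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = [443, 80]
    content {
      from_port        = ingress.value
      to_port          = ingress.value
      protocol         = "tcp"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = ["::/0"]
    }
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Instance security group: only the ALB's security group may reach the app port (8080 assumed).
resource "aws_security_group" "app" {
  name   = "django-app-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id] # not 0.0.0.0/0
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "web" {
  name               = "django-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
  ip_address_type    = "dualstack" # for the AAAA alias below
}

# Target group speaks plain HTTP to the instance; TLS ends at the ALB.
resource "aws_lb_target_group" "app" {
  name     = "django-tg"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}
resource "aws_lb_target_group_attachment" "app" {
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = var.instance_id
}

# 443: terminate TLS with the ACM certificate, forward to the HTTP target group.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
# 80: keep a listener, but only to redirect to HTTPS.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Route 53 alias records (A and AAAA) for the apex, pointing at the ALB rather than a CNAME.
resource "aws_route53_record" "apex" {
  for_each = toset(["A", "AAAA"])
  zone_id  = var.zone_id
  name     = "mywebsite.com"
  type     = each.key
  alias {
    name                   = aws_lb.web.dns_name
    zone_id                = aws_lb.web.zone_id
    evaluate_target_health = true
  }
}
```

Two things to check when the browser still times out on 443: the ALB's own security group (not the instance's) must allow inbound 443, and the ALB must actually have a 443 listener; a security group that silently drops the SYN is exactly what produces ERR_CONNECTION_TIMED_OUT rather than a certificate or 5xx error. Because TLS ends at the ALB, the instance only ever sees HTTP and learns the original scheme from the X-Forwarded-Proto header the ALB adds; in Django that means setting SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") so request.is_secure() is correct and SECURE_SSL_REDIRECT does not loop.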



Source: https://stackoverflow.com/questions/62845276/https-on-ec2-instance-running-python-project
