admin/cmc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

36.2 Providing HTTPS access to the backend through Elastic LoadBalancer (ELB) and Amazon Certificate Manager (ACM) (#36, #32)

Browse Source
This commit is contained in:
Art
2021-09-27 15:45:35 +03:00
parent a6eee3d2f2
commit d4ad1e070b
1 changed files with 95 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
README.md
View File

@ -80,7 +80,7 @@ Create EC2 instance with custom security rules
- `ls -lh support-portal.jar` -> view permissions - `ls -lh support-portal.jar` -> view permissions
- `./support-portal.jar` - `./support-portal.jar`
#### 207. Deploying Angular Application ##### 207. Deploying Angular Application
1. Build Angular Application 1. Build Angular Application
- `ng build --prod` - `ng build --prod`
@ -89,7 +89,7 @@ Create EC2 instance with custom security rules
3. Move files to httpd directory 3. Move files to httpd directory
- `sudo cp ~/support-portal-frontend/* /var/www/html` - `sudo cp ~/support-portal-frontend/* /var/www/html`
#### 208. Creating Unix Service ##### 208. Creating Unix Service
1. Create dedicated user to run this app as a service 1. Create dedicated user to run this app as a service
- without ability to login - without ability to login
@ -139,7 +139,7 @@ Create EC2 instance with custom security rules
- `sudo nano /etc/environment` - `sudo nano /etc/environment`
- `SPRING_PROFILES_ACTIVE=aws-local` - `SPRING_PROFILES_ACTIVE=aws-local`
#### 208.2 Creating Unix Service - Correct Way ##### 208.2 Creating Unix Service - Correct Way
- cd /etc/systemd/system - cd /etc/systemd/system
- Create a file named your-service.service and include the following: - Create a file named your-service.service and include the following:
@ -166,7 +166,7 @@ WantedBy=multi-user.target
- To enable your service on every reboot - To enable your service on every reboot
- `sudo systemctl enable supportapi.service` - `sudo systemctl enable supportapi.service`
#### 209. Testing in Production ##### 209. Testing in Production
- Test with: - Test with:
- Username: `art.shyshkin` - Username: `art.shyshkin`
@ -175,7 +175,7 @@ WantedBy=multi-user.target
- Username: `shyshkin.art` - Username: `shyshkin.art`
- Password: `5C<"0dVx=>` - Password: `5C<"0dVx=>`
#### 33 deploy frontend into s3 bucket ##### 33 deploy frontend into s3 bucket
1. S3 console 1. S3 console
- Create bucket: `portal.shyshkin.net` - Create bucket: `portal.shyshkin.net`
@ -251,7 +251,7 @@ WantedBy=multi-user.target
- `[Service]` - `[Service]`
- `Environment="SPRING_PROFILES_ACTIVE=aws-rds"` - `Environment="SPRING_PROFILES_ACTIVE=aws-rds"`
#### 34.1 Create EC2 instance for Docker ##### 34.1 Create EC2 instance for Docker
- Create EC2 instance - Create EC2 instance
- User Data: - User Data:
@ -281,21 +281,21 @@ systemctl restart docker
- Allow port 3306 from `docker-security-group` - Allow port 3306 from `docker-security-group`
- Attach SG to database in RDS `portal-db` - Attach SG to database in RDS `portal-db`
#### 34.3 Build and Run Docker image in Docker EC2 ##### 34.3 Build and Run Docker image in Docker EC2
- `mvn clean package docker:build docker:start` - `mvn clean package docker:build docker:start`
#### 34.4 Configure frontend to call new backend ##### 34.4 Configure frontend to call new backend
- `ng build` - `ng build`
- upload `dist/support-portal-frontend` to S3 - upload `dist/support-portal-frontend` to S3
#### 34.5 Logging remote docker ##### 34.5 Logging remote docker
- `mvn docker:logs` - `mvn docker:logs`
- `mvn docker:logs -Ddocker.follow` - `mvn docker:logs -Ddocker.follow`
#### 34.6 Persisting images to EC2 filesystem ##### 34.6 Persisting images to EC2 filesystem
1. Initial state 1. Initial state
- `docker container exec -it b36 bash` - `docker container exec -it b36 bash`
@ -320,7 +320,7 @@ systemctl restart docker
- `'~/supportportal' cannot be relativized, cannot resolve arbitrary user home paths.` - `'~/supportportal' cannot be relativized, cannot resolve arbitrary user home paths.`
- add `<volume>/home/ec2-user/supportportal:/root/supportportal</volume>` - success - add `<volume>/home/ec2-user/supportportal:/root/supportportal</volume>` - success
#### 36 Deploy Spring Boot JAR file on AWS Elastic Beanstalk ##### 36.1 Deploy Spring Boot JAR file on AWS Elastic Beanstalk
1. Info about deployment Spring Boot app on AWS 1. Info about deployment Spring Boot app on AWS
- AWS EBS expects for your apps to listen on port 5000 - AWS EBS expects for your apps to listen on port 5000
@ -371,5 +371,88 @@ systemctl restart docker
- Visit `http://portal-bean.shyshkin.net` -> have a response from spring boot app -> OK - Visit `http://portal-bean.shyshkin.net` -> have a response from spring boot app -> OK
- Test with Angular App: `localhost:4200` - Test with Angular App: `localhost:4200`
##### 36.2 Providing HTTPS access to the backend through Elastic LoadBalancer (ELB) and Amazon Certificate Manager (ACM)
1. Provision certificate
- ACM console
- Provision certificates
- Request a public certificate
- Domain name: `portal-back-secure.shyshkin.net`
- DNS validation
- Create record in Route53
- About 30 minutes -> Pending validation (it took about a minute for me)
- Certificate issued
2. Create environment
- Beanstalk console
- Application -> `support-portal-backend`
- Create environment -> Web server environment -> Supportportalbackend-secured
- Domain -> Leave blank
- Java
- Application code -> Existing version
- Configure more options
- High Availability (with Load Balancer)
- Software -> Environment properties
- SPRING_PROFILES_ACTIVE: aws-rds
- Instances
- EC2 Security Groups: `mysql-marker-sg`
- Load Balancer -> Edit
- Listeners -> Add Listener
- Port: 443
- Protocol: HTTPS
- Certificate: `portal-back-secure.shyshkin.net - e0c...`
- SSL policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06 (how strong security policy will be)
- Add
- We may disable HTTP (80), but just keep it for now
- Save
- This is `custom configuration`
- Create environment
3. Create CNAME for load balancer URL
- Route53 console
- Hosted zone -> shyshkin.net
- Add Record
- Simple routing
- Record name: `portal-back-secure`.shyshkin.net
- Record type: CNAME
- Value: `supportportalbackend-secured.eba-wfr5wya3.eu-north-1.elasticbeanstalk.com`
4. Wait some time
5. Visit HTTP and HTTPS
- `http://portal-back-secure.shyshkin.net/` -> OK
- `https://portal-back-secure.shyshkin.net/` -> OK
6. View certificate info
- Chrome -> Lock sign
- Certificate
- Publisher
- CN = Amazon
- OU = Server CA 1B
- O = Amazon
- C = US
7. Verify Certificate in use
- ACM console - certificate for `portal-back-secure.shyshkin.net`
- In Use -> Yes
- Associated resources:
- `arn:aws:elasticloadbalancing:eu-north-1:392971033516:loadbalancer/app/awseb-AWSEB-1OGG0G42RZOR2/f2dec1e6adf1a4de`
8. Disable HTTP
- Beanstalk
- Environment: Supportportalbackend-secured
- Configuration
- Load Balancer -> Edit
- Listeners -> HTTP -> Disable -> Apply
- Test it:
- `http://portal-back-secure.shyshkin.net` -> Timeout
- `https://portal-back-secure.shyshkin.net` -> OK
9. Apply redirection HTTP -> HTTPS
- Enable HTTP back (like in step 8)
- Follow [How can I redirect HTTP requests to HTTPS using an Application Load Balancer?](https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/)
- EC2 console -> Load Balancer
- Find our ALB
- Listeners -> HTTP -> View/Edit Rules
- Edit -> DEFAULT -> Then -> Edit to
- `Redirect to` -> HTTPS -> 443
- Update
- Test it
- `https://portal-back-secure.shyshkin.net/` -> OK
- `http://portal-back-secure.shyshkin.net/` -> redirect to `https://portal-back-secure.shyshkin.net/` -> OK
10. But now visiting direct LoadBalancer gave an error
- `https://supportportalbackend-secured.eba-wfr5wya3.eu-north-1.elasticbeanstalk.com`
- `NET::ERR_CERT_COMMON_NAME_INVALID`