I have an AWS Elastic Load Balancer with the following secure URL: https://example.us-west-2.elasticbeanstalk.com/
I also have the following 1&1 registered domain name: example.com
I then add a subdomain of www in the 1&1 config, resulting in www.example.com.
I would like to add a CNAME alias to route traffic from the domain name to the ELB:
www.example.com -> https://example.us-west-2.elasticbeanstalk.com/
So I try to add the CNAME:
As you can see, it is not accepting the URL, as it is an Invalid host name.
I need the alias to point to the secure (https) URL. However, I think this may be the reason for the error.
Question
How do I set up a CNAME to point to a secure URL?
Thanks
UPDATE
My Elastic Load Balancer does have a secure listener.
You have to specify HTTPS in your NGINX using a redirect, or in Apache using mod_rewrite. If you want a slightly higher-level HTTP to HTTPS roll-over, you can do this (most of the time) in your application by specifying where your certs are located and doing a listen on Port 80 with a redirect/relocate to Port 443.
On the DNS level you only specify the location. In your application, or on your server somewhere, you specify the HTTP/HTTPS protocol. DNS, being a protocol itself, cannot specify other protocols in its response. HTTPS is a processor-intensive encryption operation done on your server.
I would highly recommend using AWS Certificate Manager to assign a certificate to your domain. If you'd rather have it in your beanstalk application, check out letsencrypt. It's a wonderful CLI tool for this stuff.
Ubuntu + NGINX + letsencrypt
Configuring HTTP to HTTPS on Ubuntu. Yes, only one operating-system-specific example, but letsencrypt should work anywhere with anything, anytime.
sudo apt-get update
sudo apt-get install letsencrypt
sudo apt-get install nginx
sudo systemctl stop nginx #if it starts by default...
sudo letsencrypt certonly --standalone -n -m richard@thewhozoo.com.com -d thewhozoo.com -d cname.thewhozoo.com --agree-tos
sudo ls -l /etc/letsencrypt/live/thewhozoo.com/ #you should see your stuff in this folder
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 #make yo'self a diffie
sudo vim /etc/nginx/sites-available/default
In your default file:
(Snippets from: HERE and HERE and HERE and HERE)
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name thewhozoo.com www.thewhozoo.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name thewhozoo.com www.thewhozoo.com;
    ssl_certificate /etc/letsencrypt/live/thewhozoo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thewhozoo.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
}
Now that your NGINX file has your certs/keys/pems/whatever listed, you have to double-check your firewall. For Ubuntu and ufw, you can allow access via:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
sudo ufw allow 'OpenSSH'
sudo ufw enable
sudo ufw status
And you should see Nginx HTTPS enabled.
No matter what your flavor of HTTPS is (SSL, TLSvXX, etc.) you'll need Port 22 open on the firewall level because they all use it, hence the 'OpenSSH'.
BE SURE TO RUN allow 'OpenSSH' BEFORE ufw enable. If you do not... your SSH session will be terminated and... good luck.
Now that your firewall is good to go, restart nginx and you should be set:
sudo systemctl start nginx
Helpful tips for the future: NGINX by default sets the renewal policy to 3 months. I'm not certain if this is a "standard" of internet law or not, but the add-on for renewing your certs is:
Add this to your crontab:
sudo systemctl stop nginx
sudo letsencrypt renew
sudo systemctl start nginx
HELPFUL NOTES:
You must have the domain name linked to the server of choice BEFORE running letsencrypt. It does a reverse IP lookup to make sure you are the owner/admin of the domain.
You do not need the giant list of encryption types, but I would highly recommend keeping most of them. Elliptical Curve Diffie Hellman is a must for the type of key used above, but you can probably cut it down to ECDH?E, AES, GCM, and RSA or SHA depending on how many cipher suites you want to support. IF you aren't going to support SSLvX and only do TLSvX, you only need to support (and restrict) the following:
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
AWS Certificate Manager (ACM) + Elastic Load Balancer
HTTPS: 443
Write an NGINX policy for redirecting HTTP traffic to HTTPS:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name thewhozoo.com www.thewhozoo.com;
    return 301 https://$host$request_uri;
}
Restart NGINX.
For an Elastic Beanstalk environment, check THIS INFO.
Wait about 5 minutes for everything to sink in and you should be good to go! Check this for help if needed.
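The answer's two points, that a CNAME target is a bare hostname (the scheme and path in the question's URL are what the registrar rejects as an "Invalid host name") and that the HTTP to HTTPS switch lives in the server config, can both be checked from the outside. The following is an added example, not code from the question or the answer above: it normalizes what a user typed into a valid CNAME target, checks that a port-80 response is the 301 that `return 301 https://$host$request_uri;` produces, and reads the HSTS max-age off the TLS response. The `probe()` function does real network lookups against a hostname you supply; the hostnames and headers used in `main()` are constructed sample values.

```python
"""Offline-testable checks for the DNS + redirect setup described in the answer.

normalize_cname_target / check_redirect / hsts_max_age are pure functions
exercised on constructed input; probe() performs the same checks live.
"""
import http.client
import ssl
from typing import Dict, Optional
from urllib.parse import urlsplit


def normalize_cname_target(value: str) -> str:
    """Return the hostname a CNAME record may point at.

    DNS carries hostnames only, never a scheme or a path, so a pasted URL such
    as https://example.us-west-2.elasticbeanstalk.com/ is reduced to its host.
    A URL with a real path or query is rejected: nothing in DNS can express it.
    """
    value = value.strip()
    if "://" in value:
        parsed = urlsplit(value)
        if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
            raise ValueError("CNAME target cannot carry a path or query")
        host = parsed.hostname or ""
    else:
        host = value.rstrip(".").lower()
    labels = host.split(".")
    # Each DNS label: 1-63 chars, letters/digits/hyphen only.
    if not host or any(
        not lbl or len(lbl) > 63 or not lbl.replace("-", "").isalnum() for lbl in labels
    ):
        raise ValueError(f"not a hostname: {value!r}")
    return host


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def check_redirect(status: int, headers: Dict[str, str], host: str, path: str) -> bool:
    """True when a plain-HTTP response is the permanent redirect to the same
    host and path over https that the nginx port-80 server block returns."""
    if status not in (301, 308):
        return False
    location = _lower_keys(headers).get("location", "")
    return location == f"https://{host}{path}"


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Parse max-age from Strict-Transport-Security; None if absent/malformed."""
    value = _lower_keys(headers).get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def probe(host: str, path: str = "/") -> Dict[str, object]:
    """Live check (needs network): fetch over port 80 and port 443 and
    report whether the redirect and HSTS look as the answer's config intends."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", path, headers={"Host": host})
    r = plain.getresponse()
    plain_headers = dict(r.getheaders())
    plain.close()

    ctx = ssl.create_default_context()  # verifies chain and hostname
    secure = http.client.HTTPSConnection(host, 443, timeout=10, context=ctx)
    secure.request("GET", path, headers={"Host": host})
    s = secure.getresponse()
    secure_headers = dict(s.getheaders())
    secure.close()
    return {
        "redirects_to_https": check_redirect(r.status, plain_headers, host, path),
        "hsts_max_age": hsts_max_age(secure_headers),
        "tls_status": s.status,
    }


def main() -> None:
    # Constructed sample: the URL from the question becomes a valid CNAME target.
    print(normalize_cname_target("https://example.us-west-2.elasticbeanstalk.com/"))
    # Constructed sample response, as the port-80 server block would send it.
    sample = {"Location": "https://www.example.com/login"}
    print(check_redirect(301, sample, "www.example.com", "/login"))
    print(hsts_max_age({"Strict-Transport-Security": "max-age=15768000"}))


if __name__ == "__main__":
    main()
```

Run `probe("www.example.com")` against your own hostname once the CNAME has propagated; `redirects_to_https` should be True and `hsts_max_age` should match the value in your `add_header` line.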