Articles in this section

Securing Requests to a CloudFormation Stack with HTTPS

Avatar
Ant
  • Updated
Follow

The example Senzing CloudFormation templates, such as the Senzing deployment template, are implemented to showcase the rapid deployment of example architecture(s) within AWS. These templates are provided for demonstration and educational purposes, and to form the foundation of your own templates. They are not fully secured for productionized deployments as provided, but serve as a basis for your own templates and customization.

Components of these templates create AWS services with publicly accessible endpoints (an internet domain such as mydomain.com). An example of such an end point is an AWS load balancer accepting requests for the services in an example CloudFormation stack; like the Senzing REST API server. 

The example template(s) create public facing endpoints listening for HTTP requests. Any data transmitted over HTTP is not secure and can be read as plain text. This is acceptable for test or demo data and to comprehend the example AWS based architectures. For a productionized deployment you would use HTTPS (HTTP secure) for the listening endpoints.

To implement the use of HTTPS you need to provide a certificate (from a Certificate Authority (CA)) and prove you control the endpoint. These are not actions Senzing can perform on your behalf or automate the use of HTTPS in a common example CloudFormation template.

For additional information on HTTPS review What is HTTPS.

 

Calling HTTP Endpoints from HTTPS Clients

In addition to HTTP not being secure, building your own applications that make requests to, for example, the Senzing REST server listening for HTTP requests will cause errors. 

The following shows an example error received from an application deployed on AWS Amplify and making a request to the Senzing REST server deployed using an example Senzing CloudFormation template. 

 

mceclip5.png

AWS Amplify applications use HTTPS secured via a certificate AWS allocated to the Amplify application and automatically generated domain name. This error occurs because the Amplify application, which is accessed over HTTPS, subsequently makes a request over HTTP to the Senzing REST server. This chain of requests is considered insecure and Mixed Content because the original request to the Amplify application was secure but it is requesting resources over an insecure HTTP connection. 

For further information on mixed content review this MDN page.

 

AWS Route 53 - Domain & Certificate

Info

Instructions outlined herein offer a straightforward method of providing secure HTTPS transport using services directly from within AWS. This isn't the only approach to achieving this outcome, but serves as an example to people who may be newer to the topics covered. For example, you may already have your own domain(s) secured with certificates to use instead of the steps outlined here.

These instructions do incur additional costs with AWS. These instructions also need privileges within AWS to create the resources discussed.

 

When creating a load balancer with AWS from the example template(s), the template defaults to specifying HTTP as the protocol. During the CloudFormation stack deployment, AWS assigns a domain name (endpoint) to the load balancer servicing requests. These can be seen in the Outputs tab of the CloudFormation stack created from the template:

 

mceclip0.png

The endpoint URL is identical for each service, the load balancer listens on different port numbers and redirects the incoming request based on the port number. 

AWS doesn't provide the ability to modify or create certificates against these default endpoints. To enable the use of HTTPS to send requests to the load balancer and subsequent services you need to use a custom domain with an associated secure certificate. Further information can be found within the AWS Documentation.

The following instructions outline how to use AWS Route 53 and AWS Certificate Manager to create a custom domain with associated secure certificate to use HTTPS with the load balancer.

 

Register a New Domain

Full details can be found on the Route 53 documentation.

  • Login to your AWS account console, navigate to the Route 53 service
  • From the Dashboard locate Register Domain, enter a new domain name and click Check to see availability

mceclip1.png

  • The Domain Search panel will show you the availability of your chosen domain name. If it is available it is automatically added for purchase.

  • Click Continue

mceclip21.png

  • Enter your Registrant Contact details in the Contact Details panel
  • Click Continue
  • Verify your details on the Verify & Purchase panel
    • You can choose to automatically renew your domain
    • Agree to the Terms and Conditions
  • Click Complete Order
    • Domain registration can take some time, our experience has been it is usually completed very quickly. 
  • Click Go To Domains
    • You'll be in the Pending requests panel for your domains registered with Route 53
    • The initial Status will be 'Domain registration in progress'
    • Refresh with the refresh icon in the upper right hand corner to monitor and verify completion of the request, or await the confirmation email from AWS that registration has completed
  • Once complete, the new domain registration can be viewed and actioned upon from Registered Domains 

mceclip3.png

 

Register a Certificate

Certificates can be created directly with AWS Certificate Manager and requested via the load balancer. These instructions will create the certificate via the load balancer configuration.

  • Navigate to the AWS EC2 service console page
  • In the left hand menu under Load Balancing, select Load Balancers
  • Locate the load balancer that does not begin with internal- for the DNS name
    •  It is the load balancer with the DNS name that matches the hostname in the 'UrlXxxx' variables in the Cloudformation 'Outputs' tab
    • In the following screenshot it is the second entry
  • Click the checkbox to the left of the load balancer
  • Click on the Listeners tab

mceclip4.png

 

The first listener to modify to HTTPS and initially request the new certificate to secure the newly registered domain will be the REST server; port 8251. 

  • Select the checkbox to the left of the Listener ID titled HTTP : 8250
  • Click the Edit button above the listener entries
  • In the Listeners panel for HTTP : 8250 change the Protocol : port entries to HTTPS and 8250
  • Click the Request new ACM certificate link below the Default SSL certificate entry boxes

mceclip6.png

  • A new tab will open titled Request a certificate
  • In the entry box under Domain name* enter the domain you registered in the previous step
    • Note you can create a wildcard certificate using *. before your domain name. This is recommended and used later in this article. Using a wildcard certificate enables the securing and use of multiple domains, e.g., app.mydomain.com, rest.mydomain.com, etc. This can be useful for providing other AWS services with a custom domain too, for example an AWS Amplify app. 
  • Click Next

mceclip7.png

  • On the Select validation method panel select DNS validation
  • Click Next
  • On the Add tags panel, add any tags if required (this is metadata for your own use and can be left empty)
  • Click Review
  • On the Review panel click Confirm and request
  • On the Validation panel
    • Expand the twisty under Domain
    • Click the Create record in Route 53 button
    • Click the Create button in the pop up panel

mceclip8.png 

      • Click Continue 

The request to create a secure certificate has been completed and AWS will automatically create the required DNS entry for this domain under Route 53 to validate it. From the certificates screen you may initially see a notification of Validation not complete. You can refresh the entries with the refresh button in the upper right hand corner. 

Once the certificate has been validated the Status will change to Issued

 

mceclip9.png

The current browser tab can now be closed, you should be back in the browser tab for the listener where you clicked to request a new certificate. To specify the listener to use the newly created certificate:

  • In the Protocol: port drop-down box, verify that the value is HTTPS
  • Under Default SSL certificate select From ACM (recommended)
  • Click the refresh button to the right of the two drop-down boxes
  • Under Default SSL certificate, in the right-hand drop-down box, select the certificate that was just created
  • In the upper right, click the Update button

mceclip11.png

  • Click the < arrow in the top left hand corner

Check the listeners for the load balancer, the Listener ID entry for port 8250 will now report HTTPS instead of HTTP. 

mceclip12.png

 

The other listeners can now be secured in the same way as outlined above. For the additional listeners there is no need to create additional certificates, use the same one as created in the Default SSL certificate entry box. The following outlines this when securing port 8251 with HTTPS:

 

mceclip13.png

 

Once all listeners have been secured with the new certificate and HTTPS, the listener entries should look similar to:

mceclip14.png

 

Update DNS Entry for the Domain

The final step is to modify the DNS entry for the newly registered domain and create an alias to point to the CloudFormation load balancer. 

  • Navigate to the AWS Route 53 console page
  • In the left hand menu select Hosted zones
  • Click your newly registered domain under Domain name
  • Click the Create record button

mceclip15.png

 

  • Enter the following for the new DNS record
    • Routing policy = Simple routing
    • Record name = A prefix of your choosing to identify your Senzing CloudFormation stack
    • Alias = Select it to on
    • Record Type = A
    • Route Traffic to
      • Choose endpoint = Alias to Application and Classic Load Balancer
      • Choose Region = The region your CloudFormation stack is in
      • Choose load balancer = Select the non internal load balancer
  • Click the Create records button

mceclip16.png

 

 

Testing HTTPS

There are numerous ways to test the new HTTPS configuration including from your own applications. The URL endpoint for the services in the CloudFormation stack is now the Record name used when creating the DNS alias entry in the previous step. In the screenshot and example above: cfnstack.xxxxxxxxx.com. The port numbers for each service remain the same.

Browser

Testing the REST API server with the heartbeat method:

mceclip17.png

 

Curl Command

Testing the REST API server with the version method:

--> curl -X GET https://cfnstack.xxxxxxxxxx.com:8250/version 
{"meta":{"httpMethod":"GET","httpStatusCode":200,"timings":{"overall":1,"enqueued":0,"nativeAPI":0,"nativeAPI:product.version":0,"processRawData":1},"timestamp":"2021-02-09T06:09:41.744Z","version":"2.3.1","restApiVersion":"2.3.0"},"links":{"self":"http://cfnstack.senzingtestcfn.com:8250/version"},"data":{"apiServerVersion":"2.3.1","restApiVersion":"2.3.0","nativeApiVersion":"2.3.0","nativeApiBuildNumber":"2020_12_07__02_00","nativeApiBuildDate":"2020-12-07T10:00:00.000Z","configCompatibilityVersion":"9"}}

Notice if trying to use HTTP now the request is rejected: 

--> curl -X GET http://cfnstack.senzingtestcfn.com:8250/version
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
</body>
</html>

 

Swagger Editor

Link to Swagger editor

  • In the Servers drop-down box, choose {protocol}://{host}:{port}
  • In the protocol drop-down box, choose https
  • In the host text box, enter the hostname just created

 

mceclip19.png

  • Click Try it out for the heartbeat method
  • Click Execute

 

mceclip20.png

 

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.