| 1 | +# Security |
| 2 | + |
| 3 | +This document details the security configuration required for the solution. In particular, it covers: |
| 4 | + |
| 5 | +- **HTTPS Setup** |
| 6 | + |
| 7 | +Following these guidelines will help ensure that traffic is encrypted over the public network. |
| 8 | + |
| 9 | +--- |
| 10 | + |
| 11 | +## 1. HTTPS Authentication with the ALB |
| 12 | + |
| 13 | +### Overview |
| 14 | + |
| 15 | +Using HTTPS on your ALB guarantees that all client-to-ALB communication is encrypted. This is achieved by: |
| 16 | +- **Obtaining and managing SSL/TLS certificates** using AWS Certificate Manager (ACM). You'll need a domain but you can request a free certificate. |
| 17 | +- **Configuring HTTPS listeners** on the ALB |
| 18 | +- **Automating HTTP to HTTPS redirect** for clients that inadvertently access HTTP endpoints |
| 19 | +- **Allowing traffic in the Security Group of the ALB** |
| 20 | + |
| 21 | +### Step-by-Step Setup |
| 22 | + |
| 23 | +#### 1.1. Request an SSL/TLS Certificate via ACM |
| 24 | + |
| 25 | +1. **Navigate to AWS Certificate Manager (ACM):** |
| 26 | + In the AWS Management Console, go to ACM in the region where your ALB is deployed. |
| 27 | + |
| 28 | +2. **Request the Certificate:** |
| 29 | + - Click on **"Request a certificate"**. |
| 30 | + - Choose **"Request a public certificate"** (or a private one if using a private CA). |
| 31 | + - Enter your domain names (e.g., `example.com`, `*.example.com`). |
| 32 | + - Complete the validation (via DNS or email). DNS validation is generally preferred for automation purposes. |
| 33 | + |
| 34 | +3. **Certificate Validation:** |
| 35 | + Ensure that the certificate status becomes **"Issued"** before proceeding. |
| 36 | + |
| 37 | +#### 1.2. Configure the ALB for HTTPS |
| 38 | + |
| 39 | +1. **Create or Modify the ALB Listener:** |
| 40 | + - Open the **EC2 Dashboard** and navigate to [Load Balancers](https://console.aws.amazon.com/ec2/home?#LoadBalancers:). |
| 41 | + - If you already have an ALB, select it; otherwise, create a new ALB. |
| 42 | + - Under the **Listeners** tab, click **Manage listener** > **Edit Listener**. |
| 43 | + - Configure the listener protocol to **HTTPS** with port **443**. |
| 44 | + - Select the certificate you requested from ACM. |
| 45 | + |
| 46 | +#### 1.3. (Optional) Redirect HTTP Traffic to HTTPS |
| 47 | + |
| 48 | +To enhance security, ensure that any HTTP requests are automatically redirected to HTTPS. |
| 49 | + |
| 50 | +1. **Create an HTTP Listener on Port 80:** |
| 51 | + - Add a listener on port **80**. |
| 52 | + - In the listener settings, add a rule to redirect all traffic to port **443** with the protocol changed to **HTTPS**. |
| 53 | + |
| 54 | + **Example AWS CLI command for redirection:** |
| 55 | + ```bash |
| 56 | + aws elbv2 create-listener \ |
| 57 | + --load-balancer-arn <your-alb-arn> \ |
| 58 | + --protocol HTTP \ |
| 59 | + --port 80 \ |
| 60 | + --default-actions Type=redirect,RedirectConfig="Protocol=https,Port=443,StatusCode=HTTP_301" |
| 61 | + ``` |
| 62 | + |
| 63 | +#### 1.4. Allow traffic in the Security Group of the ALB |
| 64 | + |
| 65 | +1. **Create a Security Group:** |
| 66 | + - Go to the CloudFormation stack you originally used to deploy, select **Resources** and search for **ProxyALBSecurityGroup** |
| 67 | + - Click on the Security Group |
| 68 | + - Edit the Inbound Rules to allow traffic on Port 443 from `0.0.0.0/0` and (optionally) delete the Inbound Rule on Port 80. **Note**: If you delete the rule on port 80, you will need to update the base url to use HTTPS only as it won't redirect HTTP traffic to HTTPS. |
| 69 | + |
| 70 | +Now you should be able to test your application! Use the base url like: |
| 71 | + |
| 72 | +``` |
| 73 | +https://<your-domain>/api/v1 |
| 74 | +``` |
| 75 | + |
| 76 | +--- |
| 77 | + |
| 78 | +By following the steps outlined in this guide, you can configure a secure environment that uses HTTPS via ALB for encrypted traffic. |
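Review bot: the redirect command on line 60 is unlikely to run as written, because the nested `RedirectConfig` structure needs braces in AWS CLI shorthand and the API spells the protocol value in uppercase; the documented form is `--default-actions Type=redirect,RedirectConfig="{Protocol=HTTPS,Port=443,StatusCode=HTTP_301}"`. Two further points for the same file: the HTTPS listener step (lines 39-44) never tells the reader to pick the listener's TLS security policy, so the ALB will keep whatever default the console offers, and a sentence recommending a TLS 1.2-or-later policy would close that gap; and the heading "HTTPS Authentication with the ALB" (line 11) describes encryption in transit, not authentication, so "HTTPS Termination at the ALB" would match the content. Finally, line 68 opens 443 to `0.0.0.0/0` unconditionally; since line 7 promises encryption only "over the public network" and line 15 scopes it to client-to-ALB traffic, it would help to state explicitly that ALB-to-target traffic is out of scope here and that the source CIDR should be narrowed when the API is not meant to be reachable from the whole internet.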