AWS questions

[Cakedaddy]

For HTTPS you need to open port 443, whitelisting your IP/location. Security Groups under EC2.

I have tried a version of this (I might be doing wrong). Edited my inbound rules to allow my IP address on 443. But my app still won't connect. I even tried https://website:443 with no luck.

I'm editing my EC2 > Security Groups > sg-xxxxxxxxxxxxxxxxxx > Edit inbound rules. Picture below shows current config. I have tried adding my IP address to 443 like it is on 22 and does not work. According to that message, 0.0.0.0/0 allows anyone?

[TheCatt]

Never allow 0.0.0.0 unless you want to be hacked by Chinese.

It's possible your server(?) has a firewall as well.

[Cakedaddy]

Could be, whatever the default is, that's what I have. I set it up using a guide from Appsmith (the 'no code' app that I'm using the create it). Those security settings are default as well. I would not have entered those. I thought 0.0.0.0/0 was odd as well but then thought, "I can't white list every possible user out there. No one would ever get to the site?". I also originally assumed that those were inbound rules to get to the server console, not the app running on it. I also assumed that 0.0.0.0 meant no one, not everyone. So when I saw those rules, I saw "Only I can access on that port and everything else is blocked". I've been assuming a lot.

[TheCatt]

It does say "0.0.0.0" is everyone right in your screenshot

I haven't had to protect a public website in forever. We don't have one at my work.

[thibodeaux]

All I know is I can't type https://website and access my app. It errors out. Also, I have never setup a security certificate or anything, so how could it 'just work'?

That's not SSH, that's SSL... Big difference!

SSH = "login to shell via terminal"

SSL = "https instead of http"

Yeah that's a bit more complex. You need a registered domain and a signed cert. AWS will sell you both of those, and yes it's a few more steps than "just works" but not a whole lot more.

[Cakedaddy]

It does say "0.0.0.0" is everyone right in your screenshot

It doesn't show that message until you go in to edit the rules, which I had not done previously!

[thibodeaux]

How you do this depends on how your app works. You said a while back that you were using containers (ECS?). It now sounds like you're using EC2?

We need to know whether you're serving the site directly from a single "machine" or whether you are using a load balancer (hopefully an "application load balancer" or ALB).

The reason is that the setup for SSL is going to depend on this. If you're using an ALB it's actually pretty straightforward, especially if you get AWS to issue the cert for you via their ACM service. I have actually done this in the past and it wasn't terribly hard IIRC.

If you're serving straight from the machine you gotta get the cert on there somehow plus get the webserver on the machine to know about it, which will depend on what you're running (eg, Apache). Never done this.

[Cakedaddy]

I'm going to call it a t3.medium ec2 instance thing. AWS is calling it an instance (instance type: t3.medium) and I access it by going through an EC2 link.

The container idea was probably the early (first) implementation of the Appsmith platform. I was self hosting on my desktop at home on a container/linux program thing. When I switched to AWS, because I didn't want to deal with uptime, network security, etc, I just followed their guide which required and EC2 - t3.medium setup.

[thibodeaux]

Ok, so you have some web server program running on a single EC2 instance. This is where you will have to install your certificate. You will also have to ensure that the server program itself is listening on port 443, and as discussed above make sure the the security group for your EC2 instance has an inbound rule that allows traffic on that port from 0.0.0.0/0.

Just out of curiosity...can you hit the web app on port 80 with non-secure http (NOT https)?

[Cakedaddy]

Yes. type in website.com and it opens. Although, I'm actually entering my server's IP address, and it opens. The URL is the stupid default one AWS made up and it's long and stupid.

But yes. I've been using the app for about 4 months now. Techs hit it from their mobile phones, etc.

The SSL stuff is being driven by the fact that iphones won't let you download a PDF from an unsecured site. I also want to start tracking GPS locations, and early testing, a long time ago, the phone didn't like sharing that with an unsecured site as well.

Ideally, once configured, the user will type in our new registered URL (that we need for SSL) and it will default to https, and not http. I'm guessing that's a server config that says something like "don't accept port 80, route to 443 by default" or something. Or maybe the browser defaults to 443 and fails over to 80 when not available?

[thibodeaux]

so...heh. can you actually SSH onto the box and from the console do something like:

curl https://localhost:443

That would tell you if the server program is working. And then you can diagnose outward from there.

[Cakedaddy]

I probably could (I have logged into the console via SSH). Not going to open that can of worms yet as I don't want to take the app down during working hours. Might try this weekend.

[Leisher]

Catt, you'll be happy to know that I'll soon have data on AWS servers.

[TheCatt]

Catt, you'll be happy to know that I'll soon have data on AWS servers.

Welcome to 2015!

[Leisher]

Welcome to 2015!

What's wrong with pens and paper?

[Cakedaddy]

You can't fax your AWS documents.