CloudFront SSL Setup, 27 Dec 2017

If you host your website on Amazon EC2, it is easy to put an SSL certificate in front of it and serve it securely. The most interesting thing about Amazon is that its SSL certificate is free. A certificate from another provider such as GoDaddy costs around $60-70 per year, but with Amazon we don’t have to pay a single penny for SSL.

But hold on, take a breath and read further as well 😉 To integrate the SSL certificate, Amazon provides two services:

  • CloudFront
  • Elastic Load Balancer

The Amazon certificate can’t be attached directly to an EC2 instance, and there is some cost involved in using these services, depending on usage. Here I am going to explain the process of integrating SSL using CloudFront.

  • Log in to the Amazon Console (assuming you already have a registered domain name and a running EC2 instance)
  • Go to Certificate Manager and click the “Get Started” button
  • Add the domain name (example.com)
  • Add another name (*.example.com)
  • Click “Review and Request” and, on the next page, “Request Certificate”
  • A verification email will be sent to the email address registered with AWS
  • Now click “CloudFront” under Services
  • Click “Create Distribution”
  • There will be two options
    1. Web Distribution
    2. RTMP Distribution
  • Click the “Get Started” button under Web Distribution
  • This page has several fields under three categories (Origin Settings, Default Cache Behaviour Settings and Distribution Settings). We will start with the first category.
    1. Origin Name: this should be the domain name of your origin. When you click the text box it offers, by default, any S3 bucket or ELB name. For an EC2 instance, enter the instance’s Public DNS name manually (example: ec2-50-68-38-96.ap-south-1.compute.amazonaws.com)
    2. Origin Path: can be left blank
    3. Origin ID: a description used as the ID of this origin within the CloudFront distribution
    4. Origin SSL Protocols: no change needed
    5. Origin Protocol Policy: no change needed (by default it is set to http, so the hop from CloudFront to the EC2 instance stays plain HTTP)
    6. None of the other options in this category need to be changed
  • Under Default Cache Behaviour Settings:
    1. Viewer Protocol Policy: Redirect HTTP to HTTPS
    2. Allowed HTTP Methods: select the third option to allow all methods
    3. Cached HTTP Methods: nothing to change
    4. Forward Headers: All
    5. Query String Forwarding and Caching: Forward all, cache based on all
    6. Nothing else to change in this category
  • Under Distribution Settings:
    1. Alternate Domain Names: the CNAME for your domain (example: www.example.com, or any subdomain that should be served over HTTPS)
    2. SSL Certificate: choose Custom SSL Certificate and pick the certificate created in the previous steps from the drop-down list
    3. Nothing else needs to be changed
  • Click the “Create Distribution” button
  • Now add the DNS entries for the domain name
    1. Add a CNAME record for www pointing to the CloudFront distribution URL
    2. Update the A record for (@) to point to the IP of the CloudFront URL (the IP can be retrieved with nslookup, or simply by pinging the URL)
  • If the website is served by an Apache web server on the EC2 instance, add a ServerAlias to the Apache configuration with the EC2 Public DNS name (example: ec2-50-68-38-96.ap-south-1.compute.amazonaws.com), and another alias on the same line for www.example.com
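As an added example (not code from the original post), here are the same console choices expressed as a CloudFront DistributionConfig in Python, with a small audit function that flags the one weak spot of this setup: the origin hop staying on plain HTTP. The origin DNS name is the one used in the post; the certificate ARN and alias are constructed placeholders.

```python
# Hypothetical values: the certificate ARN and alias are constructed placeholders; the origin DNS is the post's.
ORIGIN_DNS = "ec2-50-68-38-96.ap-south-1.compute.amazonaws.com"
ALIAS = "www.example.com"
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-ID"


def build_config(origin_dns=ORIGIN_DNS, alias=ALIAS, cert_arn=CERT_ARN,
                 origin_policy="http-only"):
    """DistributionConfig dict mirroring the console choices (field names follow the CloudFront schema)."""
    return {
        "CallerReference": f"ssl-setup-{alias}",
        "Enabled": True,
        "Aliases": {"Quantity": 1, "Items": [alias]},         # Alternate Domain Names
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "ec2-origin",                                # Origin ID
            "DomainName": origin_dns,                          # Public DNS of the EC2 instance
            "OriginPath": "",                                  # left blank, as in the post
            "CustomOriginConfig": {
                "HTTPPort": 80, "HTTPSPort": 443,
                "OriginProtocolPolicy": origin_policy,         # post keeps the default (http)
                "OriginSslProtocols": {"Quantity": 3, "Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]},
            },
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "ec2-origin",
            "ViewerProtocolPolicy": "redirect-to-https",      # Redirect HTTP to HTTPS
            "AllowedMethods": {"Quantity": 7,                  # third option: all methods
                "Items": ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"],
                "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
            "ForwardedValues": {"QueryString": True,           # forward all, cache based on all
                                "Cookies": {"Forward": "all"},
                                "Headers": {"Quantity": 1, "Items": ["*"]}},  # Forward Headers: All
            "TrustedSigners": {"Enabled": False, "Quantity": 0},
            "MinTTL": 0,
        },
        "ViewerCertificate": {"ACMCertificateArn": cert_arn,   # Custom SSL Certificate from ACM
                              "SSLSupportMethod": "sni-only",
                              "MinimumProtocolVersion": "TLSv1.1_2016"},
    }


def audit_config(cfg):
    """Findings a reviewer would raise before enabling the distribution."""
    findings = []
    if cfg["DefaultCacheBehavior"]["ViewerProtocolPolicy"] not in ("redirect-to-https", "https-only"):
        findings.append("viewers can reach the site over plain HTTP")
    for origin in cfg["Origins"]["Items"]:
        policy = origin["CustomOriginConfig"]["OriginProtocolPolicy"]
        if policy != "https-only":   # http-only or match-viewer: the origin hop may be plaintext
            findings.append(f"origin {origin['DomainName']} uses {policy}: CloudFront-to-EC2 hop is not encrypted")
    return findings
```

Switching the origin to https-only only works if the EC2 instance itself presents a certificate valid for its origin domain name, which the free ACM certificate cannot provide on EC2.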
Posted by: Chandan Kathuria / In: Cloud Computing, SSL