
HTTPS for each EC2 instance in an Auto Scaling group

How can you set up HTTPS for each individual EC2 instance in an Auto Scaling group?

Usually a load balancer in front of the group would handle this by holding an SSL/TLS certificate, but in my architecture there is no load balancer; instead clients query a directory service which provides them the IP address of an instance (instances notify the directory of their existence via a redis server's pub/sub functionality). Consequently the EC2 instances themselves have to carry SSL/TLS certificates. Since this is an Auto Scaling group, instances could pop in/out of existence at any time so certificates cannot be assigned manually. I know AWS can assign each instance a default public IP address from their pool, as well as a generic DNS name like ec2-203-0-113-25.compute-1.amazonaws.com, but they don't come with a certificate.

So, how do I get these instances to have certificates given that their default DNS name is as good as random? I'm thinking maybe I could somehow set them up under a custom parent domain and have each instance claim a unique subdomain at will, thereby allowing them to use a wildcard certificate that covers the parent domain, but I'm not quite sure how that's done.

You can't use Amazon's ACM certificates on EC2 instances. You'll have to provide your own certificate, e.g. a wildcard certificate which is valid for *.example.com. Then you assign subdomains to your instances in Route53 and save those in your Redis database.

I don't recommend using custom machine images, which will cause a huge maintenance overhead in the long run.

Set up machines at launch time using launch scripts or, more professionally, with OpsWorks, where you can utilize the power of Chef or Puppet to set up and run your service. https://aws.amazon.com/opsworks/

Edit, clarifying Route53 usage

Either in the instance registration routine or, when using OpsWorks, in the configure or deploy event recipe, you can utilize the AWS Route53 API to create a subdomain, e.g. the instance name. The number of subdomains is not limited as far as I know.

More details about opsworks events https://docs.aws.amazon.com/opsworks/latest/userguide/workingcookbook-events.html

More details about Route53 https://docs.aws.amazon.com/Route53/latest/APIReference/Welcome.html
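A launch-time registration script following the approach in this answer, as an added example that is not the answerer's code: it reads the instance ID and public IP via IMDSv2, UPSERTs an A record for `<instance-id>.example.com` in Route53 and publishes the hostname to the Redis directory. The hosted zone ID, parent domain and Redis location are assumptions (placeholders), and the wildcard certificate for `*.example.com` is assumed to already be on the instance; the hostname is kept to a single DNS label because a wildcard certificate does not match `a.b.example.com`.

```python
"""Register this Auto Scaling instance under a wildcard-certificate domain."""
import ipaddress
import json
import re
import urllib.request

IMDS = "http://169.254.169.254/latest"
PARENT_DOMAIN = "example.com"          # assumption: domain covered by the *.example.com cert
HOSTED_ZONE_ID = "ZONEID_PLACEHOLDER"  # assumption: Route53 hosted zone of PARENT_DOMAIN


def imds_get(path: str) -> str:
    """Read instance metadata with IMDSv2 (session token) rather than the unauthenticated v1."""
    req = urllib.request.Request(f"{IMDS}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(f"{IMDS}/meta-data/{path}",
                                 headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=2).read().decode()


def instance_fqdn(instance_id: str, parent: str = PARENT_DOMAIN) -> str:
    """'i-0abc123' -> 'i-0abc123.example.com'; exactly one label, so *.example.com matches it."""
    label = instance_id.lower()
    if not re.fullmatch(r"[a-z0-9-]{1,63}", label):
        raise ValueError(f"instance id is not a single valid DNS label: {instance_id!r}")
    return f"{label}.{parent}"


def upsert_change_batch(fqdn: str, ip: str, ttl: int = 60) -> dict:
    """Route53 ChangeBatch that creates or updates the A record.
    A short TTL lets DNS converge quickly when instances churn."""
    ipaddress.IPv4Address(ip)  # raises on anything that is not a dotted-quad IPv4
    return {"Comment": "auto-scaling instance registration",
            "Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": {"Name": fqdn + ".", "Type": "A", "TTL": ttl,
                                               "ResourceRecords": [{"Value": ip}]}}]}


def register_instance(zone_id: str = HOSTED_ZONE_ID) -> str:
    """Create the DNS record, then announce the hostname on the directory's pub/sub channel."""
    import boto3   # imported here so the pure helpers above work without AWS libraries present
    import redis
    fqdn = instance_fqdn(imds_get("instance-id"))
    ip = imds_get("public-ipv4")
    boto3.client("route53").change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=upsert_change_batch(fqdn, ip))
    redis.Redis().publish("instances", json.dumps({"host": fqdn, "ip": ip}))  # assumption: local Redis
    return fqdn
```

The instance role only needs `route53:ChangeResourceRecordSets` on that one hosted zone, and the same routine can run as an OpsWorks deploy recipe instead of user data.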

  1. You need to create a custom AMI for your launch configuration.
  2. In that AMI, you have to configure your SSL certificate.
  3. Whenever your instance launches, it will come up with SSL.
  4. Whichever application you are running, you have to write a rewrite rule for it, for example Nginx HTTP to HTTPS redirection:

```nginx
# Plain HTTP: redirect every request to the HTTPS host
server {
    listen 80;
    server_name www.example.org;
    rewrite ^ https://$server_name$request_uri? permanent;
}

# HTTPS: terminate TLS with the certificate baked into the AMI
server {
    listen 443 ssl;   # original read "listen 1443", which the redirect above never reaches
    server_name www.example.org;
    ssl_certificate     /etc/ssl/certs/example.crt;    # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.key;
}
```
