Lab 6 - Web Server (Part 3)
Concerns from “The Boss”
- You don’t expect me to remember an IP address or ec2-AA-BB-CC-DD.compute-1.amazonaws.com URL, do you?
- Why does Chrome say our website is “Not Secure” in the address bar?
Objectives:
- Configure Amazon Route 53 (DNS) so that the load balancer can be reached via human-friendly name
- Obtain a certificate to allow the load balancer to answer requests via encrypted HTTPS
- Configure the load balancer to redirect all HTTP traffic to HTTPS
Installation Process
Fall 2021 AWS Academy Workarounds (Route53 Access)
The student AWS Academy accounts do not have any access to Route53 - the DNS service - this year. #Annoying. To complete any actions requiring Route53 access, check your Canvas announcements. The instructor has created an IAM (Identity and Access Management) login for you that delegates limited Route53 permissions from the instructor's full AWS account, sufficient to perform the necessary actions. Open the login link from that announcement in an Incognito/Private Browsing tab, perform the Route53 actions you need to do in Part 1 and Part 2 below, and close that tab afterwards.
For those who are interested, here is the JSON policy that has been applied to that user account. It allows a set of permissions related to Route53 Hosted Zones but specifically excludes any control over the main zone for tigerenterprises.org. Note that NotResource is an exclusion, not a grant to one zone: every listed action is allowed on every hosted zone except that one ARN, including zones that do not exist yet, which is what lets you create and manage your own. Only student-created zones can be controlled by students.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZonesByVPC",
        "route53:CreateHostedZone",
        "ec2:DescribeVpcs",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:DeleteHostedZone",
        "route53:GetHostedZoneCount",
        "route53:GetHostedZoneLimit",
        "route53:ListHostedZonesByName"
      ],
      "Sid": "ThisPolicyExludesAccessToTheMainTigerEnterprisesHostedZone",
      "NotResource": "arn:aws:route53:::hostedzone/Z05671742MAUBSH0KZXLY"
    }
  ]
}
Part 1 - Create DNS Zone
Log into your AWS Management Console, and enter the “Route 53” service. Route 53 is Amazon’s scalable Domain Name System (DNS) service.
- Select “Hosted Zones” on the left column
- Select “Create Hosted Zone” - A hosted zone tells AWS how to respond to requests for a specific domain and subdomains
- Domain name: STUDENT-NAME.tigerenterprises.org
- Type: “Public hosted zone” - A public hosted zone will respond to requests across the public Internet. (In contrast, a private zone is only used within an Amazon VPC)
- Select “Create hosted zone”
At this point, your public hosted zone for STUDENT-NAME.tigerenterprises.org should be created. Note, however, that having this zone does not mean that you suddenly control the name: your instructor has the tigerenterprises.org domain registered ($), and that registration points to a public hosted zone in the instructor's AWS Route 53 account. That said, you need your own public hosted zone to accomplish this goal:
The instructor, in their AWS account, will enter an NS (name server) record delegating all requests for STUDENT-NAME.tigerenterprises.org to your public hosted zone. You can then create entries in your zone (e.g. www.STUDENT-NAME.tigerenterprises.org or vpn.STUDENT-NAME.tigerenterprises.org) that you have full control over.
This must be configured manually. Send the instructor a DM on Slack with the following two pieces of information:
- The subdomain you want to use for all of your servers (i.e. the STUDENT-NAME part)
- The 4 name server entries in your public hosted zone
You can find the 4 entries in the “Hosted zones” panel. Look for the line with a record name of “STUDENT-NAME.tigerenterprises.org” and a type of “NS”. Copy the entries out of the “Value/Route traffic to” column. It will be different for each student, but will look something like this:
ns-651.awsdns-17.net.
ns-1534.awsdns-63.org.
ns-1718.awsdns-22.co.uk.
ns-88.awsdns-11.com.
Deliverables:
- Screenshot of Route 53 public hosted zone in the AWS Console
You can continue with the lab, but your DNS name will not be accessible until the instructor adds in an NS record with your information.
Part 2 - Configure DNS “A” Record for Load Balancer
Create a type “A” (IPv4 address) record in DNS so that www.STUDENT-NAME.tigerenterprises.org is functional and points to the load balancer.
- Go into the Route 53 management console, and open the “STUDENT-NAME.tigerenterprises.org” hosted zone
- Select “Create Record” in the zone
- Record name: www (.STUDENT-NAME.tigerenterprises.org)
- Record type: A - Routes traffic to an IPv4 address
- Value: Enter the public IP address of your load balancer as shown in the EC2 console. Note that the load balancer must be running to have a public IP, and that an EC2 instance without an Elastic IP gets a different public IP every time it is stopped and started. After each stop/start, check that this record still matches; otherwise the name points at an address that AWS may hand to another customer.
- TTL: 300 seconds
- Routing policy: Simple Routing
- Select "Create Records" to add the record
On your personal computer, launch a web browser and try to access http://www.STUDENT-NAME.tigerenterprises.org. Note that the load balancer and private web server must both be running in order for your website to be functional.
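The A record you just created stores a fixed IPv4 address, and the load balancer is an ordinary EC2 instance, so each stop/start cycle (which this lab asks you to do at the end) can leave the record pointing at an address you no longer own. The following script is an added example, not part of the lab materials: it compares a zone's A records against the public IPs of running instances and builds the Route 53 UPSERT change batch that repoints a stale record. The record sets, instance ID and IP addresses in it are constructed sample data, and the boto3 calls in the trailing comment assume boto3 is installed and that credentials for the delegated login described above are configured.

```python
"""Find Route 53 A records left pointing at an address no running instance
owns, and build the change batch that repoints them (added example)."""
import ipaddress
import json
from typing import Dict, List

# Constructed sample: what list_resource_record_sets() returns for the zone,
# trimmed to the fields used here.
SAMPLE_RECORD_SETS = [
    {"Name": "www.student.tigerenterprises.org.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "54.210.1.20"}]},
    {"Name": "student.tigerenterprises.org.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-651.awsdns-17.net."}]},
]
# Constructed sample: instance ID -> public IPv4 of instances currently running.
# The load balancer was stopped and started, so its address changed.
SAMPLE_RUNNING_IPS = {"i-0abc123": "54.210.7.99"}
LB_INSTANCE_ID = "i-0abc123"  # assumed ID of the load balancer instance


def valid_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def a_records(record_sets: List[Dict]) -> Dict[str, List[str]]:
    """{record name: [IPv4 values]} for plain A records (alias records carry
    AliasTarget instead of ResourceRecords and are skipped)."""
    out: Dict[str, List[str]] = {}
    for rs in record_sets:
        if rs.get("Type") == "A" and "ResourceRecords" in rs:
            out[rs["Name"]] = [r["Value"] for r in rs["ResourceRecords"]]
    return out


def stale_records(record_sets, running_ips) -> Dict[str, List[str]]:
    """A records whose target address belongs to no running instance. Such a
    dangling record resolves to whatever AWS assigns that address to next."""
    live = set(running_ips.values())
    stale = {}
    for name, values in a_records(record_sets).items():
        orphaned = [v for v in values if v not in live]
        if orphaned:
            stale[name] = orphaned
    return stale


def upsert_change_batch(name: str, ip: str, ttl: int = 300) -> Dict:
    """ChangeBatch for change_resource_record_sets(). UPSERT replaces the
    record in one atomic change, so the old address is never served next to
    the new one."""
    if not valid_ipv4(ip):
        raise ValueError(f"refusing to publish non-IPv4 value {ip!r}")
    return {
        "Comment": "repoint load balancer A record after stop/start",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name, "Type": "A", "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        }],
    }


def plan(record_sets, running_ips, lb_instance_id) -> List[Dict]:
    """Change batches that repoint every stale A record at the running LB."""
    current = running_ips.get(lb_instance_id)
    if current is None:
        raise RuntimeError("load balancer is not running: no public IP to publish")
    return [upsert_change_batch(name, current)
            for name in stale_records(record_sets, running_ips)]


if __name__ == "__main__":
    for batch in plan(SAMPLE_RECORD_SETS, SAMPLE_RUNNING_IPS, LB_INSTANCE_ID):
        print(json.dumps(batch, indent=2))
    # Against a real account (assumes boto3 and credentials; ZONE_ID is the
    # hosted zone ID shown in the Route 53 console):
    #   import boto3
    #   r53, ec2 = boto3.client("route53"), boto3.client("ec2")
    #   sets = r53.list_resource_record_sets(HostedZoneId=ZONE_ID)["ResourceRecordSets"]
    #   resv = ec2.describe_instances(Filters=[{"Name": "instance-state-name",
    #                                           "Values": ["running"]}])["Reservations"]
    #   running = {i["InstanceId"]: i["PublicIpAddress"]
    #              for r in resv for i in r["Instances"] if "PublicIpAddress" in i}
    #   for batch in plan(sets, running, LB_INSTANCE_ID):
    #       r53.change_resource_record_sets(HostedZoneId=ZONE_ID, ChangeBatch=batch)
```

Run it as-is to see the change batch the sample data produces; with the commented boto3 lines enabled it repoints the record only when the current value is not owned by any running instance, so it is safe to run after every start of the lab VMs. Attaching an Elastic IP to the load balancer removes the problem entirely, at the cost of a small charge while the instance is stopped.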
Deliverables:
- Screenshot of your type “A” record in the Route 53 web console showing the record name and the target IP address
- Screenshot of your website as accessed via the URL http://www.STUDENT-NAME.tigerenterprises.org
Part 3 - Obtain and Configure Let’s Encrypt Certificate
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). With this certificate authority, you can obtain the digital certificate needed in order to enable HTTPS (SSL/TLS) for websites.
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
Install Certbot on your load balancer system
$ sudo snap install --classic certbot
Run Certbot with its Nginx plugin. This command will both (a) get a certificate, and (b) have Certbot edit your Nginx configuration file to serve it, thus turning on HTTPS access in a single step.
$ sudo certbot --nginx
# Enter your email address (only used for urgent renewal and security notices)
# Agree to terms of service
# When prompted to choose a site to activate HTTPS for, you SHOULD see your
# www.STUDENT-NAME.tigerenterprises.org site as the only option.
# The certbot tool has parsed your nginx configuration file automatically.
# If this is not correct, you have something configured incorrectly!
# Choose that site to activate for HTTPS: 1
# Certbot authenticates your site with an HTTP-01 challenge (see the output below):
# Let's Encrypt fetches a token from http://www.STUDENT-NAME.tigerenterprises.org/.well-known/acme-challenge/
# so port 80 must be reachable from the Internet and the Part 2 "A" record must already resolve.
You should expect to see output from the certbot tool that looks like this:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.STUDENT-NAME.tigerenterprises.org
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/load-balancer
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/load-balancer
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://www.STUDENT-NAME.tigerenterprises.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.STUDENT-NAME.tigerenterprises.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.STUDENT-NAME.tigerenterprises.org/privkey.pem
Your cert will expire on 2020-12-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Test if you can access the website via HTTPS in your web browser. Is the LOCK ICON present? (or however your web browser indicates secure web sites): https://www.STUDENT-NAME.tigerenterprises.org
After you are able to access your site via HTTPS, confirm that the certbot tool, and your certificate in general, is all configured correctly.
Test automatic certificate renewal - does this test succeed?
$ sudo certbot renew --dry-run
Verify that auto-renew is scheduled automatically - do you see certbot in the list of scheduled tasks? (With the snap install, the timer is named snap.certbot.renew.timer.)
$ systemctl list-timers
Run a check of your HTTPS configuration (certificate chain, protocol versions, cipher suites) with the Qualys SSL Labs server test at https://www.ssllabs.com/ssltest/. Does your server get an "A" security score?
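To see what the browser's lock icon is actually checking, and to verify the redirect and the renewal margin from a terminal rather than a browser, here is an added example (not the lab's or Certbot's own code). It uses only the Python standard library: ssl.create_default_context() performs the same chain and hostname verification a browser does, ssl.cert_time_to_seconds() parses the certificate's notAfter field, and a plain HTTP request on port 80 must come back as a redirect to https://. The sample certificate dictionary is constructed in the shape SSLSocket.getpeercert() returns; www.STUDENT-NAME.tigerenterprises.org is the lab's placeholder hostname.

```python
"""Check the lock icon's conditions from the command line (added example)."""
import http.client
import socket
import ssl
import time
from typing import Dict, List, Optional

RENEW_WINDOW_DAYS = 30  # certbot renews when fewer days than this remain

# Constructed sample in the shape SSLSocket.getpeercert() returns (trimmed).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.student.tigerenterprises.org"),),),
    "subjectAltName": (("DNS", "www.student.tigerenterprises.org"),),
    "notBefore": "Sep 12 09:10:11 2020 GMT",
    "notAfter": "Dec 11 09:10:11 2020 GMT",
}


def fetch_cert(host: str, port: int = 443) -> Dict:
    """Handshake with full verification: chain against the system trust store
    and hostname against the certificate. Raises ssl.SSLCertVerificationError
    in exactly the cases where a browser shows a warning instead of a lock."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_names(cert: Dict) -> List[str]:
    """DNS names from subjectAltName; browsers ignore the CN for matching."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covered(cert: Dict, host: str) -> bool:
    """True if the certificate is valid for `host` (exact or one-label wildcard)."""
    host = host.lower().rstrip(".")
    for name in san_names(cert):
        name = name.lower()
        if name.startswith("*."):
            # A wildcard covers exactly one label: *.example.org matches
            # www.example.org but not a.b.example.org or example.org.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert: Dict, now_epoch: Optional[float] = None) -> int:
    """Whole days left; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now_epoch is None else now_epoch
    return int((expires - now) // 86400)


def needs_renewal(cert: Dict, now_epoch: Optional[float] = None) -> bool:
    """What `certbot renew` decides: act when under RENEW_WINDOW_DAYS remain."""
    return days_until_expiry(cert, now_epoch) < RENEW_WINDOW_DAYS


def redirect_target(host: str) -> Optional[str]:
    """Location header if http://host/ answers with a redirect, else None."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        if resp.status in (301, 302, 307, 308):
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def redirect_is_https(location: Optional[str], host: str) -> bool:
    """The redirect must land on https:// for the same host, not just anywhere."""
    return location is not None and location.lower().startswith(f"https://{host.lower()}")


if __name__ == "__main__":
    host = "www.STUDENT-NAME.tigerenterprises.org"  # lab placeholder; use your name
    cert = fetch_cert(host)  # raises if the chain or name would fail in a browser
    print("SANs:", san_names(cert))
    print("covers host:", name_covered(cert, host))
    print(f"expires in {days_until_expiry(cert)} days;"
          f" certbot renew would act now: {needs_renewal(cert)}")
    loc = redirect_target(host)
    print("http:// redirects to https://:", redirect_is_https(loc, host), loc)
```

If fetch_cert() raises instead of returning, the browser would not show a lock either: a certificate verify failure means the chain in fullchain.pem is wrong or missing, and a hostname mismatch means the certificate was issued for a different name than the one in your A record.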
Deliverables:
- Screenshot of systemctl showing the active timers (scripts). Circle the line showing where certbot is scheduled to automatically run again and attempt to renew your certificate.
- Text content of your NGINX load-balancer configuration file, highlighting the lines that certbot has modified automatically from what you originally entered.
- Screenshot of the SSL Labs security report for your HTTPS website. Just the first screen showing the overall rating and your URL is sufficient. You don't need to put the entire multi-page report in your submission.
- Screenshot of your web browser loading the website again, but this time showing that, even if you TRY to load the HTTP version, you’re automatically redirected to the HTTPS (secure) version.
Lab Deliverables
After submitting the Canvas assignment, you should STOP your virtual machines, not terminate them. We'll use them again in future labs, and thus want to save the configuration and OS data.
Upload to the Lab 6 Canvas assignment all the lab deliverables to demonstrate your work:
- Part 1 - DNS Zone
- Screenshot of your Route53 public hosted zone in the AWS Console
- Part 2 - DNS “A” Record
- Screenshot of your type “A” record in the Route 53 web console showing the record name and the target IP address
- Screenshot of your website as accessed via the URL http://www.STUDENT-NAME.tigerenterprises.org
- Part 3 - Let’s Encrypt certificate
- Screenshot of systemctl showing the active timers (scripts). Circle the line showing where certbot is scheduled to automatically run again and attempt to renew your certificate.
- Text Content of your NGINX load-balancer configuration file, highlighting the lines that certbot has modified automatically from what you originally entered.
- Screenshot of the SSL Labs security report for your HTTPS website (just the first screen showing the overall rating and the URL is sufficient for credit)
- Screenshot of your web browser loading the website again, but this time showing that, even if you TRY to load the HTTP version, you’re automatically redirected to the HTTPS (secure) version.