EC2 public DNS and address net::ERR_INSECURE_RESPONSE in browser - google-chrome

I am doing code-based load balancing, i.e. on the first request to the main server, it returns an address to which the browser will open a persistent connection using a (wss) WebSocket. But, due to compatibility with my mobile app, I'm returning the public DNS name of an AWS instance, e.g. ec2-35-154-101-63.ap-south-1.compute.amazonaws.com, which works fine in the mobile app. The browser, however, is refusing the connection because the address of the WebSocket is not matching the parent domain. Are there any options to fix this other than using a WebSocket address from the same domain?
Edit: I had no choice other than to return a subdomain address for the WebSocket connection.

You are connecting to a URL that does not match the name in the SSL certificate.
You have two choices: either map the domain name to the instance or (not recommended) issue a certificate that matches the URL that you are using (ec2-35-154-101-63.ap-south-1.compute.amazonaws.com).
The correct approach is to specify the A address (IP address) in your DNS server for the EC2 instance so that requests for your_domain_name resolve correctly and then USE that URL and not the EC2 instance DNS name. You cannot specify the AWS URL for https as the SSL certificate was not issued to that identity.
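The name check behind this error, as an added example that is not part of the original answer: the host in the wss URL is compared with the certificate's subject alternative names. The SAN list, the `ws1.example.com` subdomain and the `/socket` path are assumed sample values; the EC2 name is the one from the question.

```python
from urllib.parse import urlsplit

def san_matches(hostname: str, san: str) -> bool:
    """Compare one dNSName entry with a hostname, label by label."""
    host = hostname.rstrip(".").lower().split(".")
    pat = san.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Wildcard only as the whole leftmost label, never directly under a TLD.
        return len(pat) > 2 and host[1:] == pat[1:]
    # Partial wildcards such as "f*.example.com" are treated as no match.
    return "*" not in san and host == pat

def check_wss_target(url: str, cert_sans: list[str]) -> tuple[bool, str]:
    """Return (ok, reason) for a WebSocket URL against a certificate's SANs."""
    parts = urlsplit(url)
    if parts.scheme != "wss":
        return False, "not a wss:// URL"
    host = parts.hostname or ""
    for san in cert_sans:
        if san_matches(host, san):
            return True, f"{host} is covered by {san}"
    return False, f"{host} is not covered by {cert_sans}"

# Constructed sample values (assumptions, not from the page).
CERT_SANS = ["example.com", "*.example.com"]
SUBDOMAIN = "wss://ws1.example.com/socket"
# Host name taken from the question; the path is assumed.
EC2_NAME = "wss://ec2-35-154-101-63.ap-south-1.compute.amazonaws.com/socket"

if __name__ == "__main__":
    for url in (EC2_NAME, SUBDOMAIN):
        print(url, check_wss_target(url, CERT_SANS))
```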

Related

Hosting HTML page with mp4 video in IIS 8 not working with hostname

I have a simple html page with video element that plays a video file of mp4 extension. I hosted the page in IIS 8. The MIME Type is configured correctly by default. If I browse using the server name it works fine but when I use the hostname the video does not play. The domain is from Godaddy and it is pointing to our public IP and then we have a load balancer that directs the requests to the two nodes servers.
Any ideas what could be the problem?
If you are able to resolve and access the server by server name then you must be calling the server from the internal network and are likely resolving to the internal IP address.
When you are calling the domain name then this will likely be resolving the public IP address from the DNS server where the A record is being hosted - GoDaddy.
ping <server name>
ping <dns name>
In order to test, please update your hosts file with the DNS name resolving to the internal IP address.
%WinDir%\System32\Drivers\Etc
<internal IP address> fqdns.com
If you try to call an external IP address being provided by a DNS server (GoDaddy) it is probably located on your firewall. Your connection will likely be dropped by the firewall due to anti-spoofing rules.

How to set a name for Apache server?

I successfully created an Apache server but I don't want to connect to it by typing 192.168.0.102, I want a normal URL like www.google.com. How can I do that? I went to httpd.conf and found the ServerName line but setting it to something like www.mysite.com doesn't seem to work. I also tried to use my external IP (https://www.whatismyip.com) as server name but it doesn't connect. It only works if I try to connect to 192.168.0.102 or localhost. How do I solve this? Thanks
There are three basic things you need to know.
Virtual name hosting
HTTP allows multiple websites to be hosted on the same IP address and port. The client uses the Host request header to tell the server which site it wants to get data for.
ServerName is used as part of this.
… but the client needs to know how to send a request to the server first.
DNS
When a client makes a request to a server, it uses the IP address of the server in order to allow it to be passed over the network (or networks) to it. It is the address.
IP addresses are sequences of numbers, which aren't very friendly for humans to work with.
DNS translates friendly names (like www.example.com) into IP addresses.
The client has to look up the name to find the IP address. It normally does this through the main DNS system, and in order to get your name linked to your IP address you will need to find a domain name registrar and pay them.
It is also possible to set up DNS at a local level on a private network, and on a computer-by-computer level using a hosts file.
Routing
The IP address of the server has to be routable from the computer the client is running on.
192.168.0.102 is a private address, accessible only on the same LAN. To make it accessible to clients on the Internet you need to either:
Set up your router to use port forwarding and then use the Internet facing IP address of the router (which https://www.whatismyip.com tells you) or
Give your computer a public IP address and configure your router to route traffic to it (this generally isn't possible on consumer grade routers).
In short, you can't. 192.168.0.102 is not accessible from the Internet; it is an internal IP.
But you have some alternatives: if you would like to access your computer by a hostname, you can use dynamic DNS servers.
Or, if you want to test your code on a spectacular domain, you can add 192.168.0.102 with a domain to your hosts file; then only you can use this domain with your local computer.
But if you really want to serve some content to the Internet from your local computer, you have to find a DNS server service (like Cloudflare) to point your domain to your public Internet IP, not to 192.168.0.102.
You configure the virtual host and set the server name to the domain name you want. After that, Apache will check the requests and will use that virtual host if a request was made for that domain name. In order for that to work, that domain should point to your IP address where the server is running.
If you want to test if the configuration works, edit your /etc/hosts file and add that domain name to 127.0.0.1. After that you will be able to access that virtual host if you try to access that domain name from your browser.
More info here: https://httpd.apache.org/docs/current/vhosts/name-based.html

Why is connection failing when port-forwarding with dynamic dns in same network

I have a MySQL database running on my Raspberry Pi.
To access it I use dynamic DNS (duckdns) when I am outside of my network, but I would like to access it with the same dynamic domain name when I am inside my network. However, it is not working and I always get connection refused.
I would like to somehow enable it so I do not have to change the MySQL server address in app.config from my dynamic domain to localhost when I am inside my local network.
You'll need a gateway router that supports NAT hairpinning. Many consumer-grade units (and some supposedly commercial-grade equipment) don't support this. Either yours doesn't, or you need to find an option to enable it.
When you try to connect to the public IP address from inside the network, the router probably assumes that you want to connect to the router itself.
My cable modem's built-in router at home understands how to do this. When I access my server from the laptop, and connect to the public IP from inside, the router (inside the cable modem) does a transformation on the packets so that my server sees my connection coming from the router's IP address, not my laptop's IP address.
This is what has to happen, because when the server responds, it will respond to the machine that connected to it. If it responded to the laptop's address, the laptop would reject the traffic, since it would be coming from the server's internal IP, which is not the IP address I connected to. So, it responds to the router, which does a second transform on the packet address, replacing the server's internal IP with the external IP. Remembering the session from previous traffic, the router then sends the packet back to the laptop.
Ultimately this setup can't possibly work for you without the complicity of your router, which may not have that capability.
Some routers, however, have a DNS proxy that will allow you to create static entries. My former DSL modem could not hairpin NAT connections, but it had a way to create DNS entries that would be used to respond to internal DNS queries for a specific host... with a different IP than the one that DNS otherwise provided. That's an alternative workaround if the router supports it.

SSH into GCE VM via web browser with restricted IP addresses

I've set up my VM to use a network only allowing a whitelist of IP addresses on the SSH protocol on port 22.
If I try to SSH into my instance via the web browser within the developer console the connection is correctly refused, as it isn't originating from one of my permitted IP addresses.
I'm curious if there is a way to have my whitelist of IP addresses and still SSH into the VM via the browser. I know I can still connect using gcutil, and it would obviously work if I had the IP address.
Looking at the documentation, it isn't listed as a known issue.
When connecting from the Developer Console SSH tool, the instance receives the connection from a Google IP range; I made a test and it was from the 74.125.0.0/16 range. You could try to temporarily whitelist this range and see if you can access.
Regards
Paolo

Preventing HTTP access to the servers of Amazon's Elastic Beanstalk

We have a system running on Amazon's Beanstalk.
We would like to limit access to the server to HTTPS only.
When blocking HTTP on the environment settings - it prevents accessing through the beanstalk DNS.
However, if someone knows the public IP (or name) of any of the servers - he can access them directly through HTTP. It seems that the LB forwards the requests to port 80, so we cannot change the security group and remove port 80.
Is there a simple way to limit HTTP access to be only from the LB?
Thanks
You should be able to do this through EC2 Security Groups, which is an Elastic Beanstalk environment property.
By default this allows connections to port 80 from any IP address, but you could remove that rule or replace it with your own IP address (for testing purposes).
Failing that, you could reroute all HTTP traffic to HTTPS at the application level or simply test the CGI property *server_port_secure* and refuse to answer.
Yes, you need http/80 to be open for the health check to work. The option for you is to redirect all the other requests (except the health check URL) to use https. This way, though the port is open, you "don't serve any data in an insecure way".
You have at least two options:
1 - set the Security Group Policy that allows access on port 80 from the Load Balancer only. IMPORTANT!!! Do not use the Load balancer IP in the instances' security group. Use the Load balancer security group ID instead.
2 - remove the public IPs from the instances. You should be good if all your EC2 instances have private IPs and the ELB has a public IP.
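A check for option 1, added here as an example and not taken from the answers above: it walks a security group in the shape returned by `aws ec2 describe-security-groups` and reports any port 80 ingress that is not sourced from the load balancer's security group. The group IDs and CIDRs are constructed sample data.

```python
def covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit_http_ingress(group: dict, lb_sg_id: str, port: int = 80) -> list[str]:
    """List every source that can reach `port` other than the LB security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        # Any CIDR source is flagged, including a /32 pinned to the LB address:
        # load balancer addresses change, the security group ID does not.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{group['GroupId']}: port {port} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != lb_sg_id:
                findings.append(
                    f"{group['GroupId']}: port {port} open to group {pair.get('GroupId')}")
    return findings

def http_rule(ranges=(), groups=()):
    """Build one constructed port-80 ingress rule for the samples below."""
    return {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
            "IpRanges": [{"CidrIp": c} for c in ranges],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed sample data (IDs and addresses are placeholders).
LB_SG = "sg-0aaaaaaaaaaaaaaaa"
OPEN_TO_WORLD = {"GroupId": "sg-0bbbbbbbbbbbbbbbb",
                 "IpPermissions": [http_rule(ranges=["0.0.0.0/0"])]}
PINNED_TO_LB_IP = {"GroupId": "sg-0cccccccccccccccc",
                   "IpPermissions": [http_rule(ranges=["203.0.113.10/32"])]}
LB_GROUP_ONLY = {"GroupId": "sg-0dddddddddddddddd",
                 "IpPermissions": [http_rule(groups=[LB_SG])]}

if __name__ == "__main__":
    for sg in (OPEN_TO_WORLD, PINNED_TO_LB_IP, LB_GROUP_ONLY):
        print(sg["GroupId"], audit_http_ingress(sg, LB_SG) or "ok")
```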