Skip to main content

routing - Amazon AWS: SSL in our testing environment



My company has a running business web service on AWS which uses a wildcard SSL certificate (works for *.example.com). Multiple partners have subdomains and need SSL (https://partner1.example.com, https://partner2.example.com, etc.) and we serve either HTML or JSON responses to them.



Our production site has a web-facing ELB that has our SSL certificate installed. THe ELB balances and terminates SSL to a cluster of production server instances within our VPC. Our web app knows how to serve the correct partner HTML/JSON based on the sub-domain name.




I want to replicate this for our test environments (e.g. QA, Staging, Demo) as simply as possible. But test and production environments can't be the same server instances; I need to know that I won't kill production if I mess up on our test environment.



Ideally, the same ELB that handles production traffic could somehow route traffic to my test servers, perhaps if they used a known IP address or DNS subdomain? Am I correct that this isn't possible?



I suppose I could set up an ELB with the SSL cert for each test environment, each "balancing" to one server, but this seems overly complicated, and I would guess expensive too.



All instances, production and test, run within our VPC. But currently only the production cluster has SSL set up on the ELB (which terminates SSL) and passes along straight HTTP requests to the instances themselves.



The test servers accept HTTP. I have public elastic IPs and DNS names set up (staging.example.com, qa.example.com, demo.example.com) ... but they are not protected by SSL.




There's almost no critical or customer data on test server instances, and they are secured and patched properly as any web-facing server should be (I hope!!). Still, I would like SSL not only for additional security, but also to have my test environment match my production environment as closely as possible.



In all but the case of our staging server, the other environments are supported by a single instance (e.g. demo and qa both on the same server) with Apache named virtual host configurations. So, for test, lots of sites, but only a few servers.



Is there a way that I can still have my wildcard SSL certificate installed only on my load balancer (or perhaps one more), or some other configuration that allows me to detect and route the HTTP request to the right test server, based on IP or domain name (or even an HTTP header)?



I know this is a complicated question. I understand AWS, security, and networking pretty well, but I am still trying to figure out routing and even internal DNS within the VPC environment, so may be ignorant of my options.


Answer



Honestly? I'd say you're overthinking this. Just use multiple ELBs and put the *.example.com certs on all of them. This isn't really cost prohibitive. In your entire stack, the ELB is probably going to be one of the cheapest components. This also allows you to spin up stacks from the same CloudFormation template or provisioning system. You can use the cert on as many ELBs as you'd like.




We faced a problem very similar to yours and decided to do exactly what I describe above. We ended up saving money because the ELB just isn't a significant predictor of our monthly cost, and it'd have taken far more time in salary to hack up a solution, even if one was possible. With ELBs you only pay for what you use traffic-wise, so QA and demo environments just aren't going to be anywhere near the cost of production load. In the example described in that link, 100GB of traffic in a month is $18. That's like three Starbucks coffees.



One added benefit: It's also way easier to debug. No need to worry about weird trafficking rules or the like.


Comments

Post a Comment

Popular posts from this blog

iLO 3 Firmware Update (HP Proliant DL380 G7)

The iLO web interface allows me to upload a .bin file ( Obtain the firmware image (.bin) file from the Online ROM Flash Component for HP Integrated Lights-Out. ) The iLO web interface redirects me to a page in the HP support website ( http://www.hp.com/go/iLO ) where I am supposed to find this .bin firmware, but no luck for me. The support website is a mess and very slow, badly categorized and generally unusable. Where can I find this .bin file? The only related link I am able to find asks me about my server operating system (what does this have to do with the iLO?!) and lets me download an .iso with no .bin file And also a related question: what is the latest iLO 3 version? (for Proliant DL380 G7, not sure if the iLO is tied to the server model)
Post a Comment
Read more

linux - Awstats - outputting stats for merged Access_logs only producing stats for one server's log

I've been attempting this for two weeks and I've accessed countless number of sites on this issue and it seems there is something I'm not getting here and I'm at a lost. I manged to figure out how to merge logs from two servers together. (Taking care to only merge the matching domains together) The logs from the first server span from 15 Dec 2012 to 8 April 2014 The logs from the second server span from 2 Mar 2014 to 9 April 2014 I was able to successfully merge them using the logresolvemerge.pl script simply enermerating each log and > out_putting_it_to_file Looking at the two logs from each server the format seems exactly the same. The problem I'm having is producing the stats page for the logs. The command I've boiled it down to is /usr/share/awstats/tools/awstats_buildstaticpages.pl -configdir=/home/User/Documents/conf/ -config=example.com awstatsprog=/usr/share/awstats/wwwroot/cgi-bin/awstats.pl dir=/home/User/Documents/parced -month=all -year=all...
Post a Comment
Read more

linux - How can I get my mediawiki to stop thinking I have cookies disabled?

I've searched half a day for how to resolve this issue, and can't figure it out. Shortly after I made my wiki a simple private wiki according to the instructions at Mediawiki's website, it started giving me this weird login error message: Wiki uses cookies to log in users. You have cookies disabled. Please enable them and try again. If I remove those private wiki settings, the error disappears, even if I try logging in. But I need it to be a private wiki for only my team. So what do I do? Here's what I've done so far. Just to be safe, after ever change, I try rebooting Apache using: sudo /etc/init.d/apache2 restart In my php.ini file, I have the following set: session.save_path = "/var/lib/php5" session.cookie_secure = secure session.cookie_path = /tmp session.cookie_domain = my server's internal URL (should I even set this? this field was blank before, but not commented out) session.referer_check = Off I ran the following to ensure that the fold...
Post a Comment
Read more