Although the Django site can now be accessed publicly with a custom domain name, one may notice a "Not Secure" warning as shown below. This issue stems from the Hypertext Transfer Protocol (HTTP) used between the browser and the application to exchange information, also known as client-server communication.
In HTTP, messages are transferred in plaintext, so anyone able to observe the network traffic can read the data, which poses a serious security risk, especially if users need to submit sensitive data such as credit card details. By contrast, Hypertext Transfer Protocol Secure (HTTPS) layers HTTP requests and responses over SSL/TLS. An HTTPS website presents an SSL/TLS certificate containing the cryptographic material (its identity and public key) used to establish an encrypted session, so the data exchanged are encrypted.
AWS Certificate Manager (ACM) helps provision, manage and deploy public and private SSL/TLS certificates. ACM supports a wide range of AWS services including Elastic Beanstalk. ACM also simplifies security management by automating the renewal of expiring certificates.
Requesting an SSL/TLS certificate
- In the ACM console, click Request.
- Enter the fully qualified domain name, keep the other values at their defaults, and click Request.
  Note: If you intend to use one single certificate for the entire domain, you may enter the root domain (e.g. elasticbeanstalkapp.com) and all subdomains (e.g. *.elasticbeanstalkapp.com) as the fully qualified domain names.
- Note down the certificate ARN and click Create records in Route 53.
- Refresh the page after a minute or two; the certificate status should change to "Issued".
Configuring a secure listener
- Create a configuration file named alb-secure-listener.config in the .ebextensions directory with the following contents, and set the value of SSLCertificateArns to the ARN noted in the previous step.

```yaml
option_settings:
  aws:elbv2:listener:443:
    ListenerEnabled: 'true'
    Protocol: HTTPS
    SSLCertificateArns: arn:aws:acm:us-east-1:123456789012:certificate/add3a42c-fe19-42ec-9fa5-8bd00b9082e0
```

- Re-deploy the Django site.

```
eb deploy
```

After the environment update completes, navigating to the Route 53 domain name with HTTPS (e.g. https://www.elasticbeanstalkapp.com) gets the Django site with a secure connection.
Note: The above configuration terminates secure connections at the load balancer and uses plain HTTP between the load balancer and the backend, so the application itself still receives HTTP requests. If you are required to secure all network connections, follow Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment to update the configuration of the load balancer.
Providing a secure connection does not guarantee that all users will reach the Django site through HTTPS, so the site can still be accessed over plain HTTP and the risk described above remains for those requests. An effective solution is to set up a redirection rule, ensuring the site is only served over HTTPS.
Redirecting HTTP traffic to HTTPS traffic
- Create a configuration file named alb-http-to-https-redirection.config in the .ebextensions directory with the following contents.

```yaml
Resources:
  AWSEBV2LoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn:
        Ref: AWSEBV2LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Host: "#{host}"
            Path: "/#{path}"
            Port: "443"
            Protocol: "HTTPS"
            Query: "#{query}"
            StatusCode: "HTTP_301"
```

- Re-deploy the Django site.

```
eb deploy
```

After the environment update completes, navigating to the Route 53 domain name with HTTP (e.g. http://www.elasticbeanstalkapp.com) results in a redirection to HTTPS (e.g. https://www.elasticbeanstalkapp.com).
It is worth noting that the Django site is still accessible by navigating to the Elastic Beanstalk domain name (e.g. https://djangoproj-dev.eba-ttkddb9r.us-east-1.elasticbeanstalk.com), because the redirect rule only changes the scheme and keeps whatever host the client requested. Depending on your requirements, you may want to deny such public access by removing the corresponding domain name from the ALLOWED_HOSTS list in settings.py in the ebdjango directory, or to allow only conditional access by setting up additional listener rules in the load balancer.
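To reason about the redirect rule and the ALLOWED_HOSTS check together without deploying, here is an added Python example (not code from the original post) that emulates the RedirectConfig from alb-http-to-https-redirection.config and Django's ALLOWED_HOSTS matching rules. The placeholder semantics follow the ALB documentation (#{path} carries no leading slash, #{query} no leading "?"); omitting the scheme's default port from the emulated Location header is a simplification of this example, and hostnames are assumed to be given without a port.

```python
"""Emulate the ALB redirect action and Django's ALLOWED_HOSTS matching.
Added example, not part of the original post or the Elastic Beanstalk project."""
from urllib.parse import urlsplit

# Constructed copy of the RedirectConfig from alb-http-to-https-redirection.config.
REDIRECT_CONFIG = {
    "Host": "#{host}", "Path": "/#{path}", "Port": "443",
    "Protocol": "HTTPS", "Query": "#{query}", "StatusCode": "HTTP_301",
}

def alb_redirect(request_url: str, cfg: dict = REDIRECT_CONFIG) -> tuple[int, str]:
    """Return the (status code, Location) the port-80 listener would answer with."""
    u = urlsplit(request_url)
    placeholders = {
        "#{protocol}": u.scheme.upper(),
        "#{host}": u.hostname or "",
        "#{port}": str(u.port or (443 if u.scheme == "https" else 80)),
        "#{path}": u.path.lstrip("/"),  # ALB substitutes the path without its leading "/"
        "#{query}": u.query,            # and the query string without the "?"
    }

    def fill(template: str) -> str:
        for key, value in placeholders.items():
            template = template.replace(key, value)
        return template

    proto = fill(cfg["Protocol"]).lower()
    host, port = fill(cfg["Host"]), fill(cfg["Port"])
    path, query = fill(cfg["Path"]), fill(cfg["Query"])
    # Simplification of this emulator: drop the port when it is the scheme default.
    netloc = host if port == {"https": "443", "http": "80"}[proto] else f"{host}:{port}"
    location = f"{proto}://{netloc}{path}" + (f"?{query}" if query else "")
    return int(cfg["StatusCode"].split("_")[1]), location

def host_allowed(host: str, allowed_hosts: list[str]) -> bool:
    """Mirror Django's ALLOWED_HOSTS rules: "*" matches everything, a leading "."
    matches the domain and all its subdomains, anything else must match exactly
    (case-insensitive, trailing dot ignored). Host is assumed to carry no port."""
    host = host.lower().rstrip(".")
    for pattern in allowed_hosts:
        p = pattern.lower()
        if p == "*" or p == host:
            return True
        if p.startswith(".") and (host == p[1:] or host.endswith(p)):
            return True
    return False
```

The redirect keeps the requested host, so an HTTP request to the Elastic Beanstalk domain is redirected to HTTPS on that same domain; only the ALLOWED_HOSTS check (or a listener rule) turns that request away.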