Apply HTTPS on AWS

So, I recently found out that the Google API used on the website hosted on AWS kept resetting. Turns out, it was running in test mode. After checking the Google Cloud Platform, yup, it was indeed in test mode. To switch to production mode, the site needed HTTPS support. And that’s how I ended up on this journey of upgrading from HTTP to secure HTTPS. 🚀

Like before, I won’t dive deep into the technical jungle. Instead, I’ll just sketch out the skeleton of what needs to be done and why. Once you get the structure, you can search the keywords from this article to successfully complete your task without much hassle. 💪


HTTPS is HTTP carried over TLS, which encrypts and authenticates the data exchanged between your browser and the server. Plain HTTP was long considered fine for non-sensitive pages, but anything sent in the clear can be read or altered on the way, so browsers like Google Chrome now label HTTP sites ‘Not Secure’ in the address bar. (Kinda annoying, right?) HTTPS relies on public key cryptography: the server holds a key pair, keeps the private key to itself, and presents the public key to every client. To make that public key trustworthy, the server has it certified by a Certificate Authority (CA) together with its domain name (and, for some certificate types, its organizational info). The result is the certificate. It is signed, not encrypted: the CA signs it with the CA’s private key, and your browser verifies that signature with the CA’s public key, which ships with the browser or operating system as a trusted root. Anyone can read a certificate; the signature is what proves the CA vouched for it. (If you’re curious about the detailed process, just search for ‘TLS handshake’.) 🔒

Once the certificate is ready, configure the server to support HTTPS: store the certificate and its private key where the web server can read them (and nobody else can), and point the server configuration at them. You also need to redirect HTTP to HTTPS, and to fix every reference to your own assets and to third-party resources so that none of them is fetched over plain http://. Otherwise the browser blocks or strips those ‘mixed content’ requests, which is why images or scripts go missing when the page is opened over HTTPS. Relative paths (/images/logo.png) are the cleanest fix. Protocol-relative URLs (e.g., //192.168.1.56:8081/something.js) also work, but an explicit https:// is the better habit: a protocol-relative reference still loads over HTTP whenever the page itself is viewed over HTTP, which is exactly the case the redirect is meant to eliminate.
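A quick way to find the references that will break or downgrade once the page is served over HTTPS, as an added example that is not part of the original post. It greps a page for absolute http:// subresources and, separately, for protocol-relative // references; the HTML it scans is a constructed sample with the same kind of reference the post mentions, not a real site.

```shell
#!/bin/sh
# Added example (not from the original post): find references in a page that will break
# or downgrade once the page itself is served over HTTPS. Absolute http:// subresources
# (scripts, styles, images, form targets) are "mixed content" that browsers block or
# strip; http:// links are not blocked but send the visitor back to plain HTTP.
# Protocol-relative // references load fine over HTTPS but are listed separately so they
# can be rewritten to explicit https://.

# Print "line:attribute=url" for every absolute http:// reference in the file $1.
find_http_references() {
  grep -nEo '(src|href|action)="http://[^"]*"' "$1"
}

# Print every protocol-relative reference (//host/path) in the file $1.
find_protocol_relative() {
  grep -nEo '(src|href|action)="//[^"]*"' "$1"
}

# Constructed sample page (not a real site) with one of each kind of problem.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<script src="//192.168.1.56:8081/something.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://img.example.com/hero.jpg">
<a href="http://example.com/about">About</a>
<form action="http://example.com/login" method="post"></form>
</body></html>
EOF

# Counts for the sample; zero http:// references is the goal before turning the redirect on.
http_reference_count()    { find_http_references "$SAMPLE" | wc -l | tr -d ' '; }
protocol_relative_count() { find_protocol_relative "$SAMPLE" | wc -l | tr -d ' '; }

echo "absolute http:// references:";   find_http_references "$SAMPLE"
echo "protocol-relative references:";  find_protocol_relative "$SAMPLE"
```

Run it against a saved copy of each page (or the template files) before switching the redirect on; the https:// stylesheet and the relative image path are not reported, the four http:// references and the one //host reference are.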


That’s the general gist of it. For my website, which is hosted on AWS, I decided to leverage Amazon’s services. It’s quite convenient, and during the free tier period it costs nothing extra. Outside the free tier, an Application Load Balancer is billed by the hour plus a usage-based charge on top of the traffic it carries, so it is not free; this approach shines if you already run a load balancer in front of your instances anyway.

Certificate Setup

Get your SSL/TLS certificate for free from AWS Certificate Manager (ACM). It’s cheaper and more convenient than buying a certificate from a commercial CA and renewing it by hand every year, because ACM issues the certificate and renews it for you. Request the certificate in the same region as the load balancer that will use it. During the request, add both name.com and *.name.com as domain names so the apex and every subdomain are covered, then pick a validation method. This post used email validation: once you approve the request from the validation email, the certificate is issued. DNS validation is the better choice for a certificate that should renew unattended: you publish one CNAME in your zone, ACM renews for as long as it stays there, and nobody has to respond to renewal emails. 🌐

Load Balancer Setup for Certificate Installation

Install the certificate on Elastic Load Balancing (ELB), AWS’s traffic distribution service, so that TLS terminates at the load balancer rather than on each instance. Create a load balancer by selecting Application Load Balancer, naming it in Basic configuration, and choosing Scheme = Internet-facing, IP address type = IPv4.
In Network mapping, select the VPC (virtual private cloud) for your web service, choose two or more Availability Zones (AZs), which an ALB requires, and specify a subnet in each.
For Security groups, don’t stick with the default. The load balancer’s group must allow inbound 80 and 443 from the internet, and the instance’s group must allow inbound 80 from the load balancer. The simplest way is to reuse the group shown in the EC2 dashboard’s instance Security tab, as this post did. (If these don’t line up, connections won’t work.) Tighter: once the load balancer is in front, restrict the port 80 rule on the instance’s group to the load balancer’s security group, so nobody can bypass TLS by hitting the instance’s public IP directly.
In Listeners and routing, specify both HTTP and HTTPS, create a suitable target group, and connect it. Adding the HTTPS listener makes Secure listener settings appear, where you select the certificate issued by Certificate Manager and a security policy (pick a current TLS 1.2/1.3 policy). The HTTP listener should redirect to HTTPS, not forward to the target group. (To create the target group, choose Instances in Basic configuration, name it, use HTTP for the protocol and 80 for the port, leave the rest default, proceed, select your instances under Available instances, and click Include as pending below to add them to Review targets. The hop from the load balancer to the instance is plain HTTP inside the VPC.) 🔄

Point the A Record at the Load Balancer

Once the load balancer with the certificate is ready, make sure external traffic is directed to it. Previously, I used a name server from the domain provider. A load balancer has no fixed IP address, so the A record can’t simply hold an address; instead use an alias record in Amazon’s DNS web service, Amazon Route 53, which resolves to whatever addresses the load balancer currently has. Note there’s a $0.50/month fee per hosted zone. Create a hosted zone for the domain in Route 53 and recreate every existing record there first (MX and TXT records included, or mail and domain verification break at the switch), then change the name servers at your domain registrar (I used Hosting KR) to the four Route 53 name servers listed for the zone. For the A record, choose Alias as the routing type and pick your prepared load balancer.
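The three console procedures above (certificate request, load balancer with its listeners, Route 53 alias) as AWS CLI calls, added here as an example and not taken from the original post or the author’s account. Every identifier in it (domain, region, VPC, subnets, security group, instance, hosted zone, and the names web-tg and web-alb) is a placeholder assumption to replace with your own. It differs from the post in two deliberate ways: it uses DNS validation for the certificate, and it gives the port-80 listener a redirect as its default action instead of a forward. By default it only prints the commands; run it with DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the original post): the console steps for the certificate,
# the load balancer and the DNS alias as AWS CLI calls. Every ID below is a placeholder
# to replace with your own. By default (DRY_RUN=1) the commands are only printed;
# run with DRY_RUN=0 to execute them against your account.
set -u
DRY_RUN="${DRY_RUN:-1}"

DOMAIN="name.com"                                   # apex; cert also covers *.name.com
REGION="ap-northeast-2"                             # ALB and its ACM cert must share a region
VPC_ID="vpc-0123456789abcdef0"
SUBNETS="subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb"  # two AZs, as an ALB requires
ALB_SG="sg-0aaaaaaaaaaaaaaaa"                       # inbound 80 and 443 from 0.0.0.0/0
INSTANCE_ID="i-0123456789abcdef0"                   # its own SG should allow 80 from $ALB_SG
HOSTED_ZONE_ID="Z0123456789ABCDEFGHIJ"              # Route 53 hosted zone for $DOMAIN

# Execute a command, or in dry-run mode print it to stderr and emit a stand-in value
# so that the later steps, which capture ARNs from stdout, can still be composed.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*" >&2
    printf 'dry-run-placeholder\n'
  else
    "$@"
  fi
}

# 1. Certificate for name.com and *.name.com. DNS validation (instead of the post's
#    email validation) lets ACM renew unattended once the validation CNAME is in the zone.
request_certificate() {
  run aws acm request-certificate --region "$REGION" \
    --domain-name "$DOMAIN" --subject-alternative-names "*.$DOMAIN" \
    --validation-method DNS --query CertificateArn --output text
}

# 2. Target group: the instance on HTTP/80. TLS ends at the ALB; this hop is plain HTTP.
create_target_group() {
  run aws elbv2 create-target-group --region "$REGION" --name web-tg \
    --protocol HTTP --port 80 --vpc-id "$VPC_ID" --target-type instance \
    --query 'TargetGroups[0].TargetGroupArn' --output text
}
register_instance() {   # $1 = target group ARN
  run aws elbv2 register-targets --region "$REGION" \
    --target-group-arn "$1" --targets "Id=$INSTANCE_ID"
}

# 3. Internet-facing IPv4 ALB in two subnets with the security group above.
create_alb() {
  # shellcheck disable=SC2086   # SUBNETS is deliberately word-split
  run aws elbv2 create-load-balancer --region "$REGION" --name web-alb \
    --scheme internet-facing --type application --ip-address-type ipv4 \
    --subnets $SUBNETS --security-groups "$ALB_SG" \
    --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

# Default action for the port-80 listener: a permanent redirect to HTTPS, not a forward.
redirect_action() {
  printf '[{"Type":"redirect","RedirectConfig":{"Protocol":"HTTPS","Port":"443","StatusCode":"HTTP_301"}}]'
}

# 4. HTTPS listener carrying the ACM certificate, plus an HTTP listener that only redirects.
create_listeners() {    # $1 = ALB ARN, $2 = target group ARN, $3 = certificate ARN
  run aws elbv2 create-listener --region "$REGION" --load-balancer-arn "$1" \
    --protocol HTTPS --port 443 --certificates "CertificateArn=$3" \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "Type=forward,TargetGroupArn=$2" >/dev/null
  run aws elbv2 create-listener --region "$REGION" --load-balancer-arn "$1" \
    --protocol HTTP --port 80 --default-actions "$(redirect_action)" >/dev/null
}

# 5. Route 53 alias A record at the apex. An alias needs the ALB's DNS name and its
#    canonical hosted zone ID (not the zone of your domain); a plain A record with an
#    IP cannot be used because the load balancer's addresses change.
alias_change_batch() {  # $1 = ALB DNS name, $2 = ALB canonical hosted zone ID
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.","Type":"A","AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":false}}}]}' \
    "$DOMAIN" "$2" "$1"
}
point_dns_at_alb() {    # $1 = ALB ARN
  dns_name=$(run aws elbv2 describe-load-balancers --region "$REGION" \
    --load-balancer-arns "$1" --query 'LoadBalancers[0].DNSName' --output text)
  zone_id=$(run aws elbv2 describe-load-balancers --region "$REGION" \
    --load-balancer-arns "$1" --query 'LoadBalancers[0].CanonicalHostedZoneId' --output text)
  run aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(alias_change_batch "$dns_name" "$zone_id")" >/dev/null
}

main() {
  cert_arn=$(request_certificate)
  # Before the listener can use it, publish the validation CNAME ACM shows for the
  # request in the hosted zone and wait until the certificate reads ISSUED, e.g.:
  #   aws acm wait certificate-validated --region "$REGION" --certificate-arn "$cert_arn"
  tg_arn=$(create_target_group)
  register_instance "$tg_arn" >/dev/null
  alb_arn=$(create_alb)
  create_listeners "$alb_arn" "$tg_arn" "$cert_arn"
  point_dns_at_alb "$alb_arn"
}
main
```

The order matters in a real run: the hosted zone must exist (and the validation CNAME be published) before the HTTPS listener can reference an issued certificate, and the instance’s security group should accept port 80 from the load balancer’s group before the target group health check will pass.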

And that’s it! The little padlock icon now shows in Chrome’s address bar. 🔐 Before calling it done, check that plain http://name.com answers with a redirect to https:// (that is, the port-80 listener redirects rather than forwards), that the page loads with no mixed-content warnings in the browser console, and, if you tightened the instance’s security group, that its port 80 is no longer reachable from the internet except through the load balancer.


