How do I configure my nodejs app to respond to only SSL connections?

I have a nodejs/express app running on ec2 with nginx and mongodb. I am running on an 8-core ec2 instance, and I have 8 separate instances of my nodejs app running fronted by nginx. For now, I have only 1 server.

We are going to go live soon and want to make sure that our server responds to only SSL requests. I would like to know how and where I configure the SSL connection. I will list out the questions in an ordered list and would highly appreciate it if you can refer to the question number when you answer all or part of the question. This will be easy not only for me but also for anyone else who reads this thread.

Here they are:

  1. I will have to go to a CA like Verisign to get a cert, correct? My domain is registered through GoDaddy; can I get an SSL cert from them?

  2. Do I need to install the cert on the ec2 instance? If yes, what happens if I have to add another server for HA and I want to use Elastic Load Balancing? In that case, do I need to buy a separate cert for each ec2 instance? Can someone point me to some doc or tutorial on how to configure nginx for SSL?

  3. Once SSL is turned on, how do I ensure all non-SSL connections are automatically redirected to SSL endpoints? Can I do this easily through a config entry in nginx?

Any help or pointers in the right direction is much appreciated.

--su

1. I will have to go to a CA like Verisign to get a cert, correct? My domain is registered through GoDaddy; can I get an SSL cert from them?

Yes, you can buy an SSL certificate directly through GoDaddy.

2. Do I need to install the cert on the ec2 instance?

Yes, each server that you want to serve HTTPS content on will require the certificate to be installed. Be careful to purchase a certificate that can be installed on multiple servers - some certificates can only be installed on one. It appears that GoDaddy allows unlimited certificate installations, so this isn't an issue if you use them, but if you go with someone else it might be.

Another consideration is that if you want the ability to have subdomains use SSL (i.e. https://*.mydomain.com won't throw a browser warning), you're going to need to buy either a wildcard certificate (to allow unlimited subdomains) or a certificate that supports a specific number of subdomains that you want to use.

Also note that if you're going to need to support sticky sessions behind a load balancer on AWS, you're going to need to install the certificate on the Elastic Load Balancer (ELB) as well as all your servers.

I wouldn't worry about this until everything else works, since you have only one server right now, but be aware that the certificate must be X.509 (which it appears GoDaddy's are) to be installed on your ELB. Just make sure of this when purchasing so it isn't an issue in the future.

Can someone point me to some doc or tutorial on how to configure nginx for SSL?

SSL Certificate Installation in Nginx.

3. How do I ensure all non-SSL connections are automatically redirected to SSL endpoints?

See this answer here on ServerFault, it's pretty straightforward to configure:

# Plain-HTTP listener whose only job is to send every request, path and
# query string included, to the HTTPS endpoint with a permanent (301) redirect.
server {
    listen      80;
    server_name signup.mysite.com;
    rewrite     ^   https://$server_name$request_uri? permanent;
}

Best of luck.

You can terminate SSL connections at the ELB and then just pass back plain HTTP to the application servers. Then set up the security groups on your instances to disallow any direct connections from clients (forcing them to go through the ELB). This approach solves pretty much all your problems.
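One thing neither the nginx rewrite answer nor the ELB-termination answer spells out: once TLS terminates at the ELB (or at nginx) and the app receives plain HTTP, any redirect decision made inside the app must consult the X-Forwarded-Proto header the proxy sets, or every request looks insecure and redirects in a loop. The following is an added example, not code from the original answers, showing that check as Express-style middleware; the request objects are constructed, and it assumes the proxy overwrites any client-supplied X-Forwarded-Proto header.

```javascript
// Added example, not from the original answers: HTTPS enforcement inside the
// Node.js app when TLS is terminated in front of it (nginx or an AWS ELB) and
// the app receives plain HTTP. The app never sees a TLS socket, so it has to
// read the X-Forwarded-Proto header the proxy sets. Assumed: the proxy
// overwrites any client-supplied copy; otherwise pass trustProxy = false,
// because a client could forge the header.
// True when the request is already secure: either a direct TLS socket or,
// when we trust the proxy, a forwarded scheme of "https".
function isSecureRequest(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  // Chained proxies append values ("https, http"); the first is the client's.
  const proto = String(req.headers["x-forwarded-proto"] || "")
    .split(",")[0].trim().toLowerCase();
  return proto === "https";
}

// Absolute https:// URL for the same resource, or null if no Host header.
function redirectTarget(req) {
  const host = req.headers.host;
  if (!host) return null;
  return "https://" + host + req.url;
}

// Connect/Express-style middleware. Loop hazard: behind an ELB with
// trustProxy = false every request looks insecure and is redirected forever,
// because the ELB always forwards plain HTTP to the instance.
function enforceHttps(trustProxy) {
  return function (req, res, next) {
    if (isSecureRequest(req, trustProxy)) return next();
    const target = redirectTarget(req);
    if (target === null) {
      res.writeHead(400, { "Content-Type": "text/plain" });
      return res.end("Host header required");
    }
    // 301 for GET/HEAD; 307 keeps method and body for other methods.
    const status = req.method === "GET" || req.method === "HEAD" ? 301 : 307;
    res.writeHead(status, { Location: target });
    res.end();
  };
}

// Constructed requests: one as the ELB forwards it after terminating TLS,
// and one plain-HTTP request that must be redirected.
const viaElb = { method: "GET", url: "/signup?ref=1", socket: {},
  headers: { host: "signup.mysite.com", "x-forwarded-proto": "https" } };
const plain = { ...viaElb, headers: { host: "signup.mysite.com" } };
const logRes = { writeHead: (s, h) => console.log(s, h), end: () => {} };
enforceHttps(true)(viaElb, logRes, () => console.log("secure, passed through"));
enforceHttps(true)(plain, logRes, () => {}); // 301 { Location: 'https://signup.mysite.com/signup?ref=1' }
```

In Express the same idea is `app.set('trust proxy', true)` plus `req.secure`; the hand-rolled version above makes the header handling explicit.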