Self-signed SSL Certificate for EC2 Load Balancer

A good tutorial for getting SSL going on an Amazon Web Services Elastic Load Balancer. Generating a self-signed certificate saves the time and money of purchasing a certificate from a certificate authority with your CSR. Ideally, though, in a production environment you will want a valid certificate from a well-known authority:


Originally posted here: http://almostalldigital.wordpress.com/2013/03/07/self-signed-ssl-certificate-for-ec2-load-balancer/ 


1: Generate private key

openssl genrsa -des3 -out my_domain.key 1024
[Enter and confirm pass phrase]

2: Generate CSR

openssl req -nodes -newkey rsa:2048 -keyout my_domain.key -out my_domain.csr

3: Remove pass phrase from key

Make sure the key is readable only by root!

cp my_domain.key my_domain.key.org
openssl rsa -in my_domain.key.org -out my_domain.key

4: Generate certificate

openssl x509 -req -days 365 -in my_domain.csr -signkey my_domain.key -out my_domain.crt

5: Get Elastic IP for Load Balancer

…And the rest is kind of based on http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/

6: Create Load Balancer

  • Go to AWS Control Panel -> EC2 Management Console -> Load Balancers
  • Create Instance
  • Set it to HTTPS (left-hand dropdown)
  • Leave it talking to EC2 instances on Port 80
  • Continue…
  • Choose Upload SSL Certificate
  • Display key text in terminal window:

openssl rsa -in my_domain.key -text

  • Copy that (on a Mac, copy from the terminal), including the “BEGIN…END” lines, and paste it into the text field in the AWS console
  • Do the same with the certificate:

openssl x509 -inform PEM -in my_domain.crt

  • Several layers of saving…

7: Tidy up

  • Assign EC2 instances to ELB
  • Remove any elastic IPs from instances (so users can’t hit them directly)
  • Look at this AWS page – it’ll tell you how to set up a CNAME record in your DNS settings to alias your subdomain to the ELB.
    • ELB doesn’t work with Elastic IPs – that’s because Amazon dynamically distributes the service over any number of machines.
    • So you set up a CNAME alias from sub.domain.com to my-loadbalancername-123456789.eu-west-1.elb.amazonaws.com
Posted in Amazon Web Services, Servers

ArrayCalc

Two apps on the iTunes App Store within 24 hours…

ArrayCalc is now live.

Array Calculator that works offline and calculates the following:

  • Sum
  • Mean
  • Median
  • Max
  • Min
  • Standard Deviation
  • Variance
  • Z inverse normal distribution value

Posted in Ideas

CheckIn!

Today, CheckIn! launched on the iTunes App Store.

Businesses have a need for better tracking and security. CheckIn! provides a digital footprint for all non-employees entering the building. It is an iPad-only application that integrates with the CheckIn! service.

Badge Printing Integration with Dymo Label Printers

**CheckIn Account Required.

To get an account, contact me directly and become part of the beta before the official go-live.

Posted in Ideas

MySQLi and Heroku – Round 2


Well, after a comment from a reader on a previous post regarding Heroku and MySQLi, I set out to figure it out. After doing some digging, the Cedar stack that Heroku is currently on is really great. You can run virtually any environment, from Node to Emacs and beyond. It turns out it all revolves around buildpacks, the secret behind Cedar.

The secret behind getting MySQLi on Heroku is actually fairly straightforward.

  1. Start with the canned php buildpack on cedar
  2. Remove unwanted things like mcrypt
  3. Build and Compile binaries with dependencies and libraries
  4. Host the files on S3
  5. Create the buildpack
  6. Finished Product: https://github.com/travstoll/heroku-buildpack-php

1. I cloned the default PHP buildpack from GitHub: https://github.com/heroku/heroku-buildpack-php

2. Edit the binary build script to remove things like mcrypt, which I didn’t need for this project. The bash commands I ran can be found in the readme.md file of the repo: https://github.com/travstoll/heroku-buildpack-php

3. When you create a Heroku app

heroku create

there is the option of getting into a one-off dyno and playing around a bit. This tends to be very useful when creating a buildpack. Using

heroku run bash

you can access the dyno and run the bash commands to fetch and compile Apache and PHP. Alternatively, this can be done on your local machine or on another server. It’s just as easy to use the Heroku shell, though.

**After this is done, you will have Apache and PHP tarballed and ready in the /app directory of the server. Simply scp them somewhere for the next step (scp /app/apache username@server.com:/path/to/store)

4. Now you need a place to host your compiled binaries that Heroku can access. I would recommend S3, since Heroku is already hosted on Amazon. This makes it easy, cheap, and of course highly available.

5. The next step is creating the actual buildpack.

A buildpack consists of three scripts:

  • bin/detect: Determines whether to apply this buildpack to an app.
  • bin/compile: Used to perform the transformation steps on the app.
  • bin/release: Provides metadata back to the runtime.

How I did this can be found in the GitHub repo I forked. Essentially, you point the Heroku slug compiler to the pre-compiled environment, in our case PHP and Apache.

All you need to do at that point is configure your app to use the custom buildpack:
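A hypothetical bin/compile fragment as an added shell example, not code from the forked buildpack: since the slug is built from whatever tarballs sit in the S3 bucket, it pins the SHA-256 of each pre-compiled artifact so a swapped or corrupted Apache or PHP tarball fails the build instead of being unpacked into the slug. The bucket URL and hashes are placeholders, and `verify_and_unpack` and `install_runtime` are names I chose.

```shell
#!/bin/sh
# Added example: checksum-pinned artifact install for a custom Heroku
# buildpack's bin/compile (Heroku invokes it as: bin/compile <build-dir> <cache-dir>).

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_unpack <tarball> <expected-sha256> <build-dir>
# Extracts into <build-dir> only when the hash matches; otherwise leaves
# <build-dir> untouched and returns 1 so the slug compile aborts.
verify_and_unpack() {
  tarball="$1"; expected="$2"; build_dir="$3"
  actual=$(sha256_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $tarball: expected $expected, got $actual" >&2
    return 1
  fi
  mkdir -p "$build_dir" && tar -xzf "$tarball" -C "$build_dir"
}

# Placeholders: point these at your own bucket and the hashes you recorded
# when you uploaded the tarballs you built in the one-off dyno.
S3_BASE="https://example-bucket.s3.amazonaws.com"
APACHE_SHA="<sha256 of apache.tar.gz>"
PHP_SHA="<sha256 of php.tar.gz>"

# install_runtime <build-dir> <cache-dir>: the body a bin/compile would run.
# The cache dir survives between builds, so downloads happen only once.
install_runtime() {
  build_dir="$1"; cache_dir="$2"
  mkdir -p "$cache_dir" || return 1
  for pkg in apache php; do
    [ -f "$cache_dir/$pkg.tar.gz" ] ||
      curl -sSfo "$cache_dir/$pkg.tar.gz" "$S3_BASE/$pkg.tar.gz" || return 1
  done
  verify_and_unpack "$cache_dir/apache.tar.gz" "$APACHE_SHA" "$build_dir" &&
  verify_and_unpack "$cache_dir/php.tar.gz" "$PHP_SHA" "$build_dir"
}
```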

heroku config:set BUILDPACK_URL=https://github.com/travstoll/heroku-buildpack-php

You can then create an empty commit and push your app again to force heroku to recompile the runtime:

git commit --allow-empty -m "empty commit"

git push heroku master

That’s it. After some playing around, it really wasn’t all that hard. A couple of hours of reading documentation and playing with the one-off dynos, and here we are. You can read more in the Dev Center about the buildpack API: https://devcenter.heroku.com/articles/buildpack-api

Video soon to come.

Posted in Heroku