
I've held off on writing this question because I'm not sure if it belongs on ServerFault or StackOverflow.

I have a React web application hosted in an AWS S3 bucket and using CloudFront. I have a REST API written as a Java Spring Boot application running on an AWS EC2 instance. I am trying to enable SSL on both of these to secure my traffic.

So far I have used an AWS generated SSL certificate to secure the web application. I tried to use the same AWS generated SSL certificate to secure the Java Spring Boot application and I have come to understand that this will not be possible with this certificate. All attempts to get the Java Spring Boot application to support SSL with this certificate have failed when the application starts.

I have been experimenting locally with self-signed certificates which, after accepting the browser warning, work for the web application but not for the Java Spring Boot application. The Java Spring Boot application starts up fine and I can use Postman to access the API (after configuring Postman to skip certificate validation). I believe the JavaScript library I am using (Axios) to call the Java Spring Boot application can't cope with a self-signed certificate and I have not been able to configure it to accept/ignore a self-signed certificate. Ultimately I won't be using self-signed certificates, so this is a dead end anyway.

My deployment of a web application hosted in S3 with an HTTP API on an EC2 instance doesn't seem unusual. Is it? Should I be doing it differently?

Before I go further down the rabbit hole with purchasing certificates and using more AWS services I'm hoping somebody here can give me a little guidance.

jafwatt

1 Answer


Firstly, I don't believe AWS charges for certificates applied to their infrastructure. I would put a load balancer between CloudFront and the EC2 instance, and use the certificate on the load balancer, and just use unencrypted traffic between the load balancer and the EC2 instance. Hopefully this solves your problem with the application. You can use security rules to lock the instance solely to the load balancer.

There are a couple of ways to lock the load balancer to CloudFront - one commonly documented way is to put a small and infrequently run Lambda function to restrict access to just CloudFront IP addresses as documented here.

I also have CloudFront add a custom header with a magic string as its value and have Apache on EC2 filter out any traffic without the magic string. These two measures appear to be completely effective in blocking non-CloudFront access to the server, and you can focus further WAF measures on the CloudFront distribution itself.

wordragon
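The custom-header check described in the answer, as an added example that is not part of the original post: instead of filtering in Apache, the Spring Boot API itself rejects any request that does not carry the expected value. It assumes Spring Boot 2.x (javax.servlet), a header named X-Origin-Verify configured on the CloudFront origin, and the shared secret supplied in the ORIGIN_VERIFY_SECRET environment variable; all three names are choices for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not from the original post. Rejects requests that lack the
// origin-verification header CloudFront is configured to add (assumed name below).
@Component
public class CloudFrontOriginVerifyFilter extends OncePerRequestFilter {

    static final String HEADER_NAME = "X-Origin-Verify";   // assumed header name
    private final byte[] expected;

    public CloudFrontOriginVerifyFilter() {
        this(System.getenv("ORIGIN_VERIFY_SECRET"));        // assumed env variable
    }

    CloudFrontOriginVerifyFilter(String secret) {
        if (secret == null || secret.isEmpty()) {
            // Fail closed at startup rather than silently letting all traffic through.
            throw new IllegalStateException("ORIGIN_VERIFY_SECRET is not set");
        }
        this.expected = secret.getBytes(StandardCharsets.UTF_8);
    }

    /** Constant-time comparison so response timing does not leak the secret. */
    boolean isTrusted(String presented) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (!isTrusted(request.getHeader(HEADER_NAME))) {
            // Direct hits on the EC2 instance (bypassing CloudFront) get 403.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Combine this with the security-group restriction from the answer: the header check stops traffic that reaches the instance by another path, while the security group keeps most of it from arriving at all.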