Hi everyone! I am Shreya Pohekar. This is yet another “how-to” blog post. In this post, I will explain how to enable SSL and serve connections over HTTPS on an EC2 instance, or on an instance hosted on any other cloud platform.
But why would I want HTTPS?
Well, there can be several reasons.
- You run a blog that is hosted on an EC2 instance. According to Google's latest search guidelines, pages served over HTTPS are more likely to be among the top search results.
- Just like me, you want to exploit a CORS misconfiguration where a custom origin is reflected. To give the gist: I found a target where anything written after .com was reflected in the Access-Control-Allow-Origin header. Read more about headers here. Credentials were allowed as well.
Example: https://apps.redacted.com.shreyapohekar.com was getting reflected and credentials were allowed too, which means if the victim is logged in and clicks my cors exploit hosted on https://apps.redacted.com.shreyapohekar.com, I will be getting all of his sensitive information.
I had an EC2 instance running, but it was serving HTTP only. For the exploit to work, it had to be served over HTTPS (HTTP was not allowed 🙁 ).
Let's do the configuration!
If you just want HTTPS on a plain subdomain, you can skip this section. If your use case requires a nested subdomain (abc.xyz.efg.domain.com), follow along.
As you can see, the subdomain is nested here (apps.redacted.com), so it can't be configured directly from the subdomain section.
For nested subdomain configuration:
- Go to your domain provider or hosting provider, depending on whose nameservers you are using.
- Search for the DNS zone editor.
- Create an A record.
Its "Points to" IP address should be the public IP address of your EC2 instance.
Setting up SSL on EC2
The very first step here is to install the apache2 package. You can do that with:
# apt-get update
# apt-get install apache2
To restart the apache2 service:
# service apache2 restart
It is as simple as that. Once Apache is up and running, you will get the default index page when you open the public IP address of the EC2 instance in a browser.
If you don't get the index page, make sure that the EC2 instance's security group is configured to allow incoming HTTP requests (port 80).
SSL for free
https://www.sslforfree.com/ is a website from which you can create SSL certificates that are valid for 90 days from their creation date. When you get there, it provides a step-by-step guide to creating the certificate.
Once the setup is complete, a zip is downloaded containing the private key, certificate.crt and ca_bundle.crt.
Invalid CAA records
While generating the SSL key and certificate, you might run into an error stating “Invalid CAA records”.
This happens when sslforfree tries to verify your domain and the domain's existing CAA records do not authorise its certificate authority to issue. The fix is to add a new CAA record. This can be done in the DNS management portal / DNS zone editor.
The fields should look like the following
I assure you that you won't face any more issues while generating the certificate.
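To make the “Invalid CAA records” error concrete, here is an added example (not code from the original post) that models the check a certificate authority performs under RFC 8659 before issuing: it climbs from the requested name towards the root until it finds CAA records, then decides whether the requesting CA is listed. The zone data, the nested hostname under example.com and the CA identifiers ca-one.example / ca-two.example are all constructed placeholders; the page does not say which CA sslforfree uses. The example goes a little beyond the post by also handling wildcard requests (issuewild) and the empty-issuer record that forbids all CAs.

```python
"""CAA evaluation as a certificate authority performs it (RFC 8659).

Added example, not from the original post. Zone contents and CA names are
constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 0x80  # flag bit: unknown tag with this bit set blocks issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse CAA rdata in presentation form, e.g. '0 issue "ca-one.example"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_record_set(zone: Dict[str, List[CAARecord]], fqdn: str
                        ) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from the FQDN towards the root; the first name with CAA records wins.

    This is why a nested host such as apps.redacted.com.example.com inherits the
    CAA policy of example.com when it has none of its own.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer part of an issue/issuewild value, before any ';param=value'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[CAARecord]], fqdn: str, ca: str,
              wildcard: bool = False) -> Tuple[bool, str]:
    """Return (permitted, reason) for CA `ca` issuing a certificate for `fqdn`."""
    name, records = relevant_record_set(zone, fqdn)
    if not records:
        return True, "no CAA records on the name or any parent; any CA may issue"
    for rec in records:
        if rec.tag not in KNOWN_TAGS and rec.flags & ISSUER_CRITICAL:
            return False, f"unknown critical property {rec.tag!r} at {name}"
    # issuewild governs wildcard requests only if at least one such record exists;
    # otherwise issue records govern both plain and wildcard names.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    governing = [r for r in records if r.tag == tag]
    if not governing:
        return True, f"CAA records at {name} carry no {tag} property; issuance unrestricted"
    allowed = {issuer_domain(r.value) for r in governing}
    if ca.lower() in allowed:
        return True, f"{ca} is authorised by an {tag} record at {name}"
    # An empty issuer ('issue ";"') is the explicit "no CA may issue" form.
    return False, f"{ca} is not among the {tag} issuers at {name}: {sorted(allowed)}"


def demo() -> Dict[str, bool]:
    """Reproduce the post's situation with constructed data and show the fix."""
    host = "apps.redacted.com.example.com"          # constructed nested hostname
    zone = {"example.com": [parse_caa('0 issue "ca-one.example"')]}
    before = may_issue(zone, host, "ca-two.example")[0]   # -> False: the error
    zone["example.com"].append(parse_caa('0 issue "ca-two.example"'))  # the fix
    after = may_issue(zone, host, "ca-two.example")[0]    # -> True
    return {"before_fix": before, "after_fix": after}


if __name__ == "__main__":
    print(demo())
```

The walk towards the root is the part people miss: even if the nested name itself has no CAA record, a record set on the registered domain decides whether the CA may issue, so the new CAA record must list the CA that sslforfree uses.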
Apache configuration for SSL
Apache configuration files can be found under /etc/apache2 on Linux instances.
First of all, create a folder named ssl under /etc/apache2. Copy all three files (private key, certificate, CA bundle) obtained from the zip into this folder.
Now, an entry has to be created in sites-enabled.
- Open the file with:
# vim /etc/apache2/sites-enabled/000-default.conf
Add the following entry at the end.
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName shreyapohekar.com
    ServerAlias apps.redacted.com.shreyapohekar.com
    DocumentRoot /var/www/html
    SSLEngine on
    # The three files copied into /etc/apache2/ssl in the previous step
    SSLCertificateFile /etc/apache2/ssl/certificate.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/ca_bundle.crt
</VirtualHost>
- With the VirtualHost directive, multiple domains can be served from a single web server (the EC2 instance in this case).
- DocumentRoot specifies the path on the web server that is used as the base location for the domain.
- SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile point to the certificate, private key and CA chain that Apache uses to set up TLS for HTTPS.
The Apache service can now be restarted using
# service apache2 restart
If Apache refuses to start because it does not recognise the SSLEngine directive, mod_ssl is not enabled yet; enable it with a2enmod ssl and restart again.
And you are good to go. Open https://apps.redacted.com.shreyapohekar.com in the browser. If you don't get the index page and the site keeps loading, the problem is with the security group.
Configure an inbound rule for HTTPS (port 443) from any IP in the world.
This is how an inbound security group for an EC2 instance should look.
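“The site keeps loading” can have more than one cause, so here is an added example (not code from the original post) that turns the troubleshooting above into a check you can run from your laptop. It opens a TCP connection to port 443 and then attempts a TLS handshake, and classifies the outcome: a TCP timeout means the packets are being dropped before they reach the instance (on EC2, typically the missing inbound rule for 443), a refused connection means nothing is listening on 443 (Apache down or no *:443 VirtualHost), a TLS error means a listener answered but the certificate setup is wrong, and success reports the certificate's subject and days to expiry (useful for the 90-day certificates from sslforfree). The hostname apps.redacted.com.shreyapohekar.com is the one from the post; local_demo() reproduces two of the failure cases offline with a constructed listener on 127.0.0.1 and needs no network.

```python
"""Classify why https://host/ does not load: firewall, no listener, or broken TLS.

Added example, not from the original post. local_demo() uses a constructed
plain-HTTP listener on 127.0.0.1 to reproduce two failure cases offline.
"""
import socket
import ssl
import threading
import time
from typing import Dict, Optional, Tuple


def diagnose_https(host: str, port: int = 443, timeout: float = 3.0,
                   server_hostname: Optional[str] = None) -> Tuple[str, str]:
    """Return (category, detail) for an HTTPS endpoint.

    Categories: tcp_timeout, tcp_refused, tcp_error, tls_timeout,
    tls_untrusted, tls_error, ok.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout", ("no reply to TCP connect: traffic is being dropped "
                               "before the host (check the security group for port %d)" % port)
    except ConnectionRefusedError:
        return "tcp_refused", ("host reachable but nothing listens on port %d "
                               "(Apache down, or no *:%d VirtualHost)" % (port, port))
    except OSError as exc:
        return "tcp_error", str(exc)

    ctx = ssl.create_default_context()  # verifies the chain against system roots
    try:
        # The connected socket keeps its timeout, so a stalled handshake also times out.
        with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
            cert = tls.getpeercert()
            cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), "?")
            days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
            return "ok", "%s handshake ok, CN=%s, %.0f days until expiry" % (
                tls.version(), cn, days_left)
    except ssl.SSLCertVerificationError as exc:
        # Listener speaks TLS but the chain does not validate (wrong/missing ca_bundle,
        # certificate for another name, or expired).
        return "tls_untrusted", exc.verify_message or str(exc)
    except ssl.SSLError as exc:
        # e.g. WRONG_VERSION_NUMBER when plain HTTP is served on the TLS port
        return "tls_error", exc.reason or str(exc)
    except socket.timeout:
        return "tls_timeout", "listener accepted the connection but never completed TLS"
    except OSError as exc:
        return "tls_error", str(exc)


def _serve_plain_http_once(srv: socket.socket) -> None:
    """Constructed misconfiguration: answer the TLS ClientHello with plain HTTP."""
    conn, _ = srv.accept()
    try:
        conn.settimeout(2.0)
        try:
            conn.recv(4096)  # the client's ClientHello
        except OSError:
            pass
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    finally:
        conn.close()
        srv.close()


def local_demo() -> Dict[str, str]:
    """Reproduce the 'nothing listening' and 'plain HTTP on 443' cases on localhost."""
    results = {}
    # Case 1: grab a free port, release it, then connect to it -> tcp_refused.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    free_port = probe.getsockname()[1]
    probe.close()
    results["closed_port"] = diagnose_https("127.0.0.1", free_port, timeout=2.0)[0]
    # Case 2: a listener that talks HTTP instead of TLS -> tls_error.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_serve_plain_http_once, args=(srv,), daemon=True)
    worker.start()
    results["plain_http_on_port"] = diagnose_https("127.0.0.1", port, timeout=2.0)[0]
    worker.join(3.0)
    return results


if __name__ == "__main__":
    print(local_demo())
    # Against the real instance (needs network): the hostname from the post.
    print(diagnose_https("apps.redacted.com.shreyapohekar.com"))
```

Run it before and after changing the security group: the category should move from tcp_timeout to ok, and if it lands on tls_untrusted or tls_error instead, the fix is in the VirtualHost file paths or the certificate, not in the security group.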
That’s all for the blog post. See you in the next one.
Until then, happy learning 🙂