---
description: Instructions to deploy HTTPD server on EC2
---

# HTTPD Server Deployment

An HTTPD server deployed on an EC2 instance is used as a proxy to route network requests to the relevant backend services such as the Management Console, JupyterHub and other HTTPD servers. The EC2-based deployment was selected to enable rapid experimenting and troubleshooting compared to the ECS version of HTTPD. Once we have a solid set of configurations, the venue-level HTTPD server will be migrated from EC2 to ECS.

## The steps to deploy HTTPD on EC2

1. Launch a new EC2 instance that will house HTTPD, with the following configuration:
   - Name of instance: `shared-services-httpd`
   - AMI / instance type:
     - Get the AMI ID to use by opening another tab and copying the AMI specified in the `/mcp/amis/ubuntu2004-cset` SSM parameter.
     - Go to "My AMIs" --> "Shared With Me" --> enter the AMI ID in the drop-down text box.
     - Use a `t3.large` instance.
   - Key pair:
     - If a key pair doesn't already exist, create one named in the format `shared-services-httpd-pem` (do this in another tab first) and save it for future use.
     - Select the key pair to use (via "Select Existing Keypair").
   - Networking:
     - Make sure to select a private subnet (under the VPC setting).
   - Security group:
     - If the `shared-services-httpd-sg` security group doesn't already exist, create it with:
       - INCOMING CONNECTIONS:
         - TCP 443 from the security group of the Shared Services ALB (should be called `ucs-httpd-alb-sec-group`)
       - OUTGOING CONNECTIONS:
         - All traffic to anywhere
     - Select the `shared-services-httpd-sg` security group.
   - Under "Advanced Details", select the IAM instance profile `MCP-SSM-CloudWatch`.
   - Launch the instance.
     - NOTE: if this is the first time deploying to this AWS account, you may need to click the error link, subscribe to and accept the Ubuntu Pro FIPS 20.04 LTS agreement, then click retry on the instance launch.
2. Connect to the EC2 instance with Session Manager.
3. Install Apache 2 (the Ubuntu package for HTTPD) together with the OpenID Connect module on Ubuntu as follows:

```sh
sudo su - ubuntu
sudo apt update
sudo apt install apache2
# mod_auth_openidc, used later for Cognito login
sudo apt-get install libapache2-mod-auth-openidc
```
4. Enable the Apache 2 modules with the following commands:

```sh
sudo a2enmod http2
sudo a2enmod headers
sudo a2enmod proxy
sudo a2enmod proxy_html
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel
sudo a2enmod ssl
sudo a2enmod rewrite
sudo a2enmod auth_openidc
```
5. Generate self-signed SSL certificates with the following command:

```sh
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
```

Provide appropriate values as shown in the following example to generate the certificates (change values such as the email address and common name as required).

```text
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:LA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Unity
Organizational Unit Name (eg, section) []:CS
Common Name (e.g. server FQDN or YOUR name) []:shared-services-httpd-unity-test
Email Address []:[email protected]
```
6. Restart Apache 2 (httpd):

```sh
sudo systemctl restart apache2
```
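Steps 3 to 6 above, as one idempotent script that can be run from a Session Manager shell on the instance. This is an added example and not part of the Unity documentation. It assumes the sample subject values from the prompts above (with a placeholder email address), runs `openssl` non-interactively through `-subj`, and additionally enables the stock `default-ssl` site so that port 443 actually speaks TLS before the custom site of the next section exists; that last step is an assumption of this script, not something the page prescribes, and the site should be disabled again when the custom site is enabled.

```shell
#!/bin/sh
# Added example, not part of the Unity docs: steps 3 to 6 of the EC2 deployment as one
# script to run from a Session Manager shell on the instance. Assumptions: subject fields
# are the page's sample values with a placeholder e-mail; default-ssl is enabled so that
# :443 speaks TLS until the custom site exists (a2dissite default-ssl once it does).
set -eu

SUDO=${SUDO:-sudo}                  # overridable so the flow can be exercised in a dry run
CERT=/etc/ssl/certs/apache-selfsigned.crt
KEY=/etc/ssl/private/apache-selfsigned.key
MODULES="http2 headers proxy proxy_html proxy_http proxy_wstunnel ssl rewrite auth_openidc"

install_packages() {
  $SUDO apt-get update
  $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y apache2 libapache2-mod-auth-openidc
}

enable_modules() {
  for m in $MODULES; do
    $SUDO a2enmod "$m"
  done
}

# Subject string equivalent to answering the interactive prompts with the sample values.
# $1 = common name (default: the page's sample), $2 = e-mail (placeholder by default)
cert_subject() {
  printf '/C=US/ST=CA/L=LA/O=Unity/OU=CS/CN=%s/emailAddress=%s' \
      "${1:-shared-services-httpd-unity-test}" "${2:-admin@example.com}"
}

# Generate the self-signed pair once; a second run keeps the existing key and certificate.
gen_selfsigned_cert() {
  if $SUDO test -s "$KEY" && $SUDO test -s "$CERT"; then
    echo "keeping existing $CERT"
    return 0
  fi
  $SUDO openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$KEY" -out "$CERT" -subj "$(cert_subject "$@")"
  $SUDO chmod 600 "$KEY"            # private key readable by root only; apache reads it at start-up
}

restart_and_check() {
  $SUDO a2ensite default-ssl        # stock TLS vhost (assumption, see the comment at the top)
  $SUDO apache2ctl configtest       # refuse to restart on a broken configuration
  $SUDO systemctl restart apache2
  # -k only because this is the local self-signed certificate; clients talk to the ALB's ACM cert
  curl -ksS -o /dev/null -w 'local https status: %{http_code}\n' https://localhost/
}

if [ "${1:-}" = run ]; then
  shift
  install_packages
  enable_modules
  gen_selfsigned_cert "$@"
  restart_and_check
fi
```

Usage: `sh deploy-httpd.sh run` applies the sample subject, `sh deploy-httpd.sh run my.host.example admin@example.com` overrides the common name and e-mail. The `configtest` before the restart is deliberate: a typo in a site file otherwise takes the proxy down while the ALB health check keeps probing it.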

## Steps to set up a load balancer for the httpd server

Detailed instructions on creating an Application Load Balancer are available at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html. The following instructions provide a summary of the steps.

1. Create a load balancer target group (e.g. `ucs-httpd-server-tg`) with the ability to access instances on HTTPS port 443 (https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#TargetGroups:).
   - Add the EC2 instance created above to the target group.
   - Set up a health check for HTTPS and path `/`.
2. Create a security group for the Application Load Balancer (e.g. `ucs-httpd-alb-sec-group`).
   - Allow traffic to TCP port 443 from the required sources.
3. Create an Application Load Balancer (e.g. `ucs-httpd-alb`) and use the security group created above.
   - Associate the target group created above with the load balancer.
   - Request a certificate (from ACM).
   - Note the DNS URL of the Application Load Balancer.
4. Update the security group of the EC2 instance created above (e.g. `httpd-sec-group`) to allow traffic to port 443 only from the Application Load Balancer security group (e.g. `ucs-httpd-alb-sec-group`) created above.
5. Access the DNS URL of the Application Load Balancer and check that it shows the default page of the Apache 2 (httpd) server.
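The EC2 launch from section 1 and the load balancer steps above, expressed as AWS CLI calls. This is an added example and not part of the Unity documentation; the resource names and the SSM parameter are the ones the page uses, while the VPC, subnets, client CIDR and ACM certificate ARN are assumed to be supplied through environment variables. The order differs from the console steps on purpose: the ALB security group is created first so that the instance security group can be created already restricted to it and never carries a broader rule.

```shell
#!/bin/sh
# Added example, not part of the Unity docs: the console clicks of the EC2 launch and the
# load balancer steps as AWS CLI calls. Assumed inputs via the environment: VPC_ID,
# PRIVATE_SUBNET_ID (instance), ALB_SUBNET_IDS (space separated), ACM_CERT_ARN and
# CLIENT_CIDR (who may reach the ALB on 443). Names and the SSM parameter are the page's.
set -eu

AWS=${AWS:-aws}                     # overridable so the flow can be exercised without an account
REGION=${AWS_REGION:-us-west-2}
AMI_PARAM=/mcp/amis/ubuntu2004-cset
INSTANCE_NAME=shared-services-httpd
INSTANCE_TYPE=t3.large
KEY_NAME=${KEY_NAME:-shared-services-httpd-pem}
INSTANCE_PROFILE=MCP-SSM-CloudWatch
EC2_SG_NAME=shared-services-httpd-sg
ALB_SG_NAME=ucs-httpd-alb-sec-group
TG_NAME=ucs-httpd-server-tg
ALB_NAME=ucs-httpd-alb

# Read the AMI ID from the SSM parameter instead of copying it from another tab.
ami_id() {
  $AWS ssm get-parameter --region "$REGION" --name "$AMI_PARAM" \
      --query Parameter.Value --output text
}

# ALB security group: TCP 443 from the allowed client range only.  $1 = VPC ID, $2 = CIDR
create_alb_sg() {
  sg=$($AWS ec2 create-security-group --region "$REGION" --vpc-id "$1" \
        --group-name "$ALB_SG_NAME" --description "Shared services ALB" \
        --query GroupId --output text)
  $AWS ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg" \
      --protocol tcp --port 443 --cidr "$2" >/dev/null
  echo "$sg"
}

# Instance security group: TCP 443 only from the ALB security group (a source group, not a
# CIDR), so the instance is reachable through the ALB alone. Outbound keeps the default
# "all traffic", as the page specifies.  $1 = VPC ID, $2 = ALB security group ID
create_ec2_sg() {
  sg=$($AWS ec2 create-security-group --region "$REGION" --vpc-id "$1" \
        --group-name "$EC2_SG_NAME" --description "Shared services HTTPD instance" \
        --query GroupId --output text)
  $AWS ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg" \
      --protocol tcp --port 443 --source-group "$2" >/dev/null
  echo "$sg"
}

# $1 = private subnet ID, $2 = instance security group ID; prints the instance ID
launch_instance() {
  $AWS ec2 run-instances --region "$REGION" --image-id "$(ami_id)" \
      --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
      --subnet-id "$1" --security-group-ids "$2" \
      --iam-instance-profile "Name=$INSTANCE_PROFILE" \
      --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$INSTANCE_NAME}]" \
      --query 'Instances[0].InstanceId' --output text
}

# HTTPS target group with an HTTPS health check on /.  $1 = VPC ID, $2 = instance ID
create_target_group() {
  tg=$($AWS elbv2 create-target-group --region "$REGION" --name "$TG_NAME" \
        --protocol HTTPS --port 443 --vpc-id "$1" \
        --health-check-protocol HTTPS --health-check-path / \
        --query 'TargetGroups[0].TargetGroupArn' --output text)
  $AWS elbv2 register-targets --region "$REGION" --target-group-arn "$tg" --targets "Id=$2"
  echo "$tg"
}

# $1 = ALB SG ID, $2 = target group ARN, $3 = ACM certificate ARN, $4.. = ALB subnet IDs;
# prints the ALB DNS name. Add --scheme internal if the ALB must not be internet-facing.
create_alb() {
  alb_sg=$1; tg=$2; cert=$3; shift 3
  alb=$($AWS elbv2 create-load-balancer --region "$REGION" --name "$ALB_NAME" \
        --security-groups "$alb_sg" --subnets "$@" \
        --query 'LoadBalancers[0].LoadBalancerArn' --output text)
  $AWS elbv2 create-listener --region "$REGION" --load-balancer-arn "$alb" \
      --protocol HTTPS --port 443 --certificates "CertificateArn=$cert" \
      --default-actions "Type=forward,TargetGroupArn=$tg" >/dev/null
  $AWS elbv2 describe-load-balancers --region "$REGION" --load-balancer-arns "$alb" \
      --query 'LoadBalancers[0].DNSName' --output text
}

deploy() {
  alb_sg=$(create_alb_sg "$VPC_ID" "$CLIENT_CIDR")
  ec2_sg=$(create_ec2_sg "$VPC_ID" "$alb_sg")
  instance=$(launch_instance "$PRIVATE_SUBNET_ID" "$ec2_sg")
  $AWS ec2 wait instance-running --region "$REGION" --instance-ids "$instance"
  tg=$(create_target_group "$VPC_ID" "$instance")
  dns=$(create_alb "$alb_sg" "$tg" "$ACM_CERT_ARN" $ALB_SUBNET_IDS)   # split into subnet args on purpose
  echo "ALB DNS name: $dns  (verify with: curl -sSI https://$dns/ | head -1)"
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

The final `curl` hint corresponds to step 5 above: a `200` from the ALB's DNS name means the HTTPS listener, the target group health check and the instance's self-signed vhost are all wired up. Keep the `--source-group` rule as the only inbound rule on the instance group; a CIDR rule for 443 would let clients bypass the ALB and its ACM certificate.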

## Steps to create and set up a new site

1. Connect to the EC2 instance hosting httpd with Session Manager.
2. Change directory to `/etc/apache2/`:

```sh
cd /etc/apache2/
```

3. List the sites that are enabled; this shows the sites enabled by default (e.g. `000-default.conf`):

```sh
ls sites-enabled/
```

4. Disable the sites enabled by default with the following command:

```sh
sudo a2dissite <site name>
```

E.g.:

```sh
sudo a2dissite 000-default.conf
```

5. Create a new site file in the `sites-available/` directory:

```sh
sudo vi sites-available/unity-cs.conf
```

6. Add the following content to the `sites-available/unity-cs.conf` file:

```apache
<VirtualHost *:443>
    ServerName unity.httpd.server
    ServerAlias unity.httpd.server
    ServerAdmin [email protected]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Serve TLS on this vhost with the self-signed pair generated earlier
    # (without SSLEngine on, a *:443 vhost answers in plaintext and the HTTPS health check fails)
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

    # TLS towards the proxied backends
    SSLProxyEngine On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire on
    SSLProxyCheckPeerName off
</VirtualHost>
```

7. Enable the newly created site as follows:

```sh
sudo a2ensite unity-cs.conf
```

## How to proxy a website through the httpd server?

The official documentation at https://httpd.apache.org/docs/2.4/en/howto/reverse_proxy.html shows how to set up a reverse proxy with the httpd server.

There are many configuration options in this area; for a basic proxy, the following two directives are enough:

```apache
ProxyPass /example http://www.example.com/
ProxyPassReverse /example http://www.example.com/
```

A detailed example is provided in the following section.

If the application/website behind the proxy does not define all of its paths as absolute paths, those paths have to be rewritten with the rewrite module, as described at https://httpd.apache.org/docs/2.4/rewrite/intro.html.

## Example mod_auth_openidc Configuration

The following HTTPD site configuration shows how to use mod_auth_openidc with Cognito (the Shared Services HTTPD Site Configurations show the exact configuration template used in Unity, with the Cognito-specific variables).

```apache
<VirtualHost *:443>
    ServerName httpd-experimeantal-alb-************.us-west-2.elb.amazonaws.com
    ServerAdmin [email protected]
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Terminate TLS on this vhost with the self-signed pair generated earlier
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

    # TLS towards the proxied backends (CN/name checks of the backend certificate are disabled here)
    SSLProxyEngine On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire on
    SSLProxyCheckPeerName off

    # Forward WebSocket upgrades under /unity/dev through mod_proxy_wstunnel
    # (P = proxy, L = last rule; a RewriteRule takes a single flag list)
    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /unity/dev/(.*) wss://ucs-httpd-alb-********.us-west-2.elb.amazonaws.com:4443/$1 [P,L]

    # Reverse proxy only; never act as a forward proxy
    ProxyRequests Off

    OIDCScope "openid email profile"
    OIDCProviderMetadataURL https://cognito-idp.us-west-2.amazonaws.com/<COGNITO_USER_POOL_ID>/.well-known/openid-configuration
    OIDCClientID <COGNITO_CLIENT_ID>
    OIDCClientSecret <COGNITO_CLIENT_SECRET>

    # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
    OIDCRedirectURI https://httpd-experimeantal-alb-************.us-west-2.elb.amazonaws.com:4443/redirect-url
    OIDCCryptoPassphrase *******************

    # Everything below the root requires a valid Cognito login
    <Location />
        ProxyPreserveHost on
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /path1>
        ProxyPreserveHost on
        AuthType openid-connect
        Require valid-user

        ProxyPass https://www.site1.com
        ProxyPassReverse https://www.site1.com
    </Location>

    <Location /path2>
        ProxyPreserveHost on
        AuthType openid-connect
        Require valid-user

        ProxyPass https://www.site2.com
        ProxyPassReverse https://www.site2.com
    </Location>

    <Location /unity/dev>
        ProxyPreserveHost on
        AuthType openid-connect
        Require valid-user

        # Added to point to httpd within the unity-venue-dev account
        ProxyPass https://ucs-httpd-alb-*********.us-west-2.elb.amazonaws.com:4443
        ProxyPassReverse https://ucs-httpd-alb-**********.us-west-2.elb.amazonaws.com:4443
    </Location>
</VirtualHost>
```


More details on mod_auth_openidc are available at https://github.com/OpenIDC/mod_auth_openidc.
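A small audit for site files like the two above, to run before `a2ensite`. This is an added example and not part of the Unity documentation or of mod_auth_openidc. It checks the settings that decide who can reach the backends and whether the proxy hop is authenticated: a `*:443` vhost without `SSLEngine on`, `SSLProxyCheckPeerCN`/`Name`/`Expire` switched off or `SSLProxyVerify require` absent (with those, the proxy does not authenticate the backend it forwards logged-in users' requests to), `ProxyRequests On` (an open forward proxy), an inline `OIDCClientSecret` (the site file must then not be world-readable), and a `<Location>` that has `ProxyPass` but no `Require`, i.e. a path that bypasses the Cognito login. The sample configurations in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Unity docs: audit an httpd site file for settings that weaken
# the reverse proxy described above. Usage: sh audit-vhost.sh /etc/apache2/sites-available/x.conf
set -eu

# directive_is CONF DIRECTIVE VALUE: true when the directive is set to VALUE (case-insensitive)
directive_is() {
  grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# unprotected_proxy_locations CONF: print each <Location> path that has ProxyPass but no Require
unprotected_proxy_locations() {
  awk '
    /^[[:space:]]*<Location/ { inloc = 1; name = $2; sub(/>.*/, "", name); pp = 0; req = 0; next }
    /^[[:space:]]*<\/Location>/ { if (inloc && pp && !req) print name; inloc = 0; next }
    inloc && /^[[:space:]]*ProxyPass[[:space:]]/ { pp = 1 }
    inloc && /^[[:space:]]*Require[[:space:]]/ { req = 1 }
  ' "$1"
}

# audit_vhost CONF: print one finding per line; the return value is the finding count (0 = clean)
audit_vhost() {
  conf=$1; n=0
  if grep -Eiq '<VirtualHost[^>]*:443' "$conf" && ! directive_is "$conf" SSLEngine on; then
    echo "SSLEngine on is missing: the :443 vhost would answer in plaintext"; n=$((n + 1))
  fi
  for d in SSLProxyCheckPeerCN SSLProxyCheckPeerName SSLProxyCheckPeerExpire; do
    if directive_is "$conf" "$d" off; then
      echo "$d off: the backend certificate is not fully checked on the proxy hop"; n=$((n + 1))
    fi
  done
  if directive_is "$conf" SSLProxyEngine on && ! directive_is "$conf" SSLProxyVerify require; then
    echo "SSLProxyVerify require is not set: backend certificate chain is not validated"; n=$((n + 1))
  fi
  if directive_is "$conf" ProxyRequests on; then
    echo "ProxyRequests On: httpd would act as an open forward proxy"; n=$((n + 1))
  fi
  if grep -Eiq '^[[:space:]]*OIDCClientSecret[[:space:]]+[^[:space:]]' "$conf"; then
    echo "OIDCClientSecret is inline: keep this file readable by root only (mode 0640 or stricter)"; n=$((n + 1))
  fi
  for loc in $(unprotected_proxy_locations "$conf"); do
    echo "<Location $loc> proxies without a Require directive: unauthenticated passthrough"; n=$((n + 1))
  done
  return $n
}

if [ $# -gt 0 ]; then
  audit_vhost "$1" && echo "no findings in $1" || echo "$? finding(s) in $1"
fi
```

Run against the example configuration above, the audit reports the two disabled peer checks, the missing `SSLProxyVerify require` and the inline client secret; the `<Location>` blocks all pass because each carries `Require valid-user`. Whether the peer-check findings are acceptable depends on what the backends present: with a self-signed backend certificate the fix is `SSLProxyVerify require` plus `SSLProxyCACertificateFile` pointing at that certificate, not switching the checks off.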