Free SSL Certificates using ACM (AWS Certificate Manager)

Posted on Tue 16 February 2016 in aws • Tagged with aws, ssl, security

2016 may be the year of free SSL, and AWS ACM (AWS Certificate Manager) is a great offering for Cloudfront & ELB users (most web apps).

Not only is it free, but it's also the simplest certificate management platform

  • request a new certificate in minutes
  • no server config needed
  • no certificate , chain or private key management
  • automatic certificate rotation

Here's how to create a certificate and then install it onto your cloudfront distribution.

Requesting a New Certificate

aws acm request-certificate --domain-name \*.mydomain.com --subject-alternative-names  mydomain.com
{
    "CertificateArn": "arn:aws:acm:us-east-1:OOOOOOOOOOOO:certificate/c3d15000-230c-4000-8000-a600000"
}

Activating the Certificate on Cloudfront

This part …

Continue reading

Creating a Varnish Load Balancer for Opsworks

Posted on Fri 15 January 2016 in aws • Tagged with scaling, infrastructure, opsworks, varnish, chef

Varnish is an amazing platform -- it can easily help you handle 100x traffic and is easy to add to your existing frontend or API layer with little to no change to your app.

Here we'll go over some neat tricks leveraging chef, the AWS Opsworks API and the opsworks configure lifecycle event to create a lighting fast load balancer & reverse proxy that automatically updates itself.

Setup

  1. Create a new varnish layer that installs the varnish and jq packages

  2. Activate custom cookbooks. It's easiest to just use s3 deployments so you don't need a separate git repo.

The varnish::backends recipe …

Continue reading

Using the AWS EC2 Container Registry with EC2 Container Service

Posted on Wed 06 January 2016 in aws • Tagged with aws, docker, ecr, ecs

AWS announced recently that it's EC2 Container Registry (ECR) is now available. ECR simplifies hosting private images. Previously, you had to manually push your docker.io credentials to each EC2 instance -- likely a deliberate pain-point encouraging you to use ECR. With ECR, EC2 container hosts can easily fetch private images using IAM authentication.

Here are some of the gotchyas and stumbling blocks to help you get your repository up quickly and painlessly.

Prerequisites

1. aws-cli should be 1.9.15 or greater.

# check Version
$ aws --version
aws-cli/1.9.15
# update via homebrew (osx) if needed
$ brew update
$ brew …
Continue reading

Securing Your Network Using Auto-Updating Security Groups

Posted on Thu 17 December 2015 in aws • Tagged with aws, security, security-groups

We all know that no ports should be open to the internet for development purposes, but for convenience it's common to find a security group with port 22 (SSH) open to 0.0.0.0/0 . Even narrower ingress rules can create backdoors.

Here we'll show you how to create an auto-updating security group that adds your active WAN IP address when you connect. This way, only your active IP is authorized.

Create the "development" security group with no ingress

aws ec2 create-security-group --group-name=development --group-description="ssh access for my dev machine"

Create a limited role …

Continue reading

Delegating Admin Credentials using IAM Roles and Cloudwatch Alerts

Posted on Sat 12 December 2015 in aws • Tagged with aws, cloudwatch, alerts, monitoring

It's hard to strike the right balance with admin rights--either the rights are too strict and people can't get work done or they're too lenient and you have security issues.

As a compromise, AWS provides the AssumeRole feature which lets admins temporarily escalate their role to perform a task.

It's important when setting this up that you alert the team when it's used. Here we'll talk about how to set up the roles, give teams access to the roles and create an alert system when the roles are assumed.

Create The Temporary Admin Role

Use the IAM console to create …

Continue reading

Using AWS Lambda for Web Video Transcoding

Posted on Thu 03 September 2015 in aws • Tagged with lambda, elastic-transcoder, video

Often your creative team will produce master videos in 4k or 1080p, but you need to downcode these videos into 720p/1080p for web broadcasting. Here we automate transcoding of masters into web-friendly formats like 720p h264 mp4 & webm.

AWS Elastic Transcoder is a cloud video transcoding service. At it's simplest it transcodes video files from one bitrate, framerate, codec, container, etc--into another. By default you trigger new jobs either manually in the aws console or via the rest API. And naturally all inputs & outputs are saved in S3.

Transcoder setup includes creating a pipeline and presets. Then for each …

Continue reading

Wordpress Cron on Opsworks

Posted on Thu 27 August 2015 in aws • Tagged with opsworks, chef

By default Wordpress uses it's own pseudo-cron which triggers with every request. Obviously this is wasteful since (a) the queue needs to be inspected with every GET and (b) jobs like publishing articles will interfere with serving content.

Some suggest calling the wp-cron.php GET request with curl in a cron like this

* * * * * curl http://www.mysite.com/wp-cron.php

but that's sub-optimal since it needlessly ties up a worker during the cron execution.

If you're using chef or Opsworks, here's a tidy way to install the system cron to execute without interfering with your webserver.

First, disable the Wordpress …

Continue reading

HTTP Redirects with Cloudfront & S3

Posted on Tue 18 August 2015 in aws • Tagged with aws, cloudfront, s3, http

Redirects can account for a significant share of direct traffic so taking a few minutes to optimize them is worthwhile.

Using Cloudfront & S3 for redirects will improve responsiveness, reduce server load and improve management (since they are managed via aws-cli or the console).

Let's say you have a typical .htaccess redirect like this.

RewriteEngine On
### re-direct to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Or worse, it could look like this in your index.php

$protocol = (@$_SERVER["HTTPS"] == "on") ? "https://" : "http://";

if (substr($_SERVER['HTTP_HOST'], 0, 4) !== 'www.') {
    header …
Continue reading

Opsworks -- Quickly Listing Hosts on the Command Line

Posted on Tue 11 August 2015 in aws • Tagged with aws, opsworks, cli

Here's a great example of using the aws-cli to speed up your life. Uses jq and aws-cli

  # bash / zsh function
  function opsworks-hosts-prod () {
    aws opsworks describe-instances --stack-id=fffff-fffff-ffff-fff-fffffff | jq '.Instances[].PublicDns' | grep -v null | sed s/\"//g
  }
  # usage
  $ opsworks-hosts-prod
  XXXXX.compute-1.amazonaws.com
  XXXXX.compute-1.amazonaws.com
  XXXXX.compute-1.amazonaws.com
  XXXXX.compute-1.amazonaws.com
Continue reading

On Software Scaffolding

Posted on Thu 09 July 2015 in aws • Tagged with monitoring, software

waterloo_bridge_1815 A new lightrail line is being built in my city with bridges passing over the major boulevards.  Seeing the elaborate scaffolding evoked comparisons to software engineering.  What does scaffolding look like in software? Does software need to be erected like a bridge via scaffolding?  Without a doubt: yes.

Here are some elements of software “scaffolding”:

  • Error log instrumentation with a formal error log schema (i.e. errors are uniquely identifiable in a MECE schema)
  • Operational instrumentation with reports , dashboards and alerts
  • Performance profiling on methods, database calls, rest calls, system calls and any blocking IO.
  • Client-side performance instrumentation and sampling …
Continue reading

Opsworks before-migrate.rb

Posted on Tue 09 June 2015 in aws • Tagged with chef, opsworks, aws, devops

Opsworks is a convenient, powerful and free service provided by AWS to simplify the management of EC2 nodes.  The real power of the system is exposed through customizing various stages of the instance lifecycle by creating custom-tailored chef-solo recipes.

While Amazon provides a powerful deployment layer for PHP applications, it stops short once the PHP code has been checked out of git.  For Laravel or other composer apps, you’ll have to customize your deployment.  The most elegant and straightforward method is through custom deployment hooks.  Here’s how to build a before_migration.rb script to build a Laravel …

Continue reading