I'm trying to put a simple Wordpress site on Google Cloud with SSL.
I set up a load balancer using an instance group, as described here: https://docs.bitnami.com/google-templates/how-to/configure-lb-ssl-google-templates/
except I used one-click deployment instead of bitnami.
unmanaged instance group with the vm as a member
load balancer with the instance group on the backend, port 80
front end HTTPS, port 443
The front end works, this is my test site: https://thescanclub.com
However, insecure access is still possible to the backend I.P. and also the database! I must have left out a firewall or something. How would you fix this?
Back end IP to the vm: 34.150.136.72
PS... this is a small test site and may get a new vm if I have to redo it.
The Google Managed Certificate that you created resides within the Front End of the Load Balancer. This means that it will only use the Google's SSL certificate, and redirect from HTTP to HTTPS when you access your Wordpress site through the Load Balancer's front end IP address or through the domain (thescanclub.com).
Digging the A record of your domain, you'll see that it is not pointed to the VM's public IP but rather to a different one which I presume is the HTTPS Load Balancer's front end IP.
If you wish to access the website directly from the VM's public IP, then it will be best to set up a letsencrypt SSL certificate within the Bitnami instance and set up the HTTP to HTTPS redirection through it. Hope you find this documentation helpful.
Related
My setup:
Bitnami Wordpress
GCP VM
GCP HTTPs Load Balancer
Load Balancer has http to https redirection, www to non-www redirection
Cloud CDN
Main Problem:
The VM's external IP (22.22.22.22) is indexed by Google Search. I'm unable to remove it from Google Search because it is not recognized as a property that belongs to me and the indexed page (http://22.22.22.22/home) is live. http://22.22.22.22/home is resolved to example.com which is a live page.
what I have checked
The domain name and Load Balancer's IP is properly resolved
No new mod_rewrite rules other than those from the default installation
The site does not have any reference to VM's external IP, including database
No cache plugins installed
Wordpress's site address and home address is pointing to http://example.com
what I have done to rectify
I've added 301 redirects which I'm not sure if that helps. It will take some time to check if that works.
My questions
Is there a way to prevent Google from indexing IPs(Any IPs in general)?
How to prevent VM's ext. IP from being indexed by Google especially when load balancer is in use?
There is a simple solution but it takes time. Configure the Apache web server to redirect IP-based queries to your domain or return an error. Google Search will eventually notice the redirect and remove the IP address from search queries.
For redirects, use a permanent redirect (301).
301 Moved Permanently
How To Create Temporary and Permanent Redirects with Apache and Nginx
There are WordPress plugins to do the same, but I prefer to configure Apache directly and not add another plugin to a site.
Is there a way to prevent Google from indexing IPs(Any IPs in
general)?
No, Google can index any site, IP or Hostname based, that is public unless restricted via robots.txt.
Introduction to robots.txt
How to prevent VM's ext. IP from being indexed by Google especially
when load balancer is in use?
You can create a VPC Firewall rule that only allows traffic from the load balancer and blocks Internet ingress traffic.
Load Balancer Firewall Rules
Additional information:
Remove a page hosted on your site from Google
I have a website and users create their own app. But i can't embed these apps on my website via iframe, because my website has SSL certificate and got this error:
Mixed Content: The page at 'https://domain' was loaded over HTTPS, but requested an insecure resource 'http://IP_ADDR'. This request has been blocked; the content must be served over HTTPS.
My workflow is like that:
Click create button
Deploy EC2 instance from AWS
Get IP EC2 address from AWS
Embed this app via iframe
I want to embed these IPs to my website, IP addresses are dynamic. Anyone can create machine anytime.
What is best practice solution for this issue?
Best practice (and also the only I can think of) solution IMHO would be to use proper HTTPS for the iframe content also. You'd need a possibility to automatically create DNS records though (you can do so with AWS Route 53). Regarding SSL you could use a wildcard certificate (e.g. Let's Encrypt). Nginx could be configured to proxy_pass by DNS name as opposed to IP. Then your workflow would become this:
Click create button
Deploy EC2 instance from AWS
Get IP EC2 address from AWS
Create DNS record
Embed this app via iframe
Backend: "Bitnami WordPress with NGINX and SSL Stack for Google Cloud Platform" from marketplace.
I used this guide: https://www.am22tech.com/google-cloud-cdn-wordpress/
I ended up with a somewhat working system as follows:
My Domain ->(google managed cert)-> CDN + Load Balancer -> Instance Group ->(http)-> VM with bitnami stack.
All works well and seems very fast. The biggest gap in my understanding is how the VM can be told it needs to behave as if it's the original domain.
For example, in the nginx server config, any kind of reference to $host seems to return the VM's IP address or something like that.
Also, in wordpress, in a lot of places the domain is replaced by an IP address, even though the site URL and wordpress address show up correctly. This isn't a wordpress question though, as I'm quite sure there is a more general solution I'm missing to do perhaps with NGINX or the load balancer configuration. I think PHP detects the host and passed it along to wordpress but I'm not clear how.
I found a reference somewhere in the google documentation how to manually assign a domain to a VM but not sure that's what's needed here.
Further to this, I'm totally unclear how I would set up https between the vm and the load balancer, yet only have one domain/ip address for the global forward rule. Maybe a separate question.
Bitnami Engineer here. If you already have the domain, certificates and the Load Balancer in place, you will need to configure WordPress to use that domain name as default domain of the application. You will need to edit the wp-config.php file and configure these lines
define('WP_SITEURL', 'http://DOMAIN/');
define('WP_HOME', 'http://DOMAIN/');
More info: https://docs.bitnami.com/google/apps/wordpress-pro/administration/configure-domain/
In case you also want NGINX to redirect you your domain, no matter how you access your app's information, you can add this configuration line
return 301 https://DOMAIN$request_uri;
in the /opt/bitnami/nginx/conf/bitnami/bitnami.conf file
More info: https://docs.bitnami.com/google/apps/wordpress-pro/administration/force-https-nginx/
I had better luck having the load balancer talk to my VM with https. Once I got that working, I didn't have to make any changes to wp-config.php. In this case I didn't bother with varnish because I think it only supports http. I'm hoping google's CDN will be sufficient regarding caching, and I may try a helper plugin in wordpress.
To redirect http to https, I followed the bitnami instructions to set up to front ends to the load balancer pointing to the same static ip address, then in my nginx server blocks, I added a redirect line in the https block (not the http block), since the google load balancer communicates with my backend via https. Google sets the http_x_fowward_proto to http so I check that and redirect if necessary.
if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }
The bitnami stack is amazing, everything seems extremely fast!
Currently, I am working on a Wordpress application and I am using AWS hosting. My domain is in GoDaddy.com and I have deployed the application in elastic beanstalk. I have created load balancer and also I need to run the application through HTTPS.
I have done my research and I think I found the right way, but it's not working for HTTPS. when I browse on HTTP on port 80, it runs well. Now I am helpless.
Here's what I have done so far:
1) I created a hosted zone on AWS Route 53 for the domain named "example.com". There are two records are created, NS and SOA.
2) Then, in GoDaddy, I added NS records from AWS as Custom Nameservers.
3) After that, I created A record for the domain in the AWS hosted zone, set ALIAS targeted to the Load Balancer of the Elastic Beanstalk environment.
4) Then, I changed the SITE URL from the wp_options table the wordpress application database.
After doing up to this, my application was running in HTTP. But as I want to change it to HTTPS. So,
1) I requested a certificate from AWS Certificate Manager and created CNAME (provided by ACM after requesting certificate) record in the hosted zone.
2) After the certificate is issued, I edited the listener from EC2 >> Load Balancer >> Listener and changed the protocol from HTTP to HTTPS and also allowed port on Security groups.
3) Also, I changed, the SITE URL from WordPress database and changed it from "http://example.com" to "https://example.com" but it was not working.
4) So I went to Elastic Beanstalk >> Configuration >> Load Balancer and added listener. After the environment is saved and restarted, still, the site was not running on HTTPS [ HTTP 408 ERROR IS SHOWN ]. But if I change SITE URL to "http://example.com", it works
I have found a solution, which says to use RedirectURL and set it to server config but I don't want to do that.
I also found this solution which suggest to Export Zone File and import it to AWS hosted zone. But whenever I click Export Zone File(Unix), the file downloaded is shown empty. I tried this for other accounts, still, this problem exists. So I did not do that.
Sorry for the long story, but I really need this help.
I have solved the issue.
In my load balancer port configuration, I previously set load Balancer port 443 and instance 443. here what I need to do is to call the load balancer on port 443 and backend make the backend call on port 80 and enable https on WordPress.
So I kept load balancer port 443 and changed the instance port to 80. After that, on the browser, there was too many redirects error shown. So then what I needed to do is that add $_SERVER['HTTPS'] = 'on' on wp-config. And then everything was running smoothly.
I hope this will help if some
I've developed a web app, which uses HTTPS and which works fine when I access is it (live). Yet some customers, who use proxy servers, can't access the site. I already tried to use a real certificate (a cheap one and only a trial, but yet valid), but that didn't help.
Everytime one of these users tries to access the site the browser tries to load it until a timeout occurs. One user even was shown an authentication (but I'm not 100% sure if this was due to a proxy, still waiting for response from the customer)
For which reasons can this happen and what can I do about it?
I'm using IIS, ASP.NET (C#) and JS. Sideinfo: The URL contains a port, the internal structure of the network the IIS is running in (not mine) doesn't allow it otherwise.
443 is dedicated port for HTTPS connectivity. Add type 'HTTPS' with default port 443 in Site bindings of hosted site directory. Check after whether SSL is enabled or not? in IE(browser)->Tools->Internet options->Advanced->Security.
If the HTTPS port in your web app's URL isn't port 443, you'll have a problem with corporate proxies that don't like non-standard HTTPS ports.
i.e. I hope your URL looks something like this: http://example.com:443/...