Custom Domain Name, CloudFront, & SSL
(Application Load Balancer)
We assume your domain name is already set up with AWS and available in Route53. Also, we have not created CloudFormation templates yet for this guide. Instead, we rely on ClickOps™ and have documented the steps you will need to perform within both the AWS Console and your SAM template.
- SSL/TLS Certificate with ACM
- Update SAM Template
- CloudFront Distribution
- Creating a Custom Domain with Route53
SSL/TLS Certificate with ACM
We are going to use AWS Certificate Manager to secure the HTTPS traffic for your custom domain behind CloudFront. Again, this assumes your domain is set up in Route53, since you will need to validate the certificate and AWS makes that super easy with DNS.
- AWS Console -> Certificate Manager
- Click "Request a certificate" button.
- Select "Request a public certificate", then click the "Request a certificate" button.
- Domain name: *.example.com
- Click "Next"
- Select "DNS validation", then click "Review".
- Click "Confirm and request" button.
- Click the tiny disclosure triangle beside your domain name.
- Click the "Create record in Route 53" button, then "Create" again in the modal.
- Click "Continue"
Verification will take about 3 minutes. From the Certificate Manager dashboard, you can wait and/or hit the 🔄 button and the Status will change from "Pending validation" to "Issued".
Update SAM Template
A few changes need to be made to the default template.yaml file Lamby generates for Application Load Balancer support. First, add another inbound rule to your existing RailsSecurityGroup Resource for port 443. Shown here at the bottom.
```yaml
RailsSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow HTTP
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      # New inbound rule for HTTPS
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
```
Now, using the ARN of the certificate from the first SSL step, add this new resource to your template.yaml file. The name is similar to the HTTP listener's, but RailsLoadBalancerHttpsListener is for HTTPS. Remember to put it in the Resource section; next to the HTTP one is a good place.
```yaml
RailsLoadBalancerHttpsListener:
  Type: 'AWS::ElasticLoadBalancingV2::Listener'
  Properties:
    Certificates:
      # ARN of the certificate issued in the ACM step
      - CertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/abcdefgh-ijkl-mnop-qrst-uvwxyzabcdef
    DefaultActions:
      - TargetGroupArn: !Ref RailsLoadBalancerTargetGroup
        Type: forward
    LoadBalancerArn: !Ref RailsLoadBalancer
    Port: 443
    Protocol: HTTPS
```
CloudFront Distribution
Once your Application Load Balancer (ALB) Lambda is listening to HTTPS traffic with an SSL Certificate, you can set up CloudFront to point to your ALB's DNS name.
First, navigate to your ALB in the Console, click on "Description", and copy/note the "DNS name". Example: myapp-1234567890.us-east-1.elb.amazonaws.com. This will be needed when setting up your CloudFront distribution. The options below are the ones that vary from the defaults, so you only have to focus on changing those during setup.
- AWS Console -> CloudFront -> Create Distribution -> Web -> Get Started
- Origin Domain Name:
- Minimum Origin SSL Protocol:
- Origin Protocol Policy:
- Origin Custom Headers:
- Viewer Protocol Policy: Redirect HTTP to HTTPS
- Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
- Cached HTTP Methods:
- Cache Based on Selected Request Headers:
- Object Caching: Use Origin Cache Headers
- Forward Cookies:
- Query String Forwarding and Caching: Forward all, cached based on all
- Compress Objects Automatically:
- Alternate Domain Names (CNAMEs):
- SSL Certificate: Custom SSL Certificate (select *.example.com from step above)
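The checks below are an added example, not code from this guide or from Lamby. They inspect the two template resources shown above (given as a constructed Python dict, SAMPLE) and test whether each Alternate Domain Name is covered by the certificate: a wildcard such as *.example.com covers a single subdomain label only, and CloudFront accepts ACM certificates only from us-east-1. The function names are illustrative.

```python
# Added example, not Lamby's code. SAMPLE is a constructed dict form of the page's YAML.
def cert_covers(cert_name, host):
    """True if an ACM name (exact or '*.' wildcard) covers host."""
    cert, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert.startswith("*."):
        return cert == host
    # The wildcard stands for exactly one leftmost label, so '*.example.com'
    # covers 'www.example.com' but not 'example.com' or 'a.b.example.com'.
    label, _, parent = host.partition(".")
    return bool(label) and parent == cert[2:]

def acm_region(arn):
    """Region field of arn:aws:acm:<region>:<account>:certificate/<id>."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "acm"]:
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return parts[3]

def check_https(resources, cert_names, cnames):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    rules = resources.get("RailsSecurityGroup", {}).get("Properties", {}).get("SecurityGroupIngress", [])
    if not any(r.get("FromPort", -1) <= 443 <= r.get("ToPort", -1) for r in rules):
        findings.append("RailsSecurityGroup has no inbound rule covering port 443")
    https = [r.get("Properties", {}) for r in resources.values()
             if r.get("Type") == "AWS::ElasticLoadBalancingV2::Listener"
             and r.get("Properties", {}).get("Protocol") == "HTTPS"]
    if not https:
        findings.append("no HTTPS listener defined")
    for props in https:
        arns = [c["CertificateArn"] for c in props.get("Certificates", [])]
        if not arns:
            findings.append("HTTPS listener has no certificate")
        # CloudFront only accepts ACM certificates issued in us-east-1.
        findings += [f"{a} is not in us-east-1" for a in arns if acm_region(a) != "us-east-1"]
    for name in cnames:
        if not any(cert_covers(c, name) for c in cert_names):
            findings.append(f"{name} is not covered by the certificate")
    return findings

SAMPLE = {  # constructed from the page's YAML; !Ref properties left out
    "RailsSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "RailsLoadBalancerHttpsListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
        "Port": 443, "Protocol": "HTTPS", "Certificates": [{"CertificateArn":
            "arn:aws:acm:us-east-1:123456789012:certificate/abcdefgh-ijkl-mnop-qrst-uvwxyzabcdef"}]}},
}
print(check_https(SAMPLE, ["*.example.com"], ["www.example.com", "example.com"]))
```

If the bare domain example.com is listed as an Alternate Domain Name, the certificate request needs that name in addition to the wildcard.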
Grab a ☕️, since it could take up to 20 minutes to deploy this new CloudFront distribution. While you wait, you can set up your domain name in Route53 in the next step. Here is some additional reading material on this subject.
Creating a Custom Domain with Route53
Please make sure to copy the "Domain Name" of your newly created CloudFront distribution. It will be needed as a target for your new DNS entry and will look something like this
- AWS Console -> Route53 -> Hosted zones -> example.com
- Click the "Create Record Set" button.
- Alias: Target:
That's it! 🎉🎊🥳 Once your CloudFront distribution fully deploys, you can access your Rails application on Lambda and everything from forms, redirects, caching, etc will all just work!