Sunday, October 15, 2017

Manually enabling https on AWS with Mojo::ACME and Plack

It took me some time, but it turns out that setting up a Plack/Mojolicious stack to serve https on Amazon's web services is straightforward if not easy. There are a few pitfalls (keeping ports open, mostly), so I wrote it up for my own future memory.

setting up

This assumes the Mojo app listens on port 3001.

  • open ports 80 and 443 on AWS
  • create a minimal Mojo::ACME application, let's say it's called cert.pl: mojo generate lite_app cert.pl
  • reroute port 80 to 3001: sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3001
  • launch the app to listen on port 3001: morbo -l http://[::]:3001 cert.pl
  • set your DNS records to point at the instance (this depends on what your domain name setup is)
  • check that the app is really available at the desired address and on port 80

creating keys

This is described on the Mojo::ACME docs page.

  • register an account key if necessary
  • make sure port 5000 is free (netstat -tulpn | grep :5000 gives you the list of processes using port 5000)
  • generate your domain cert

running starman

  • reroute 443, 80 and 8080 to 5000 (same iptables command as above, once per port)
  • check your iptables rules: sudo iptables -t nat --list --line-numbers
  • launch starman: starman --enable-ssl --ssl-cert cert.crt --ssl-key cert.key
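The port-redirect and port-check steps above are easy to get wrong by hand (in particular, inserting a second 80→5000 rule with -I leaves the earlier 80→3001 rule in place below it). The following shell helpers are an added example, not part of the original post: they build the iptables REDIRECT command for a front port, test whether a port is free from netstat -tulpn output, and list or count the REDIRECT rules for a given front port from iptables -t nat --list -n --line-numbers output. The netstat and iptables outputs embedded below are constructed samples; the helpers assume a Linux host and numeric (-n) iptables output, since without -n iptables prints service names such as dpt:http instead of dpt:80.

```shell
#!/bin/sh
# Added example helpers for the setup above (not from the original post).
# Assumes Linux with iptables and netstat; sample outputs below are constructed.

# Print the iptables command that redirects one front port to the app's port.
redirect_rule() {
  printf 'iptables -t nat -I PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Apply the redirect for several front ports (e.g. 443 80 8080) to one backend port.
apply_redirects() {
  back="$1"; shift
  for front in "$@"; do
    sudo $(redirect_rule "$front" "$back")
  done
}

# Read "netstat -tulpn" output on stdin; return 0 if the given port already has
# a listener (port is NOT free), 1 if nothing is bound to it.
port_in_use() {
  awk -v p="$1" '
    $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
      n = split($4, a, ":")          # local address is field 4; port is the last piece
      if (a[n] == p) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Read "iptables -t nat --list -n --line-numbers" output on stdin; print
# "<rule number> <backend port>" for every REDIRECT rule on the given front port.
redirect_rules_for() {
  awk -v p="$1" '$2 == "REDIRECT" && $0 ~ ("dpt:" p "( |$)") { print $1, $NF }'
}

# Count REDIRECT rules for a front port; more than 1 means a stale rule is lurking.
redirect_count() {
  redirect_rules_for "$1" | awk 'END { print NR }'
}

# --- constructed sample outputs, for demonstration only ---
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::3001                 :::*                    LISTEN      2231/perl
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient'

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 5000
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 5000
3    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3001'

# Demo on the samples: port 3001 is taken by morbo, 5000 is free, and port 80
# has two REDIRECT rules (the old 80->3001 one from the cert step is still there).
printf '%s\n' "$SAMPLE_NETSTAT" | port_in_use 3001 && echo "3001 in use"
printf '%s\n' "$SAMPLE_NETSTAT" | port_in_use 5000 || echo "5000 free"
echo "REDIRECT rules for port 80: $(printf '%s\n' "$SAMPLE_NAT" | redirect_count 80)"
printf '%s\n' "$SAMPLE_NAT" | redirect_rules_for 80
```

On a live host, replace the samples with the real commands, e.g. netstat -tulpn | port_in_use 5000 before generating the cert, and sudo iptables -t nat --list -n --line-numbers | redirect_rules_for 80 after switching to starman; a stale rule can then be deleted by its number with sudo iptables -t nat -D PREROUTING <num>.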

caveats

I haven't figured out yet how to deal with the fact that apps think they're running under http, so the scheme in URLs built by url_for is (often? mostly? always?) wrong. I'll write it up once I figure it out.
