Modify ZS8.5 Instance that is Deployed by AWS Cloudformation

tim2688
Posts: 7
Joined: Tue Apr 21, 2015 7:35 pm

Modify ZS8.5 Instance that is Deployed by AWS Cloudformation

Post by tim2688 » Wed Nov 11, 2015 5:00 pm

I've got an application that is running Zend Server 8.5 in an AWS cloud formation to allow us to auto-scale the number of EC2 instances when necessary. There are currently only 2 instances running in the cluster, but we might have as many as 5 deployed during peak usage.

I had to manually log into the EC2 instances to enable mod_ssl and install the SSL certificates for the domain the app lives on. What is the appropriate way to set this up so that all the newly deployed instances have this configuration on deployment? Is there a way to script this behavior using the Zend Server API, or is there a way to create an instance from one of the already configured servers that will be used to deploy instead of the default configuration?

Any insight on the appropriate way to automate this will be greatly appreciated!

dima_z_zend
Posts: 15
Joined: Sun Jul 17, 2011 3:17 pm
Location: Ramat Gan, Israel

Re: Modify ZS8.5 Instance that is Deployed by AWS Cloudforma

Post by dima_z_zend » Thu Nov 12, 2015 9:36 am

On AWS, the recommended way of setting up SSL is to modify the configuration of the Elastic Load Balancer.
The ELB can terminate HTTPS traffic. This means that the ELB will accept HTTPS connections, but will forward connections using regular HTTP.
This way you can offload SSL-related computations and hold the certificate in only one place (the ELB).
To configure an HTTPS listener on the ELB, consult the documentation here.

Another option is to configure an SSL-enabled Virtual Host in the Zend Server Cluster. To learn more about working with Virtual Hosts in Zend Server, read here.
But I should warn you that in this case you will have to configure an additional ELB listener for the TCP protocol. The problem with such a configuration is that on the cluster nodes you won't have the option to see the real IP address of the client. When the ELB terminates the HTTPS connection, it can inject an HTTP header with the client's real IP (read more here). But when the ELB distributes only TCP connections, it has no way to inject information about the real client.
Dmitry Zbarski
Cloud Integration Engineer
Zend Technologies, Ltd.
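
The first option from the reply above (HTTPS terminated on the ELB, plain HTTP to the nodes), written as a CloudFormation fragment. This is an added example, not part of the original thread or of Zend's own templates; the resource and parameter names are hypothetical, and the certificate ARN, VPC and subnets are supplied as parameters. It also restricts port 80 on the nodes to traffic from the ELB, since the forwarded traffic is unencrypted and the client-IP header (X-Forwarded-For) is only meaningful if clients cannot reach the nodes directly.

```yaml
# Added example: hypothetical names, placeholder inputs passed as parameters.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  CertificateArn:
    Type: String
    Description: ARN of the server certificate uploaded for the domain
Resources:
  ElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Public HTTPS to the load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  # Attach this group to the launch configuration of the Zend Server nodes.
  NodeSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Zend Server nodes, HTTP from the ELB only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !GetAtt ElbSecurityGroup.GroupId
  WebLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: !Ref SubnetIds
      SecurityGroups:
        - !GetAtt ElbSecurityGroup.GroupId
      Listeners:
        - LoadBalancerPort: '443'
          Protocol: HTTPS          # TLS ends here; certificate lives only on the ELB
          InstancePort: '80'
          InstanceProtocol: HTTP   # nodes receive HTTP plus X-Forwarded-For
          SSLCertificateId: !Ref CertificateArn
      HealthCheck:
        Target: HTTP:80/
        HealthyThreshold: '3'
        UnhealthyThreshold: '5'
        Interval: '30'
        Timeout: '5'
```

With this in the stack, newly scaled instances need no per-node mod_ssl or certificate setup; the Auto Scaling group only has to reference the load balancer.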
