How to Setup HTTPS/SSL/TLS on Google Cloud Platform

Captions
Okay guys, this video is part two of how to easily set up SSL on your website or your API without having to install an SSL certificate. There was some confusion on my last video, I think. If you're trying to set this up and you haven't seen either video, go back, watch that first video, and give that a shot. If you have an issue with that video, come back to this video, and we're gonna go into more detail here. We're gonna walk through the whole process step by step. I'm actually going to set up a website this time; I'm actually going to put the DNS records in place to point the domain registrar to the cloud service and go through that entire step, so hopefully this will eliminate any ambiguity that might have come up in the last video. So let's get right into it.

I think before we dive into the actual technical steps to put this in place, I want to go over just a high level of how all these different moving pieces interact, because if you don't have an understanding of how all these pieces play together, then when you're trying to troubleshoot this sort of thing it's not going to make a whole lot of sense to you. So let's actually first go through what each of the endpoints in this system are and how they talk to each other, how they connect, and let's go into that detail here.

So again, what are we trying to do? We're trying to set up a website that supports SSL, and there's a bunch of different pieces to that, and I will just draw that out here to make that very clear. So let's start with the client. The client is any machine that actually wants to access the website data, so it could be your desktop computer, it could be your iPhone, or it could even be an IoT device. These are all clients. For the sake of this example here, let's say it's your iPhone. So say you're on your iPhone and maybe you pull up your browser, so you pull up Chrome, and you want to make a request to a particular website. So we want to make a request to google.com.

So what actually happens when I type the domain name www.google.com into Chrome? Well, there is what we call a local cached DNS on your device, which basically is a mapping of domain names to likely IP addresses, and this is based on websites that you visited and I think also common websites. It's a dynamic document; it changes over time, and that's one way that your device is able to connect the domain name to an actual IP address. That IP address is called the origin IP; it's the remote server that we want to actually retrieve some content from. So you have local DNS that may know what IP address to proxy that request to, but you also have something called global or cloud DNS, and this is maintained by a bunch of different companies and different services. And again, what does global cloud DNS do? It knows how to point a domain name to an actual IP address. The reason we use domain names is because they're phonetic or mnemonic devices to easily target a particular server, so it's just an ease-of-use sort of thing, but there needs to be that mapping stored somewhere, and so there's also a global cloud DNS. So when you issue the request for www.google.com, if there's no local DNS in place it may go to a cloud DNS, and the cloud DNS might say, okay, you want www.google.com, well, this maps to a set of name servers. So the way you send a domain to an origin is usually through name servers; that's just the most common way. You can also do it through A records or CNAMEs, so alias names or canonical names, but for the websites that you'd be setting up you're just going to use name servers. So the domain registrar that has this google.com registered points to a set of name servers. There's usually three, but there could be four, there could be one. The name servers are the location of the hosting provider, so the name servers could be put in place by DigitalOcean or by AWS or GCP, whoever is hosting the actual web service, the origin web service.

And so we might say here, okay, we want to proxy this to the Google name servers, and I forget what those are, but it might be something like cloud.google.com servers. The name servers will know where to proxy that request because when you set up a domain on the host environment you've authenticated that domain, so it knows that you are the owner, and when those requests come in it's able to handle those requests. But you have to set up that mapping, because you need to take this name server and actually point it to something, right? It could be your website, it could be your virtual machine; you need to point it to something. And so for the Google setup this is done using load balancers. So we would set up a load balancer that has these records in place, has our domain set up in these records, and then it gives you the opportunity to point it somewhere. So when that request comes in, it gives you the opportunity to point it somewhere, and what we're gonna do is we're gonna point it to our VM. Our VM is just a Linux box that has our nginx web server software running. It will respond to 127.0.0.1 or the localhost, so anyone who makes a request to that web server will get a response. And so let me just draw this out here, so we will have the load balancer here. Now, with the load balancer there's all sorts of awesome, cool things you can do: you can put algorithms in place to distribute load over multiple instance groups and that sort of thing, and there's different algorithms like round robin or CPU-based algorithms and things like that. But we don't need to get into that complexity. What we're gonna leverage the load balancer for, the GCP load balancer, is we're gonna have the load balancer take care of our SSL handling, because from the client's perspective the client is only able to understand where the request is getting proxied to up until the load balancer, because this is your front end IP address.

So if I was on my laptop here and I ran a command called dig, D-I-G, space, and then I threw the domain in there, it will show me all this chain of proxying, but it will only show me up till the front end IP, because the front end IP is the last public access point for this particular request. And so it's the front end IP that needs to have our SSL, and that's where we're gonna set it up; we're gonna say, Google, enable SSL, and it's just gonna take care of it. And then what we're gonna do is we still need to handle this request, because we've handled the domain, we pointed it to GCP, and GCP points it to our load balancer, but okay, then what happens after the load balancer? Well, the answer is we need to proxy it to our virtual machine. So in GCP we have a virtual machine, a single machine, that's running nginx. Nginx is like Apache or Node; it's server software, and this is actually going to return our HTML website. But what's really cool about this is in the past you'd have to set up SSL on your server, so you'd have to add the certificate into the nginx config or the Apache config file, or even in Node you have to set up the SSL. What we're gonna do, which is really slick, is we're gonna do SSL termination at the front end IP, at the load balancer, because again this is the last public endpoint, meaning everything else is private, everything else is in our internal network. So when the request gets here we terminate SSL and we proxy to nginx using HTTP, and that just makes our life a whole lot easier and also is actually more performant: any time you do an SSL handshake there's time associated with that on the device, on the servers, and so you want to potentially limit that. Is there a security concern in this case? No, I mean, it's an internal network, so no one should have access to that. But if someone did have access to it, could they intercept the HTTP and read the plaintext? So you do want to think about that, but as far as agility goes this is the ideal setup here.

So the request comes to the load balancer, the load balancer is just going to proxy to our nginx, our nginx is represented by an internal IP, and we just say, when the request comes in, let's proxy it to... we actually don't even point it to an IP, we point it to a VM group. In GCP they're called VM groups; they expect you to have multiple servers. You can have a VM group with a single server, which is what we're gonna do, but you just point it to your VM group by name, and then the VM group will pick a server, and if there's only one, it'll pick this server here, and this will return our website.

So here's one thing that trips people up: when you're setting this up, it's not all instant. The reason it's not instant is because when we set up our DNS records with our domain registrar, whether it be GoDaddy or Namecheap or whatever it is, there's something called DNS propagation, and it's related to TTL, time to live. When you set these up you can put in place a TTL; it could be 60 seconds, could be five minutes, could be 24 hours. So you put these rules in place and they have to propagate out to the clients, right? First off, the cloud DNS has to update, but then the device's local DNS has to update. So sometimes people make these changes, they don't see their website working immediately, and they think something's wrong; well, it's just propagation happening. One thing you could do to try to expedite the process is on your desktop or your laptop you can run flush DNS; flush DNS should take care of this issue and allow you to validate that your website is working properly. So I think that's basically all of the different points here, but I guess my point is there's a number of different endpoints that this request gets proxied to, and with more popular websites, like large-scale websites, there's even more devices in here. You usually have another layer on top of the complexity called a CDN, which is a content delivery network. So actually, usually what happens is the domain registrar can point to a CDN like Akamai or Cloudflare, and the idea there is if I'm in China and I request google.com, my request better not get proxied through Australia or the US or something like that; it should be geographically efficient, and that's typically what CDNs do. CDNs also offer caching at the edge, they call it, so if I have my website and I'm in Boston, my local server, the closest server in proximity to me, might actually cache an image or cache the actual website, so it doesn't even have to hit the origin server, and then that cache just gets updated at some interval. So there's usually a lot more complexity involved here, but for our setup this is going to be how it works. And the benefit of this is we don't have to buy an SSL certificate, we don't have to worry about it expiring, we just enable it on the load balancer and Google takes care of it, which is awesome; it just saves us a bunch of time. We can stop using it whenever we want, and we just don't have to worry about that headache; we don't have to set it up on the server level. So tons of advantages to that. Anyways, I just wanted to give you a quick background on what's actually going on here, what we're creating, and this is what's going on here. So that's all I have on that front; let's dive right into it.

Okay, so let's get this party started. So step one is let's create a website. We're gonna do so using GCP; this whole example is how to set up SSL easily using GCP. So the way we do that is we go over to Compute Engine, we go over to VM instances, and we go Create Instance. This instance could be an API, it could be Node.js, Flask, Tomcat, Apache, nginx, whatever other server software you're familiar with; it could be any of those. So let's call this demo website, and let's keep it pretty lean here, so I'm just gonna enable traffic on both HTTP and HTTPS. Yeah, I think this is all good. It's gonna give us a Linux server, but it doesn't really matter here, so let's just go ahead and create this. That's just gonna take a second to spin up. Okay, looks like it's ready to go. Note how it gives us an external IP, so if we want to see what the server is responding to localhost with, we can see that by just opening this up in a tab here, and you can see it's gonna put it in HTTPS; let's put it in HTTP, and nothing's coming back. Why? Because we have nothing set up. Let's go set something up and SSH right into it. So what I like to do is I like to run sudo su -. See how it says Timothy, it has my name there? Well, if I do sudo su - it elevates me to root, and that's just better because root can do everything, and so I just don't want to have to deal with anything. So the first thing we do, since this is a new Linux instance, is we're gonna run apt-get update. This will update all the packages, and we're gonna use packages to set up our server; we're gonna use the nginx package. So I should be able to do apt, I think it's apt-get install nginx. apt-get, and I forget what it is, all right, apt-get install nginx. Do you want to continue? Sure do. Okay, so in theory we just installed nginx. Nginx is server software, high-performance load balancer, web service software. I'm actually a fan of nginx; I like the syntax for the server configuration as opposed to Apache. It's also very good if you need a reverse proxy; it's pretty good with that. Oh look, our website just rendered. Why did it render? Because we downloaded nginx, and when we downloaded nginx one of the things that does is it actually stands up your server, so if I do curl localhost I get my HTML page, and this is the same thing we're seeing over here. It just knows to respond to localhost. You could put configs in to respond to a particular path; we're not gonna get into any of that. But just to prove that this is our website and all that, let's make a small edit. So if I go into /var/www, this is usually where nginx puts all its HTML. Yeah, there's this index file, so I'm just gonna do... well, I need a text editor, so I'm going to go back to apt-get install, and I like vim, so I installed vim, and then I'm gonna do vim index. Now I can edit this, so let me just go into our h1 tag here and I'm gonna say SSL tutorial, and I will save that and exit, and now when I refresh my page... so this is my HTML page. There could be a whole hierarchy of static pages or whatever; the point is we have a server set up, and you can see it's not secure because we haven't gotten that far, but we have our server set up, it responds, all looks good. So let's move on to setting up SSL for the server here.

Okay, so we're gonna create our instance group. So let's go over to Instance Groups, Create Instance Group. All right, we want an unmanaged instance group. If we do managed, you have to create this template and then every VM has to abide by that template. We're gonna do unmanaged. I'll call it SSL tutorial instance group, and we're gonna add our VM to it, it's demo website, and I'm gonna do Create. So now we can point our load balancer to it. So let's go to Network Services. All right, so now let's set up the load balancer: SSL tutorial load balancer. All right, now we have to set up all the various aspects of it. Backend configuration: so when the request comes in and hits the load balancer, Google needs to know what to do with it. Well, we point it to our VM group, our instance group, and it's pretty easy here. We do have to create a backend service, so Create Backend Service; we're gonna call this SSL tutorial backend service, and then we just point it to our instance group here, SSL tutorial instance group. Pretty easy. Now we could keep HTTP, but as I mentioned, we want to terminate HTTPS once it gets to the load balancer. So when the request comes in to the load balancer, it's gonna terminate SSL, proxy it to our nginx server, which is more performant and easier to manage, and we should be good to go. I don't think we need to adjust any of these other aspects. Oh, I'm sorry, we do need to set up a health check. A health check is just a route that responds, that Google will call intermittently to determine that the backend service is up and running, so we can keep this really basic. So let's do Create Another Health Check; let's call it SSL tutorial health check. So you might want a designated route like /heartbeat or something, but what we could also do is just ping the homepage. So we're gonna do an HTTP health check; the path is just gonna be forward slash, and then we select the time and the interval here. So it'd be like a machine making a curl request to this every, whatever it is, five seconds or something, and it just wants to make sure that it gets a response back, and it just runs that. You could modify the logic so that it needs a particular response code or needs a particular response body, all that stuff; we don't need to get that complicated. So that's our health check. Now, if it doesn't respond, if it runs curl and it gets some sort of 404 or something, well, in this case that would be okay, but if it didn't get a response then the load balancer will flag it as unhealthy, and it will actually display a front-end Google error. So just make sure that health check route, the forward slash or whatever you use, is valid. Okay, so that's our backend service; let's click Create. Okay, so let's move on to host rules and paths. Yeah, there's nothing fancy here; I don't think we even need to put any host rules in there. Yeah, we don't need to get that fancy, but we do need the front end IP. So let's call this SSL tutorial front end.

So this is where we are gonna do our SSL magic. So what do we want the front end to handle? Inbound requests with HTTPS. How are we going to manage the certificate? And by the way, 443 and HTTPS, same thing, whereas HTTP is port 80; good to keep that in mind. So to make this work the front end IP cannot be ephemeral. Ephemeral means it's subject to change at any point; we want a static IP. So we're going to Create IP; we'll call it SSL tutorial static IP. And instead of uploading a certificate we're going to do Create New Certificate. All right, so again we're just giving it a name, SSL tutorial cert, and we're gonna do Google-managed so it takes care of that. We still need to provide our domain name, the domain name that is going to be proxying requests into the server. Okay, so then we just put our domain in here, I type in my domain, and select Create, and then we're going to go to Review and Finalize. Everything looks good here to me. I go to Create, and Google's gonna put this whole thing together, hopefully. Okay, let's take a look at this guy. All right, so the public-facing IP address is this guy here, and it supports 443. If you request 80 you're not gonna get anything back, and that's the way I want it set up. So you need to make a request that gets proxied through the domain for this to resolve properly, so let's set that up here. So now we just need to set up our domain and then we should be all set.

So let's go over to Cloud DNS and we're going to create a zone. Okay, so it gives us these records out of the box. These name server records are going to be what we use to point the domain to Google Cloud, but what we now need is, okay, once it comes to the Google cloud, where do we proxy the request? We want to proxy inbound requests from here to here; we want to proxy this request to our load balancer, right, to our SSL tutorial load balancer. What is the endpoint that represents this load balancer? The public IP address. So I'm in my load balancer, I'm gonna copy the public IP address and go over to Cloud DNS, open the records that I just created, and I'm gonna create an A record, alias name, so that these inbound requests get pointed to the right load balancer. This is that TTL I was talking about; let's do five seconds just so it flushes quicker. Yeah, and that's how we're gonna know to send the request to the load balancer that we set up, and then the load balancer knows to send it to the VM group, so on and so forth.

So now all we need to set up is our domain. So what's interesting here is I already have this domain set up pointing to another website that's hosted actually on DigitalOcean. So if I run it on my domain, you see it knows the A records, right, and this is the final IP; that's my domain, sorry, that's my DigitalOcean IP address. But let's change that; let's point it to Google. Okay, so I'm gonna go over to my domain registrar, in this case it's Namecheap. They really all function exactly the same, so it should be about the same steps to get it to work on whatever you're using. All right, so again, Namecheap is where I bought my domain, and since I'm keeping it here, this is where you set up those DNS records. So again, here's my domain, this is my domain name list, and I go over to Manage. So currently it's pointing to DigitalOcean name servers; well, let's point it to our GCP name servers, and those are provided here, and I'm literally just gonna copy and paste these in. The reason there's more than one is because if one goes down it'll have some auxiliary servers to try; I'll put them all in there. Okay, I click the little checkbox. Look: DNS server update may take up to 48 hours to take effect. That's true, it could take some time for it to update, but let's see if we can't flush everything and get it working. So I just want to hit my domain here... so the certificate is provisioning right now and that's why it's not working, so let's give it a little bit of time. Okay, so I just waited like 30 minutes here, and now you can see the cert has switched from provisioning to active, so I'm thinking we're probably good to go. Let's go ahead and refresh, and there you have it: see the padlock there? That means it's SSL, and this is the website we set up. Again, just an example; it could be an API, it could be anything. And so that's how you set up Google-managed SSL. Hopefully that answers any questions people have. If you still have questions, feel free to leave them in the comments, and that's all I got. Thanks.
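The console clicks walked through in the captions, written out as an added gcloud script (this is not the video's or the channel's own code), with one addition a defender would want: a firewall rule so that the plaintext hop between the load balancer and nginx is reachable only from Google's load balancer and health-check source ranges rather than from the whole internet. Assumed, as placeholders: zone us-central1-a, the VM named demo-website carrying the http-server tag that the console's "Allow HTTP traffic" box applies, and example.com as the domain.

```shell
#!/bin/sh
# Added example, not the video's own commands: the console steps from the video as
# gcloud calls, plus a firewall rule that keeps the plaintext LB-to-nginx hop private.
# Assumptions (placeholders): zone us-central1-a, the VM "demo-website" tagged
# http-server by the console's "Allow HTTP traffic" box, and the domain example.com.
set -eu

GCLOUD="${GCLOUD:-gcloud}"       # GCLOUD=echo prints the commands instead of running them
ZONE="${ZONE:-us-central1-a}"
VM="${VM:-demo-website}"
DOMAIN="${DOMAIN:-example.com}"

# 1. Unmanaged instance group holding the single nginx VM, plus the health check
#    and an HTTP backend service: TLS ends at the load balancer, the VM sees HTTP.
create_backend() {
  $GCLOUD compute instance-groups unmanaged create ssl-tutorial-instance-group --zone="$ZONE"
  $GCLOUD compute instance-groups unmanaged add-instances ssl-tutorial-instance-group \
    --zone="$ZONE" --instances="$VM"
  $GCLOUD compute instance-groups set-named-ports ssl-tutorial-instance-group \
    --zone="$ZONE" --named-ports=http:80
  $GCLOUD compute health-checks create http ssl-tutorial-health-check \
    --port=80 --request-path=/ --check-interval=5s --timeout=5s
  $GCLOUD compute backend-services create ssl-tutorial-backend-service --global \
    --protocol=HTTP --port-name=http --health-checks=ssl-tutorial-health-check
  $GCLOUD compute backend-services add-backend ssl-tutorial-backend-service --global \
    --instance-group=ssl-tutorial-instance-group --instance-group-zone="$ZONE"
}

# 2. Frontend: URL map, Google-managed certificate, static IP and a 443-only
#    forwarding rule (no port 80 rule, matching the video's "request 80 and get nothing").
create_frontend() {
  $GCLOUD compute url-maps create ssl-tutorial-load-balancer \
    --default-service=ssl-tutorial-backend-service
  $GCLOUD compute ssl-certificates create ssl-tutorial-cert --global --domains="$DOMAIN"
  $GCLOUD compute target-https-proxies create ssl-tutorial-https-proxy \
    --url-map=ssl-tutorial-load-balancer --ssl-certificates=ssl-tutorial-cert
  $GCLOUD compute addresses create ssl-tutorial-static-ip --global --ip-version=IPV4
  $GCLOUD compute forwarding-rules create ssl-tutorial-https-rule --global \
    --address=ssl-tutorial-static-ip --target-https-proxy=ssl-tutorial-https-proxy --ports=443
}

# 3. The hop behind the load balancer is plaintext, so allow port 80 on the VM only from
#    Google's load balancer and health-check source ranges, not from the whole internet
#    (the console's default-allow-http rule should then be deleted).
restrict_backend_ingress() {
  $GCLOUD compute firewall-rules create allow-lb-to-nginx --network=default \
    --direction=INGRESS --action=ALLOW --rules=tcp:80 \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags=http-server
}

# 4. Cloud DNS zone with a short-TTL A record for the apex pointing at the LB's static IP.
#    The printed name servers go into the registrar; the managed cert only turns ACTIVE
#    once the domain resolves to this IP, hence the provisioning wait seen in the video.
create_dns() {
  ip=$($GCLOUD compute addresses describe ssl-tutorial-static-ip --global --format='value(address)')
  $GCLOUD dns managed-zones create ssl-tutorial-zone --dns-name="$DOMAIN." --description="$DOMAIN"
  $GCLOUD dns record-sets create "$DOMAIN." --zone=ssl-tutorial-zone --type=A --ttl=5 --rrdatas="$ip"
  $GCLOUD dns managed-zones describe ssl-tutorial-zone --format='value(nameServers)'
}

# Run everything only when invoked as "sh setup-lb.sh apply"; sourcing just defines the functions.
if [ "${1:-}" = "apply" ]; then
  create_backend && create_frontend && restrict_backend_ingress && create_dns
fi
```

Run with GCLOUD=echo first to review the exact commands before applying them against a real project.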
Info
Channel: Refactored
Views: 11,029
Keywords: google cloud platform, google cloud ssl, google cloud, lets encrypt, ssl certificate, ssl, https, how to setup ssl, tutorial, nginx, google load balancer, google managed ssl, website security, port 443, decrypt, rsa, tls, comodo, 256-bit, positivessl, qualys, sha256, cipher suite, ssl labs, namecheap, apache, free ssl
Id: 245ZJLm1AV4
Length: 33min 3sec (1983 seconds)
Published: Sun Jun 21 2020