Open Ir0nOx opened 2 years ago
Why not use a self-signed certificate on the Kasm web instance, and add an ALB (as reverse proxy) in front of that, using the ACM-issued certificate?
Kasm allows for two different architectures, one where all traffic flows through the API servers and one where the iframe for the desktop connection goes directly to the agent. In the 'direct to agent' architecture, a wildcard cert for the domain is needed on the agent. In the default architecture, where all traffic flows through the API servers, you can just use any self-signed cert. If you don't want to generate one yourself, just SSH to one of the agents and look under /opt/kasm/current/certs and you can copy the content of the nginx cert and key respectively.
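One way to generate the self-signed pair mentioned above and check it before pasting the PEM contents into the auto-scale configuration, as an added example that is not part of the original thread or Kasm's own tooling. The file names, common name and validity period are assumptions, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: create a self-signed certificate and key in PEM form, then
# verify the pair. File names (agent.crt / agent.key) are assumptions.

make_agent_cert() {
    # $1 = output directory, $2 = common name, $3 = validity in days
    mkdir -p "$1" || return 1
    (
        umask 077   # keep the private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
            -days "${3:-365}" -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2" \
            -keyout "$1/agent.key" -out "$1/agent.crt" 2>/dev/null
    )
}

cert_matches_key() {
    # $1 = certificate, $2 = private key
    # Succeeds only when both files carry the same public key, which catches
    # a cert pasted next to the wrong key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

cert_valid_for() {
    # $1 = certificate, $2 = seconds from now
    # Succeeds if the certificate will still be valid at that point.
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Typical use (constructed host name):
#   make_agent_cert ./certs kasm-agent.example.internal 365
#   cert_matches_key ./certs/agent.crt ./certs/agent.key && echo "pair OK"
#   cert_valid_for ./certs/agent.crt 2592000 || echo "expires within 30 days"
```

Because the ALB terminates TLS with the ACM-issued certificate, the self-signed pair is only seen on the hop behind it; the expiry check is worth scheduling since nothing renews a self-signed certificate automatically.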
@mmcclaskey
Thank you for the quick response. I'll give that a try!
Hi @mmcclaskey,
Does a launch template and auto scaling group need to be created? Also, I have yet to test, but any reported issues using Elastic File Storage (EFS) with Kasm Auto scaling? I'm guessing inputting a bootstrap script in the "Startup Script" should suffice.
If you are referring to AWS EC2 auto scaling there is no need to configure anything, Kasm handles auto scaling itself.
We do have clients that use EFS for persistent profile storage and it works fine. You will need to modify the startup script to install and configure that on the host. I believe you will also need to ensure the EC2 IAM profile has the proper policy to access EFS.
Yes. I'm sorry for not clarifying that I was referring to AWS EC2 auto scaling. Thank you @mmcclaskey.
Any future implementations regarding not having to assign Kasm AWS access and secret keys for auto scaling? AWS roles avoid having to hardcode access keys for applications.
Nothing in our pipeline at this moment. We commonly will put the API/Manager servers in AWS and compute in DigitalOcean or Oracle, just for example. So we can't assume that everyone auto scaling agents in AWS is running their API/Managers in AWS. Also there are lots of people with hybrid architectures, running baseline demand on-premise and auto-scaling to AWS to support peak demand. Correct me if I'm wrong, but I believe programmatic access is the only way to universally support this across any deployment configuration.
Hello @mmcclaskey & @j-travis,
Kasm's auto-scaling capabilities worked well. It was a bit of a pain to generate a proper and secure IAM policy to assign; there was a lot of error reading in Kasm to discover the hindrances. Anyways, it is functional. However, I am unable to discard the cloud auto scaling agents that errored (shown below):
It has been in "delete_pending" status for 29 days. (UPDATE)
To whom it may concern,
I have created a Kasm multi-server architecture and would like to take advantage of the cloud auto-scaling capabilities (I already have the license). However, when trying to establish auto-scaling within Kasm, I'm not sure where to obtain the Nginx Cert and Key. The website is hosted by AWS's Route 53 and the SSL/TLS certs were created by AWS Certificate Manager (ACM).
As stated in the AWS Certificate Manager User Guide: "You cannot use ACM to install a public certificate directly on your AWS based website or application. You must use one of the services integrated with ACM."
AWS does not provide the ability to obtain PEM certs in ACM.
I could obtain the PEM hosted within the Kasm Database; however, I am not sure that would be a solution.
Your assistance is greatly appreciated. Thank you!