From b6ec49bedbec0699d10af9b210dda95bf1b9cff7 Mon Sep 17 00:00:00 2001 From: santini-cyber Date: Thu, 19 Oct 2023 20:21:46 -0400 Subject: [PATCH 1/3] Instructions for https configuration on an AWS EC2 instance running Amazon Linux 2023. --- .../cloudformation/aws_https_instructions.md | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 cloud-deployments/aws/cloudformation/aws_https_instructions.md diff --git a/cloud-deployments/aws/cloudformation/aws_https_instructions.md b/cloud-deployments/aws/cloudformation/aws_https_instructions.md new file mode 100644 index 00000000000..c6157be4e65 --- /dev/null +++ b/cloud-deployments/aws/cloudformation/aws_https_instructions.md @@ -0,0 +1,92 @@ +# How to Configure HTTPS for Anything LLM AWS private deployment +Instructions for manual https configuration after generating and running the aws cloudformation template (aws_build_from_source_no_credentials.json). Tested on following browsers: Firefox version 119, Chrome version 118, Edge 118. + +**Requirements** +- Successful deployment of Amazon Linux 2023 EC2 instance with Docker container running Anything LLM +- Admin priv to configure Elastic IP for EC2 instance via AWS Management Console UI +- Admin priv to configure DNS services (i.e. AWS Route 53) via AWS Management Console UI +- Admin priv to configure EC2 Security Group rules via AWS Management Console UI + +## Step 1: Allocate and assign Elastic IP Address to your deployed EC2 instance +1. Follow AWS instructions on allocating EIP here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-allocating +2. Follow AWS instructions on assigning EIP to EC2 instance here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating + +## Step 2: Configure DNS A record to resolve to the previously assigned EC2 instance via EIP +These instructions assume that you already have a top-level domain configured and are using a subdomain +to access AnythingLLM. +1. Follow AWS instructions on routing traffic to EC2 instance here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-ec2-instance.html + +## Step 3: Install and enable nginx +These instructions are for CLI configuration and assume you are logged in to EC2 instance as the ec2-user. +1. $sudo yum install nginx -y +2. $sudo systemctl enable nginx && sudo systemctl start nginx + +## Step 4: Install certbot +These instructions are for CLI configuration and assume you are logged in to EC2 instance as the ec2-user. +1. $sudo yum install -y augeas-libs +2. $sudo python3 -m venv /opt/certbot/ +3. $sudo /opt/certbot/bin/pip install --upgrade pip +4. $sudo /opt/certbot/bin/pip install certbot certbot-nginx +5. $sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot + +## Step 5: Configure temporary Inbound Traffic Rule for Security Group to certbot DNS verification +1. Follow AWS instructions on creating inbound rule (http port 80 0.0.0.0/0) for EC2 security group here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#adding-security-group-rule + +## Step 6: Comment out default http NGINX proxy configuration +These instructions are for CLI configuration and assume you are logged in to EC2 instance as the ec2-user. +1. $sudo vi /etc/nginx/nginx.conf +2. In the nginx.conf file, comment out the default server block configuration for http/port 80. It should look something like the following: +# server { +# listen 80; +# listen [::]:80; +# server_name _; +# root /usr/share/nginx/html; +# +# # Load configuration files for the default server block. +# include /etc/nginx/default.d/*.conf; +# +# error_page 404 /404.html; +# location = /404.html { +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# } +# } +3. Enter ':wq' to save the changes to the nginx default config + +## Step 7: Create simple http proxy configuration for AnythingLLM +These instructions are for CLI configuration and assume you are logged in to EC2 instance as the ec2-user. +1. $sudo vi /etc/nginx/conf.d/anything.conf +2. Add the following configuration ensuring that you add your FQDN:. +server { + + listen 80; + server_name [insert FQDN here]]; + location / { + proxy_pass http://0.0.0.0:3001; + } +} +3. Enter ':wq' to save the changes to the anything config file + +## Step 8: Test nginx http proxy config and restart nginx service +These instructions are for CLI configuration and assume you are logged in to EC2 instance as the ec2-user. +1. $sudo nginx -t +2. $sudo systemctl restart nginx +3. Navigate to http://FQDN in a browser and you should be proxied to the AnythingLLM web UI. + +## Step 9: Generate/install cert +These instructions are for CLI configuration and assume you are logged in to EC2 instance as the ec2-user. +1. $sudo certbot --nginx -d [Insert FQDN here] + Example command: $sudo certbot --nginx -d anythingllm.exampleorganization.org +2. Enter the email address you would like to use for updates. +3. Accept the terms of service. +4. Accept or decline to recieve communication from letsencrypt. + +## Step 10: Test Cert installation +1. $sudo cat /etc/nginx/conf.d/anything.conf +Your should see a completely updated configuration that includes https/443 and a redirect configuration for http/80. +2. Navigate to https://FQDN in a browser and you should be proxied to the AnythingLLM web UI. + +## Step 11: (Optional) Remove temporary Inbound Traffic Rule for Security Group to certbot DNS verification +1. Follow AWS instructions on deleting inbound rule (http port 80 0.0.0.0/0) for EC2 security group here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#deleting-security-group-rule From 452e12068a70dade9fb2c02007505eb2d6e8b314 Mon Sep 17 00:00:00 2001 From: santini-cyber <98556065+santini-cyber@users.noreply.github.com> Date: Fri, 20 Oct 2023 11:40:38 -0400 Subject: [PATCH 2/3] Update aws_https_instructions.md --- cloud-deployments/aws/cloudformation/aws_https_instructions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud-deployments/aws/cloudformation/aws_https_instructions.md b/cloud-deployments/aws/cloudformation/aws_https_instructions.md index c6157be4e65..0a2e1825b98 100644 --- a/cloud-deployments/aws/cloudformation/aws_https_instructions.md +++ b/cloud-deployments/aws/cloudformation/aws_https_instructions.md @@ -62,7 +62,7 @@ These instructions are for CLI configuration and assume you are logged in to EC2 server { listen 80; - server_name [insert FQDN here]]; + server_name [insert FQDN here]; location / { proxy_pass http://0.0.0.0:3001; } From 6de21ca17f204c8682465471acae55e71dc7da80 Mon Sep 17 00:00:00 2001 From: santini-cyber <98556065+santini-cyber@users.noreply.github.com> Date: Fri, 20 Oct 2023 11:46:31 -0400 Subject: [PATCH 3/3] Update aws_https_instructions.md --- .../aws/cloudformation/aws_https_instructions.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cloud-deployments/aws/cloudformation/aws_https_instructions.md b/cloud-deployments/aws/cloudformation/aws_https_instructions.md index 0a2e1825b98..16c80488807 100644 --- a/cloud-deployments/aws/cloudformation/aws_https_instructions.md +++ b/cloud-deployments/aws/cloudformation/aws_https_instructions.md @@ -79,9 +79,11 @@ These instructions are for CLI configuration and assume you are logged in to EC2 These instructions are for CLI configuration and assume you are logged in to EC2 instance as the ec2-user. 1. $sudo certbot --nginx -d [Insert FQDN here] Example command: $sudo certbot --nginx -d anythingllm.exampleorganization.org -2. Enter the email address you would like to use for updates. -3. Accept the terms of service. -4. Accept or decline to recieve communication from letsencrypt. + This command will generate the appropriate certificate files, write the files to /etc/letsencrypt/live/yourFQDN, and make updates to the nginx + configuration file for anythingllm locdated at /etc/nginx/conf.d/anything.llm +3. Enter the email address you would like to use for updates. +4. Accept the terms of service. +5. Accept or decline to recieve communication from letsencrypt. ## Step 10: Test Cert installation 1. $sudo cat /etc/nginx/conf.d/anything.conf