Resources for setting up a gateway on AWS

My company is trying to put our in-house Ignition application on AWS. We have the server already, a copy of our prod database, and Ignition installed on the EC2 instance. I am able to run our application on it no problem when I remote in.

How do I go from here, to allowing other external users to easily remote in and use the application as intended? The Ignition documentation on this seems sorely lacking. If anyone could point me in the right direction, I’d greatly appreciate it.

As far as I know you won’t need to remote in as such.

Set up the AWS firewall to allow port 8088; then, using the external IP:8088, you will get to the admin pages to download the client launchers.

Some extra stuff will be needed if you’re using SSL, or a DDNS in case the AWS isn’t a fixed IP address, but in a nutshell that’s it. If your server is Windows it may have an additional firewall.

I installed Ignition on AWS a while back doing some testing during their trial period with no issues.


Ok so I think I was misunderstanding the architecture. Basically my AWS EC2 will run the gateway server, I download the client launchers that I want to be able to connect to said gateway on other computers, and once the firewall is set up correctly I should be able to then launch.

You really don’t want to expose unencrypted Ignition on a public IP address. Any man-in-the-middle who captures your traffic will get all usernames and passwords in the clear.


Setting up SSL would correct that?

For info…


Yes. You still have to leave the unencrypted port open, as Ignition uses it for static resources even when SSL is turned on, but all of the critical traffic is encrypted.
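
An added example, not part of the original thread: a small audit of the EC2 security group's ingress rules that reports where the gateway ports discussed above are reachable from any address. The sample JSON is constructed in the shape of `aws ec2 describe-security-groups` output, `sg-EXAMPLE` is a placeholder, and 8043 as the SSL port is an assumption (Ignition's default), since the thread only names 8088.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []}
]}]}
""")

PORTS = {8088: "plaintext HTTP", 8043: "SSL"}  # 8043: assumed SSL port, not from the thread


def covers(rule, port):
    """True if an ingress rule's protocol and port range include `port`."""
    proto = rule["IpProtocol"]
    if proto == "-1":                       # "-1" means all protocols and ports
        return True
    return proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def sources(rule):
    """Yield every IPv4 and IPv6 source network on a rule."""
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"], strict=False)
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"], strict=False)


def audit(doc, ports=PORTS):
    """Return (group, port, label, cidr) for gateway ports open to any address."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            open_nets = [n for n in sources(rule) if n.prefixlen == 0]  # 0.0.0.0/0 or ::/0
            for port, label in ports.items():
                if covers(rule, port):
                    findings += [(sg["GroupId"], port, label, str(n)) for n in open_nets]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: port %d (%s) reachable from %s" % finding)
```

The second sample rule shows the case that is easy to miss: a wide port range with a restricted IPv4 source but an open IPv6 source still exposes both gateway ports.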

The client launcher then points to the SSL port?

So it’s more or less the same steps as above with the addition of installing the SSL on the server and opening 2 ports.

I have it running now. I’m going to be following the Ignition Security Hardening Guide. Thanks for the information.

Last question -

Here, the GeoTrust QuickSSL Basic DV or QuickSSL Premium DV should work for my needs? We will not be accessing Gateway on a domain through the browser, we are only going to be installing native client launchers on the computers that will be using our application, if that makes a difference.