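def __init__(self, scope: Construct, id: str, *, alb: IApplicationLoadBalancer, **kwargs) -> None:
    """Create the shared HTTPS (443) listener and the HTTP (80) redirect on *alb*.

    Only one instance may exist: the instance is published through the
    module-level ``g_listener_https`` so other code can attach to the
    shared listener.

    Args:
        scope: Parent construct.
        id: Construct id.
        alb: Application Load Balancer the two listeners are attached to.
        **kwargs: Passed through to the parent constructor.

    Raises:
        RuntimeError: if an instance has already been created.
    """
    global g_listener_https
    # Guard first, before anything is added to the construct tree, so a
    # second instance fails without leaving half-created listeners behind.
    if g_listener_https is not None:
        raise RuntimeError("Only a single ListenerHTTPSStack instance can exist")

    super().__init__(scope, id, **kwargs)
    Tags.of(self).add("Stack", "Common-Listener-Https")

    self._used_priorities = []
    self._subdomains_cert = {}
    self._alb = alb

    self._listener = ApplicationListener(
        self,
        "Listener-Https",
        load_balancer=alb,
        port=443,
        protocol=ApplicationProtocol.HTTPS,
    )
    # By default, only IPv4 is added to allowed connections
    self._listener.connections.allow_default_port_from(
        other=Peer.any_ipv6(),
        description="Allow from anyone on port 443",
    )
    # Make sure there is always a backend picking up, even if we don't know
    # the host: unmatched hosts get a plain 404 instead of an ALB error.
    self._listener.add_fixed_response(
        "default",
        status_code="404",
        message_body="Page not found",
    )

    # Add a redirect; in case people go to HTTP, redirect them to HTTPS.
    self._http_listener = ApplicationListener(
        self,
        "Listener-Http",
        load_balancer=alb,
        port=80,
        protocol=ApplicationProtocol.HTTP,
    )
    self._http_listener.connections.allow_default_port_from(
        other=Peer.any_ipv6(),
        description="Allow from anyone on port 80",
    )
    self._http_listener.add_redirect_response(
        "Http-To-Https",
        status_code="HTTP_301",
        port="443",
        protocol="HTTPS",
    )

    g_listener_https = self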
def add_nlb(self, scope: Construct, service: IEc2Service, port: Port, subdomain_name: str, description: str) -> None:
    """Expose *service* through the NLB on *port* under *subdomain_name*.

    Tags the service with the protocol and port, creates the alias record
    for the subdomain, and opens the NLB security group on *port* to all
    IPv6 and IPv4 sources.

    Args:
        scope: Construct scope used for the alias record.
        service: ECS service that receives the NLB tags.
        port: Port to open; its rule JSON supplies the tag values.
        subdomain_name: Subdomain to alias to the NLB.
        description: Prefix for the ingress rule descriptions.
    """
    rule = port.to_rule_json()
    # presumably read back by whatever provisions the NLB listener; the
    # consumer is not visible in this file.
    service_tags = Tags.of(service)
    service_tags.add("NLB-protocol", rule["ipProtocol"])
    service_tags.add("NLB-port", str(rule["fromPort"]))

    self.create_alias(scope, subdomain_name)

    # NOTE(review): only the range start ("fromPort") is tagged; a Port that
    # spans a range would lose its upper bound here — confirm callers always
    # pass single ports.
    ingress = (
        (Peer.any_ipv6(), f"{description} (IPv6)"),
        (Peer.any_ipv4(), f"{description} (IPv4)"),
    )
    for source, rule_description in ingress:
        self.security_group.add_ingress_rule(
            peer=source,
            connection=port,
            description=rule_description,
        )
def get_web_security_group(self, vpc):
    """Return a tagged security group for the web hosts in *vpc*.

    Inbound TCP on SSH_PORT, HTTP_PORT and HTTPS_PORT is allowed from any
    IPv4 and any IPv6 address; all outbound traffic is allowed.

    NOTE(review): SSH_PORT is opened to 0.0.0.0/0 and ::/0 alongside the
    web ports. If administrative access is meant to be limited (bastion,
    VPN or a fixed CIDR), that rule should use a narrower peer.
    """
    group = SecurityGroup(
        self._stack,
        'obm_web',
        vpc=vpc,
        allow_all_outbound=True,
    )
    web_ports = [
        Port(
            from_port=number,
            to_port=number,
            protocol=Protocol.TCP,
            string_representation=f"Port {number}",
        )
        for number in (SSH_PORT, HTTP_PORT, HTTPS_PORT)
    ]
    for tcp_port in web_ports:
        # One rule per address family, IPv4 then IPv6.
        group.add_ingress_rule(peer=Peer.any_ipv4(), connection=tcp_port)
        group.add_ingress_rule(peer=Peer.any_ipv6(), connection=tcp_port)
    self._tag_it(group)
    return group