We are trying to set up HTTPS access to our website that is being deployed using Elastic Beanstalk.
Here are the steps that we have taken:
1. Obtained a certificate from Amazon Certificate Manager.
2. In our EB application environment, under Configuration, we have added another listener to the Classic Load Balancer. The setting for this new listener is this:
   - Port: 443
   - Protocol: HTTPS
   - Instance Port: 443
   - Instance Protocol: HTTPS
   - SSL certificate: (certificate that we created in step 1)
3. Since adding this new listener created another Security Group that has an Inbound rule for 443, that security group was added to the instance.
4. Finally, we went to the Load Balancers page, and for the load balancer for this app, we added another listener with these settings:
   - Load Balancer Protocol: HTTPS
   - Load Balancer Port: 443
   - Instance Protocol: HTTPS
   - Instance Port: 443
   - Cipher: ELBSecurityPolicy-2016-08 (default)
   - SSL Certificate: (certificate that we created in step 1)
But we are still unable to access our website through https. Any idea what else needs to be done?
Another point. In Step #4, if only 443 load balancer port is present with these settings:
HTTPS 443 HTTP 80 (cert)
then, the website is accessible through only https and not http.
So this tweak indicates that there is no problem with the certificate.
What are we missing in our configuration?
In order to use an SSL certificate for your Elastic Beanstalk App, you'll need to change the configuration of your app to use Load Balancers as opposed to a single instance.
If you assign a certificate to the listener in your EB setup, by default it is assigned to the Load Balancer. The Load Balancer terminates the HTTPS connection from the internet, and communicates with the instances using HTTP (no encryption). Therefore you would need to open up port 80 unencrypted to the instances from the load balancer.
If you must have end-to-end encryption to your instances, you need to configure your EB environment to pass HTTPS straight through the Load Balancer:
.ebextensions/https-reencrypt-clb.config
Use this configuration file with a Classic Load Balancer. In addition to configuring the load balancer, the configuration file also changes the default health check to use port 443 and HTTPS, to ensure that the load balancer can connect securely.
    option_settings:
      aws:elb:listener:443:
        InstancePort: 443
        InstanceProtocol: HTTPS
      aws:elasticbeanstalk:application:
        Application Healthcheck URL: HTTPS:443/
Update your Security Group config for your instances:
.ebextensions/https-instance-securitygroup.config
    Resources:
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0
And configure the certificate on the instances, which can be a self signed cert:
.ebextensions/https-backendauth.config
    option_settings:
      # Backend Encryption Policy
      aws:elb:policies:backendencryption:
        PublicKeyPolicyNames: backendkey
        InstancePorts: 443
      # Public Key Policy
      aws:elb:policies:backendkey:
        PublicKey: |
          -----BEGIN CERTIFICATE-----
          ################################################################
          ################################################################
          ################################################################
          ################################################################
          ################################################
          -----END CERTIFICATE-----
See a more detailed rundown with options for different types of load balancers here.
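The checks described in the answer above, collected as an added example (not code from the original answer or from AWS): it audits saved output of `aws elb describe-load-balancers` and `aws ec2 describe-security-groups` for a Classic Load Balancer. The function names, finding strings and the `sg-0example` group id are constructed for illustration.

```python
# Added example (not from the original answer). Input dicts mirror the JSON from
# `aws elb describe-load-balancers` and `aws ec2 describe-security-groups`.

def port_sources(sg, port):
    """Return (cidrs, group_ids) allowed to reach TCP `port` in a security group."""
    cidrs, groups = set(), set()
    for perm in sg.get("IpPermissions", []):
        all_traffic = perm.get("IpProtocol") == "-1"
        tcp_match = (perm.get("IpProtocol") == "tcp"
                     and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))
        if all_traffic or tcp_match:
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            groups.update(g["GroupId"] for g in perm.get("UserIdGroupPairs", []))
    return cidrs, groups

def audit(lb, instance_sg, lb_sg_id):
    """Return finding strings for every HTTPS/SSL front-end listener."""
    findings = []
    backend = {b["InstancePort"]: b.get("PolicyNames", [])
               for b in lb.get("BackendServerDescriptions", [])}
    hc_proto, _, hc_rest = lb["HealthCheck"]["Target"].partition(":")
    hc_port = hc_rest.split("/")[0]
    for desc in lb["ListenerDescriptions"]:
        lsn = desc["Listener"]
        if lsn["Protocol"].upper() not in ("HTTPS", "SSL"):
            continue
        port = lsn["InstancePort"]
        cidrs, groups = port_sources(instance_sg, port)
        # Simplification: only 0.0.0.0/0 or the LB's group count as "LB can reach it".
        if lb_sg_id not in groups and "0.0.0.0/0" not in cidrs:
            findings.append(f"instance-sg-blocks-lb:{port}")
        if "0.0.0.0/0" in cidrs:
            findings.append(f"instance-port-open-to-world:{port}")
        if lsn["InstanceProtocol"].upper() in ("HTTPS", "SSL"):  # re-encrypting
            if not backend.get(port):  # LB will not check the instance certificate
                findings.append(f"no-backend-auth-policy:{port}")
            if hc_proto.upper() not in ("HTTPS", "SSL") or hc_port != str(port):
                findings.append(f"health-check-not-tls:{port}")
    return findings
# Constructed sample: HTTPS:443 -> HTTPS:443, TCP:80 health check, world-open 443.
SAMPLE_LB = {
    "ListenerDescriptions": [{"Listener": {
        "Protocol": "HTTPS", "LoadBalancerPort": 443,
        "InstanceProtocol": "HTTPS", "InstancePort": 443}}],
    "BackendServerDescriptions": [],
    "HealthCheck": {"Target": "TCP:80"},
}
SAMPLE_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
print(audit(SAMPLE_LB, SAMPLE_SG, "sg-0example"))
```

An empty list means the listener, the instance security group, the backend policy and the health check agree with each other; it does not confirm that the instance itself is serving TLS on that port.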