
Enabling HTTPS and HTTP with Elastic Beanstalk application

We are trying to set up HTTPS access to our website that is being deployed using Elastic Beanstalk.

Here are the steps that we have taken:

  1. Obtained a certificate from Amazon Certificate Manager.

  2. In our EB application environment, under Configuration, we have added another listener to the Classic Load Balancer. The setting for this new listener is this:

    Port: 443  
    Protocol: HTTPS  
    Instance Port: 443  
    Instance Protocol: HTTPS  
    SSL certificate: (certificate that we created in step 1)  
    
  3. Since adding this new listener created another Security Group that has an Inbound rule for 443, that security group was added to the instance.

  4. Finally, we went to the Load Balancers page, and for the load balancer for this app, we added another listener with these settings:

    Load Balancer Protocol: HTTPS  
    Load Balancer Port: 443  
    Instance Protocol: HTTPS  
    Instance Port: 443  
    Cipher: ELBSecurityPolicy-2016-08 (default)  
    SSL Certificate: (certificate that we created in step 1)  
    

But we are still unable to access our website through https. Any idea what else needs to be done?

Another point. In Step #4, if only 443 load balancer port is present with these settings:

    Load Balancer Protocol: HTTPS
    Load Balancer Port: 443
    Instance Protocol: HTTP
    Instance Port: 80
    SSL Certificate: (cert)

then, the website is accessible through only https and not http.

So this tweak indicates that there is no problem with the certificate.

What are we missing in our configuration?

sridharraman asked Nov 14 '18 11:11




1 Answer

If you assign a certificate to the listener in your EB setup, by default it is assigned to the Load Balancer. The Load Balancer terminates the HTTPS connection from the internet, and communicates with the instances using HTTP (no encryption). Therefore you would need to open up port 80 unencrypted to the instances from the load balancer.

If you must have end-to-end encryption to your instances, you need to configure your EB environment to pass HTTPS straight through the Load Balancer:

.ebextensions/https-reencrypt-clb.config

Use this configuration file with a Classic Load Balancer. In addition to configuring the load balancer, the configuration file also changes the default health check to use port 443 and HTTPS, to ensure that the load balancer can connect securely.

    option_settings:
      aws:elb:listener:443:
        InstancePort: 443
        InstanceProtocol: HTTPS
      aws:elasticbeanstalk:application:
        Application Healthcheck URL: HTTPS:443/

Update your Security Group config for your instances:

.ebextensions/https-instance-securitygroup.config

    Resources:
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0

And configure the certificate on the instances, which can be a self-signed cert:

.ebextensions/https-backendauth.config

    option_settings:
      # Backend Encryption Policy
      aws:elb:policies:backendencryption:
        PublicKeyPolicyNames: backendkey
        InstancePorts:  443
      # Public Key Policy
      aws:elb:policies:backendkey:
        PublicKey: |
          -----BEGIN CERTIFICATE-----
          ################################################################
          ################################################################
          ################################################################
          ################################################################
          ################################################
          -----END CERTIFICATE-----

See a more detailed rundown with options for different types of load balancers here.

Matt D answered Oct 16 '22 11:10
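
The following offline check is an added example, not code from the question, the answer or AWS. It compares each listener's backend side with what the instance actually serves and with the instance security-group rules, for the three setups discussed on this page. The `served` and `ingress` input shapes, the finding names and `sg-EXAMPLE-LB` are assumptions made for illustration, as is the premise that the question's instance serves only HTTP on port 80.

```python
def audit(listeners, served, ingress):
    """Return (finding, instance_port) pairs for a Classic Load Balancer.

    listeners: dicts with the Classic ELB API's Listener field names.
    served:    {port: protocol} the instance web server answers on (assumed input).
    ingress:   instance security-group rules as {"port", "source"} (simplified shape).
    """
    findings = []
    for lst in listeners:
        port, proto = lst["InstancePort"], lst["InstanceProtocol"]
        # Listener forwards to a port/protocol nothing answers on: health
        # checks fail and the site is unreachable through this listener.
        if served.get(port) != proto:
            findings.append(("BACKEND_NOT_SERVING", port))
        # TLS ends at the load balancer; the hop to the instance is cleartext.
        if lst["Protocol"] == "HTTPS" and proto == "HTTP":
            findings.append(("TLS_TERMINATED_AT_LB", port))
        sources = [r["source"] for r in ingress if r["port"] == port]
        if not sources:
            findings.append(("NO_INGRESS_FOR_BACKEND_PORT", port))
        # A world-open backend port lets clients bypass the load balancer.
        if "0.0.0.0/0" in sources:
            findings.append(("BACKEND_OPEN_TO_INTERNET", port))
    return findings


def listener(instance_proto, instance_port):
    """Build an HTTPS:443 front-end listener with the given backend side."""
    return {"Protocol": "HTTPS", "LoadBalancerPort": 443,
            "InstanceProtocol": instance_proto, "InstancePort": instance_port}


# Constructed inputs. "sg-EXAMPLE-LB" is a placeholder for the load balancer's group.
LB_ONLY_80 = [{"port": 80, "source": "sg-EXAMPLE-LB"}]
LB_ONLY_443 = [{"port": 443, "source": "sg-EXAMPLE-LB"}]
WORLD_443 = [{"port": 443, "source": "0.0.0.0/0"}]

# Question's setup: HTTPS -> HTTPS:443, instance assumed to serve only HTTP on 80.
QUESTION = audit([listener("HTTPS", 443)], {80: "HTTP"}, LB_ONLY_443)
# Termination at the load balancer, as the answer's first paragraph describes.
TERMINATE = audit([listener("HTTP", 80)], {80: "HTTP"}, LB_ONLY_80)
# Answer's re-encrypt setup with its CidrIp: 0.0.0.0/0 ingress rule.
REENCRYPT = audit([listener("HTTPS", 443)], {443: "HTTPS"}, WORLD_443)

if __name__ == "__main__":
    for name in ("QUESTION", "TERMINATE", "REENCRYPT"):
        print(name, globals()[name])
```
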