Skip to content

Instantly share code, notes, and snippets.

@Guneetgstar

Guneetgstar/.ebextensions\https-instance-securitygroup.config

Last active August 14, 2023 09:57
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save Guneetgstar/4daae13081fb72a62eba5538e22a8cb0 to your computer and use it in GitHub Desktop.
Save Guneetgstar/4daae13081fb72a62eba5538e22a8cb0 to your computer and use it in GitHub Desktop.
Download ZIP
Amazon Elastic Beanstalk with SSL (HTTPS) without a Load Balancer on Single Instanced EC2 Amazon Linux 2 Image (Java)
Raw
.ebextensions\https-instance-securitygroup.config
######
## See https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/security-configuration for refrence.
# .ebextensions/https-instance-securitygroup.config
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
# Optional, for SSH
sshSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 22
FromPort: 22
CidrIp: 0.0.0.0/0
Raw
.ebextensions\https-instance.config
######
## See https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/security-configuration
# for refrence.
# .ebextensions/https-instance.config
files:
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
**Paste your certificate here**
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
**If chained cirtificate, paste your chain here**
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN PRIVATE KEY-----
**Paste your key here**
-----END PRIVATE KEY-----
container_commands:
01restart_nginx:
command: "service nginx restart"
Raw
.platform\hooks\postdeploy\script.sh
#!/bin/bash
# .platform/hooks/postdeploy/script.sh
echo 'server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}' > '/etc/nginx/conf.d/https.conf'
echo 'location / {
return 301 https://$host$request_uri;
}' > '/etc/nginx/conf.d/elasticbeanstalk/00_application.conf'
service nginx restart
Raw
Buildfile
build: mvn clean help:active-profiles package -Pprod
# I am using spring-boot project but you might need to change the build commant required to make the fat jar.
Raw
etc\nginx\nginx.conf
#Elastic Beanstalk Nginx Configuration File
######### This is a sample /etc/nginx/nginx.conf file.
###### Only for refrence.
#### This file is supposed to be already present as it is in the EC2 instance to make the get the desired outcome (https).
usernginx;
error_log/var/log/nginx/error.log warn;
pid/var/run/nginx.pid;
worker_processesauto;
worker_rlimit_nofile 32137;
events {
worker_connections 1024;
}
http {
include/etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
########
### Here our generated https.conf will be included
include conf.d/*.conf;
map $http_upgrade $connection_upgrade {
default "upgrade";
}
server {
listen80 default_server;
access_log /var/log/nginx/access.log main;
client_header_timeout 60;
client_body_timeout 60;
keepalive_timeout 60;
gzipoff;
gzip_comp_level4;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/
xml application/xml+rss text/javascript;
# Include the Elastic Beanstalk generated locations
#########
### The above script.sh will replce the generated 00_application.conf and included here.
include conf.d/elasticbeanstalk/*.conf;
}
}
Raw
Procfile
web: java -jar target/demo-0.0.1-SNAPSHOT.jar
# You can costomize this line to anything that runs your application e.g. include env variables or you have mutiple jars to run from.
@tvogel8570
Copy link

It would be helpful if you add a sample pom.xml that will include the directories/files in the proper location of a Fat jar?

@Guneetgstar
Copy link
Author

It would be helpful if you add a sample pom.xml that will include the directories/files in the proper location of a Fat jar?

  1. While using .ebextensions and .platform hooks you don't make a fat jar by yourself as Elastic Beanstalk does it for you so you only put the relevant files with the source code in a zip file and deploy it to the application (I myself haven't tried the other way of deploying the app using a fat jar though so I am not sure if that would work). Now for Elastic Beanstalk to understand how to build the fat jar out of your source code and how to run the app you need to put two more files inside the zip, Buildfile and Procfile respectively (which I will add next thanks to you for letting me know).
  2. Surely I can also include a pom.xml but that would be like any other pom.xml as Elastic Beanstalk doesn't require any additional dependency.

More on it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment