Skip to content

Instantly share code, notes, and snippets.

@RobertoSchneiders
Last active September 15, 2015 12:59
Show Gist options
  • Save RobertoSchneiders/92b9ccc8e4ba795bd458 to your computer and use it in GitHub Desktop.
Save RobertoSchneiders/92b9ccc8e4ba795bd458 to your computer and use it in GitHub Desktop.
How to configure a Poxa server with SSL in ElasticBeastalk.

This documentation has been moved to the this wiki page.

With HTTP

If you don't need SSL/HTTPS all you have to do is create two files and upload a zip to AWS Elastic Beanstalk configured for Docker platform, pretty straightforward.

Create the configuration files

Add a config file poxa.conf and configure the HTTP Port and credentials.

# HTTP port
poxa.port = 80

# Pusher app key
poxa.app_key = "your_key"

# Pusher secret
poxa.app_secret = "your_secret"

# Pusher app id
poxa.app_id = "your_app_id"

Add a Dockerrun.aws.json:

{
  "AWSEBDockerrunVersion": "1",
  "Image": {
    "Name": "edgurgel/poxa",
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "80"
    }
  ],
  "Volumes": [
    {
      "HostDirectory": "/var/app/current/poxa.conf",
      "ContainerDirectory": "/app/releases/0.4.3/poxa.conf"
    }
  ],
  "Logging": "/var/log/nginx"
}

You may have to adjust the ContainerDirectory depending on the current version of the docker image, 0.4.3 is the most recent at this time.

Deploy

Pack this files into a zip and upload it to a Elastic Beanstalk Web Server configured for Docker platform. You can also use EB Cli to deploy.

With HTTPS/SSL

To use SSL you can use several different methods.

Using AWS Load Balancer

The best and easiest way to use SSL on Elastic Beastalk is through Elastic Load Balancer.You only have to upload de certificate and configure the load balancer to use them. In this approach, the SSL is handled by the Load Balancer and your server don't have to worry about it.

The only problem is the cost.

Using poxa docker image built-in ssl support

The poxa docker image has built-in support for SSL as stated here, but, is not so simple to use this with docker on Elastic Beanstalk. Mainly because of this limitation:

You can specify multiple container ports, but Elastic Beanstalk uses only the first one to connect your container to the host's reverse proxy and route requests from the public Internet.

More info: (documentation)

A possible workaround to this problem would be to change the nginx settings via ebextensions (not tested).

Using the EC2 nginx as SSL layer

This method allows you to have a single instance server, which is cheaper than the option with Load Balancer.

In this case, there are two instances of nginx running. One of them is running on the EC2 provided by EB and the other one is running inside the docker image. This approach will configure the nginx on EC2 to be the ssl layer.

You need to create a ebextension to configure the nginx.

Create a file ./ebextensions/ssl.config, which should look like this:

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:
  /etc/nginx/conf.d/ssl.conf:
    content: |
      # HTTPS server

      server {
          listen       443;
          server_name  *.your_domain.com.br;

          ssl                  on;
          ssl_certificate      /etc/pki/tls/certs/STAR_your_domain_com_br.pem;
          ssl_certificate_key  /etc/pki/tls/certs/STAR_your_domain_com_br.key;

          ssl_session_timeout  5m;

          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
          ssl_prefer_server_ciphers on;

          location / {
            proxy_pass  http://localhost:80;
            proxy_redirect off;
            proxy_buffering off; # Optional
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
          }
      }


  /etc/pki/tls/certs/STAR_your_domain_com.key:
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      ***
      -----END RSA PRIVATE KEY-----

  /etc/pki/tls/certs/STAR_your_domain_com.pem:
    content: |
      -----BEGIN CERTIFICATE-----
      ***
      -----END CERTIFICATE-----

You have to replace your_domain and add your certificates. Yeah, you have to put your certificates into this file, so, you can't use this approach on a public repository. Not ideal, of course, but, is the price that you pay for not use the expensive Load Balancer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment