/AWS_Single_LetsEncrypt.yaml
AWS Elastic Beanstalk .ebextensions config for a single-instance environment with free SSL, using the Let's Encrypt certbot client and Apache.
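# AWS Elastic Beanstalk .ebextensions config: single-instance environment
# with a free Let's Encrypt certificate (certbot, standalone HTTP-01
# challenge) terminated by Apache/mod_ssl.
#
# Don't forget to set the env variable "CERT_DOMAIN", and either fill in your
# email below (EMAIL) or use an env variable for that too.
# NOTE: the 230_getcert command below carries no --staging flag, so it talks
# to the production Let's Encrypt endpoint and counts against its rate
# limits. Add --staging while testing this config and remove it when ready.
# @source https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a#file-aws_single_letsencrypt-yaml-L2
Resources:
  # Open TCP/443 on the environment's own security group; 0.0.0.0/0 is the
  # expected scope for a public web server. Port 80 is not opened here and is
  # assumed to be reachable already (redirect vhost and certbot challenge).
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:
  # The Apache config forces https, and is meant as an example only.
  # Plain-HTTP vhost: answers for the certificate domain (and its www alias)
  # and issues a permanent redirect to https, passing the URI through
  # unescaped (NE).
  /etc/httpd/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      <VirtualHost *:80>
        ServerName ${CERT_DOMAIN}
        ServerAlias www.${CERT_DOMAIN}
        DocumentRoot "/var/www/html/public"
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =${CERT_DOMAIN} [OR]
        RewriteCond %{SERVER_NAME} =www.${CERT_DOMAIN}
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
      </VirtualHost>

  # HTTPS vhost. Written with a ".pre" suffix, presumably so Apache does not
  # load it before the certificate exists; 240_config renames it to .conf
  # after certbot has run.
  /etc/httpd/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      <IfModule mod_ssl.c>
        <VirtualHost *:443>
          ServerName ${CERT_DOMAIN}
          ServerAlias www.${CERT_DOMAIN}
          DocumentRoot "/var/www/html/public"
          RewriteEngine on
          # Paths certbot writes for --domains ${CERT_DOMAIN}.
          SSLCertificateFile /etc/letsencrypt/live/${CERT_DOMAIN}/fullchain.pem
          SSLCertificateKeyFile /etc/letsencrypt/live/${CERT_DOMAIN}/privkey.pem
          Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
      </IfModule>

  # TLS settings included by the HTTPS vhost. Staged under /tmp and moved
  # into /etc/letsencrypt by 250_move_options_ssl_le, after certbot has
  # created that directory.
  /tmp/letsencrypt/options-ssl-apache.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      SSLEngine on
      # Intermediate configuration, tweak to your needs.
      # TLS 1.0 and 1.1 are disabled together with SSLv2/v3: both are
      # deprecated and current browsers no longer negotiate them. Remove the
      # -TLSv1 entries only if you must serve legacy clients.
      SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
      # The list below still admits 3DES (DES-CBC3-SHA) and non-forward-secret
      # RSA key exchange (AES*-SHA*); trim those if compatibility allows.
      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      SSLHonorCipherOrder on
      SSLOptions +StrictRequire
      # Add vhost name to log entries:
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
      LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
      #CustomLog /var/log/apache2/access.log vhost_combined
      #LogLevel warn
      #ErrorLog /var/log/apache2/error.log
      # Always ensure Cookies have "Secure" set (JAH 2012/1)
      #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

packages:
  yum:
    epel-release: []
    mod24_ssl: []

container_commands:
  # certbot-auto is fetched over HTTPS but is not checked against EFF's
  # published signature before being made executable and run as root below.
  # EFF has since deprecated certbot-auto; prefer a packaged certbot where
  # one is available.
  210_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  # certbot --standalone needs port 80 free. The stop is allowed to fail for
  # the case where httpd is not running yet (first deployment).
  220_stop_httpd:
    command: "sudo stop httpd"
    ignoreErrors: true
  # --debug lets certbot-auto run on an OS it treats as experimental
  # (Amazon Linux). --keep-until-expiring leaves a still-valid certificate
  # untouched on redeploys instead of requesting a new one.
  230_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email ${EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring"
  # Activate the HTTPS vhost now that the certificate files exist.
  240_config:
    command: "sudo mv /etc/httpd/conf.d/https_custom.pre /etc/httpd/conf.d/https_custom.conf"
  # Must run before httpd starts: the vhost above Includes this file.
  250_move_options_ssl_le:
    command: "sudo mv /tmp/letsencrypt/options-ssl-apache.conf /etc/letsencrypt/options-ssl-apache.conf"
  260_start_httpd:
    command: "sudo start httpd;sudo restart httpd"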