
@dev-jonghoonpark
Last active August 14, 2017 03:53
AWS Elastic Beanstalk .ebextensions config for single instance free SSL using letsencrypt certbot (nginx, tomcat)
# .ebextensions/01_AWS_Single_LetsEncrypt.config
# [reference]
# https://blog.microideation.com/2016/09/23/zero-cost-verified-https-using-letsencrypt-and-nginx-for-tomcat-8/
# https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a
# please edit 'yourdomain' and 'youremail'
# At first, you will encounter an nginx error, because the 'fullchain.pem' and 'privkey.pem' files do not exist yet.
# I resolved that manually by using 'eb ssh'.
# If you have a better idea, please comment. (I think changing the file extension, as the referenced gist did, will work, but I haven't tried it yet.)
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
container_commands:
  # certbot-auto has since been deprecated by the EFF and is no longer maintained;
  # on current platforms install certbot from the distro packages or via pip/snap instead.
  # The download below is unauthenticated: at minimum verify it against the detached
  # signature (certbot-auto.asc) the EFF publishes next to it before executing it.
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto"
  # webroot directory that nginx serves under /.well-known (see the nginx configs below)
  20_mkdir:
    command: "sudo mkdir -p /var/www/challenge"
  # '-w' is only honoured by the webroot authenticator; the original '--standalone'
  # ignored it and tried to bind port 80 itself, which nginx already holds
  # (keep --standalone only together with e.g. --pre-hook "service nginx stop").
  30_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email youremail --agree-tos --webroot -w /var/www/challenge --domains yourdomain --keep-until-expiring"
  40_restartnginx:
    command: "sudo service nginx restart"
# .ebextensions/nginx/conf.d/http_redirect_custom.conf
# (the file must end in .conf: nginx only includes conf.d/*.conf, so with the
#  original '.cof' name the ACME challenge location below is never served)
server {
    listen 80;
    server_name yourdomain;

    # ACME http-01 challenge files written by certbot's webroot authenticator
    location /.well-known {
        alias /var/www/challenge/.well-known;
    }

    # everything else goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}
# .ebextensions/nginx/conf.d/https_custom.conf
# conf.d files are included inside nginx's http {} block, so a map is allowed here.
# Sends "Connection: upgrade" only for WebSocket handshakes and "close" otherwise;
# the original set the Connection header twice ("" and then "upgrade"), leaving
# the outcome to directive order.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl default_server;
    server_name localhost;
    # plain HTTP sent to the TLS port: bounce it to HTTPS
    # (this also covers the original 'if ($ssl_protocol = "")' rewrite)
    error_page 497 https://$host$request_uri;

    ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;
    ssl_session_timeout 5m;
    # TLS 1.1 (offered in the original) is deprecated by RFC 8996; serve 1.2 only.
    # Add TLSv1.3 once the platform's nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tells Tomcat (RemoteIpValve) the client spoke HTTPS, so redirects and
        # secure cookies are generated correctly
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # renewals may be redirected here from port 80; serve the challenge over TLS too
    location /.well-known {
        alias /var/www/challenge/.well-known;
    }
}
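The first-deploy failure noted at the top of the config (nginx refuses to start because fullchain.pem and privkey.pem do not exist yet) can be avoided without renaming config files. The shell below is an added example, not part of the gist: it points a stable directory, assumed here to be /etc/nginx/ssl/current, at the Let's Encrypt lineage when one exists and otherwise at a freshly generated self-signed placeholder, so nginx can start with ssl_certificate /etc/nginx/ssl/current/fullchain.pem on every deploy and the webroot challenge can then succeed. It deliberately never writes into /etc/letsencrypt/live, because certbot treats a pre-populated lineage directory as taken and issues into a <domain>-0001 directory instead, which would silently break the paths in the nginx config. The LE_LIVE/SSL_ROOT layout, the function names and the example.invalid domain used in testing are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original gist. Bootstraps the TLS files nginx
# needs on the very first deploy, before certbot has issued anything, without
# writing into /etc/letsencrypt (certbot treats a pre-populated lineage directory
# as taken and issues into <domain>-0001 instead, breaking the paths in the
# nginx config).
#
# Assumed layout (adapt as needed):
#   LE_LIVE  = /etc/letsencrypt/live/<domain>      written by certbot
#   SSL_ROOT = /etc/nginx/ssl                      owned by this script
#   SSL_ROOT/placeholder/{fullchain,privkey}.pem   self-signed, 1-day validity
#   SSL_ROOT/current -> LE_LIVE or SSL_ROOT/placeholder
# nginx's ssl_certificate / ssl_certificate_key then point at SSL_ROOT/current/*.pem.
set -eu

# make_placeholder_cert DIR DOMAIN: create a self-signed pair in DIR unless both files exist.
make_placeholder_cert() {
  dir="$1"
  domain="$2"
  if [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ]; then
    return 0
  fi
  mkdir -p "$dir"
  # One-day lifetime and a loud subject so a forgotten placeholder is noticed quickly.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$domain/O=PLACEHOLDER DO NOT TRUST" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
  chmod 600 "$dir/privkey.pem"
}

# select_cert_dir LE_LIVE SSL_ROOT DOMAIN: point SSL_ROOT/current at the real
# lineage if certbot has produced one, else at a placeholder (creating it on
# demand). Prints "letsencrypt" or "placeholder" so callers can tell which won.
select_cert_dir() {
  le_live="$1"
  ssl_root="$2"
  domain="$3"
  if [ -s "$le_live/fullchain.pem" ] && [ -s "$le_live/privkey.pem" ]; then
    target="$le_live"
    choice="letsencrypt"
  else
    make_placeholder_cert "$ssl_root/placeholder" "$domain"
    target="$ssl_root/placeholder"
    choice="placeholder"
  fi
  mkdir -p "$ssl_root"
  # -n: replace an existing 'current' symlink instead of descending into it
  ln -sfn "$target" "$ssl_root/current"
  echo "$choice"
}

# cert_is_placeholder DIR: succeed if DIR/fullchain.pem is the self-signed placeholder.
# Useful as a post-deploy check that nginx is really serving the issued certificate.
cert_is_placeholder() {
  openssl x509 -in "$1/fullchain.pem" -noout -subject | grep -q 'PLACEHOLDER DO NOT TRUST'
}

# Intended use as an EB container command, run before the nginx restart and
# again from certbot's --deploy-hook once issuance succeeds (paths are assumptions):
if [ "${BOOTSTRAP_TLS:-0}" = "1" ]; then
  select_cert_dir /etc/letsencrypt/live/yourdomain /etc/nginx/ssl yourdomain
fi
```

Run select_cert_dir as a container command ahead of 40_restartnginx, and again after certbot succeeds (a certbot --deploy-hook is the natural place), so the link flips from the placeholder to the real lineage and an nginx reload picks it up. cert_is_placeholder makes a cheap post-deploy assertion that the placeholder did not survive into production.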