Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Config file to add https to beanstalk instance without load balancer using letsencrypt - Apache
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
packages:
yum:
epel-release: []
mod24_ssl : []
files:
"/root/.aws/credentials":
mode: "000644"
owner: root
group: root
encoding: plain
content: |
[default]
aws_access_key_id = VALID_AWS_ACCESS_KEY
aws_secret_access_key = VALID_AWS_SECRET
"/tmp/getvars.sh":
mode: "00555"
owner: root
group: root
encoding: plain
content: |
#!/bin/bash
# get the vars from the env
# Needed because vars are not set for commands, only container_commands
CLEAN=0
logMsg()
{
INITPID=$$
PROG="getvars"
logger -t ${PROG}[$INITPID] $1
echo $1
}
VARS_TO_GET=("NEWRELIC_JAVA_PLUGIN_URL" \
"NEWRELIC_LICENSE_KEY" \
"NEWRELIC_ENABLE" \
"NEWRELIC_CIRCUIT_BREAKER" \
)
# get the region we are deployed in
AVAILABILITY_ZONE=`wget -qO- http://169.254.169.254/latest/meta-data/placement/availability-zone`
REGION_ID=${AVAILABILITY_ZONE:0:${#AVAILABILITY_ZONE} - 1}
# get our EB env name
BEANSTALKENV=`{ "Ref" : "AWSEBEnvironmentName" }`
# get our beanstalk app name
BEANSTALKAPP=$(/usr/bin/aws elasticbeanstalk describe-environments --environment-names ${BEANSTALKENV} --region ${REGION_ID} |grep "ApplicationName" |cut -f 2 -d ":"|tr -d ","|xargs)
ENV_CNAME=$(/usr/bin/aws elasticbeanstalk describe-environments --environment-names ${BEANSTALKENV} --region ${REGION_ID} |grep "CNAME" |cut -f 2 -d ":"|tr -d ","|xargs)
logMsg "Getting vars from env ${BEANSTALKENV} in ${BEANSTALKAPP} (${REGION_ID}) (${ENV_CNAME})"
rm -f /tmp/envvars
echo "ENV_CNAME=${ENV_CNAME}" >> /tmp/envvars
if [ $CLEAN -eq 1 ]; then
rm -f /tmp/vars.$$
fi
"/etc/httpd/conf.d/ssl_rewrite.conf":
mode: "000644"
owner: root
group: root
content: |
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /opt/python/run/baselinenv
WSGISocketPrefix run/wsgi
WSGIRestrictEmbedded On
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/ebcert/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ebcert/privkey.pem"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
RequestHeader set X-Forwarded-Proto "https" early
Alias /static/ /opt/python/current/app/staticfiles/
<Directory /opt/python/current/app/staticfiles/>
Order allow,deny
Allow from all
</Directory>
Alias /static /opt/python/current/app/staticfiles
<Directory /opt/python/current/app/staticfiles>
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /opt/python/current/app/ctq/wsgi.py
<Directory /opt/python/current/app/>
Require all granted
</Directory>
WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
python-home=/opt/python/run/venv/ \
python-path=/opt/python/current/app user=wsgi group=wsgi \
home=/opt/python/current/app
WSGIProcessGroup wsgi-ssl
</VirtualHost>
"/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf":
mode: "000755"
owner: root
group: root
content: |
/var/log/letsencrypt/letsencrypt.log
commands:
command block:
command: |
/tmp/getvars.sh
. /tmp/envvars
wget https://dl.eff.org/certbot-auto -O /tmp/certbot-auto;
chmod a+x /tmp/certbot-auto;
logMsg()
{
INITPID=$$
PROG="getvars"
logger -t ${PROG}[$INITPID] $1
echo $1
}
logMsg "CNAME ${ENV_CNAME}"
/tmp/certbot-auto certonly --debug --non-interactive --email YOUR_EMAIL --agree-tos --standalone --domains ${ENV_CNAME} --keep-until-expiring --pre-hook "service httpd stop" --post-hook "service httpd start"
ln -sf /etc/letsencrypt/live/${ENV_CNAME} /etc/letsencrypt/live/ebcert
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment