kmsheng/https-instance-securitygroup.config

## https-instance-securitygroup.config
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:
  /etc/nginx/conf.d/http-redirect-custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 80;
        return 301 https://$host$request_uri;
      }

  /etc/nginx/conf.d/https.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS Server

      server {
        listen 443;
        server_name localhost;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;

        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;

          proxy_set_header Connection "";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }

packages:
  yum:
    epel-release: []

container_commands:
  00_createdir:
    command: "mkdir /opt/certbot || true"
  01_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
  02_permission:
    command: "chmod a+x /opt/certbot/certbot-auto"
  03_getcert:
    command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email YOUR_EMAIL@XXX --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring"
  04_link:
    command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/ebcert"
  05_cronjob_renew:
    command: "cat .ebextensions/certificate_renew.txt > /etc/cron.d/certificate_renew && chmod 644 /etc/cron.d/certificate_renew"
	Resources:
	sslSecurityGroupIngress:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
	IpProtocol: tcp
	ToPort: 443
	FromPort: 443
	CidrIp: 0.0.0.0/0

	files:
	/etc/nginx/conf.d/http-redirect-custom.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	server {
	listen 80;
	return 301 https://$host$request_uri;
	}

	/etc/nginx/conf.d/https.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	# HTTPS Server

	server {
	listen 443;
	server_name localhost;

	ssl on;
	ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;

	ssl_session_timeout 5m;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_prefer_server_ciphers on;

	location / {
	proxy_pass http://docker;
	proxy_http_version 1.1;

	proxy_set_header Connection "";
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	}

	packages:
	yum:
	epel-release: []

	container_commands:
	00_createdir:
	command: "mkdir /opt/certbot \|\| true"
	01_installcertbot:
	command: "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
	02_permission:
	command: "chmod a+x /opt/certbot/certbot-auto"
	03_getcert:
	command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email YOUR_EMAIL@XXX --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring"
	04_link:
	command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/ebcert"
	05_cronjob_renew:
	command: "cat .ebextensions/certificate_renew.txt > /etc/cron.d/certificate_renew && chmod 644 /etc/cron.d/certificate_renew"