manuelzi/https_instance_new.yaml

## https_instance_new.yaml
packages:
  yum:
    mod24_ssl : []

files:
  "/etc/httpd/conf.d/ssl_rewrite.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
        RewriteEngine On
        RewriteCond %{HTTP:X-Forwarded-Proto} !https
        RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      ServerName LETSENCRYPT_DOMAIN
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        ServerAlias www.LETSENCRYPT_DOMAIN
        SSLEngine             on
        SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On
        SSLSessionTickets     Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early

      </VirtualHost>
  "/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf":
    mode: "000755"
    owner: root
    group: root
    content: |
      /var/log/letsencrypt/letsencrypt.log
container_commands:
  # installs certbot
  10_stop_apache:
    command: "sudo service httpd stop; sleep 3"
  12_replace_placeholders:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g'
      echo $SED_EXPRESSION
      sed -i -e $SED_EXPRESSION /etc/httpd/conf.d/ssl.conf
  20_install_certbot:
    command: |
      sudo rm -rf /opt/eff.org/*
      sudo yum -q -y install python36 python36-pip python36-libs python36-tools python36-virtualenv
      sudo /usr/bin/pip-3.6 install certbot
  30_install_certificate:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      sudo /usr/local/bin/certbot certonly --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring
  40_start_apache:
    command: |
      source /opt/elasticbeanstalk/support/envvars
      sudo service httpd start
	packages:
	yum:
	mod24_ssl : []

	files:
	"/etc/httpd/conf.d/ssl_rewrite.conf":
	mode: "000644"
	owner: root
	group: root
	content: \|
	RewriteEngine On
	RewriteCond %{HTTP:X-Forwarded-Proto} !https
	RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

	/etc/httpd/conf.d/ssl.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	ServerName LETSENCRYPT_DOMAIN
	LoadModule ssl_module modules/mod_ssl.so
	Listen 443
	<VirtualHost *:443>
	<Proxy *>
	Order deny,allow
	Allow from all
	</Proxy>

	ServerAlias www.LETSENCRYPT_DOMAIN
	SSLEngine on
	SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem"
	SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem"
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	SSLProtocol All -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	SSLSessionTickets Off

	Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
	Header always set X-Frame-Options DENY
	Header always set X-Content-Type-Options nosniff

	ProxyPass / http://localhost:80/ retry=0
	ProxyPassReverse / http://localhost:80/
	ProxyPreserveHost on
	RequestHeader set X-Forwarded-Proto "https" early

	</VirtualHost>
	"/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf":
	mode: "000755"
	owner: root
	group: root
	content: \|
	/var/log/letsencrypt/letsencrypt.log
	container_commands:
	# installs certbot
	10_stop_apache:
	command: "sudo service httpd stop; sleep 3"
	12_replace_placeholders:
	command: \|
	source /opt/elasticbeanstalk/support/envvars
	SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g'
	echo $SED_EXPRESSION
	sed -i -e $SED_EXPRESSION /etc/httpd/conf.d/ssl.conf
	20_install_certbot:
	command: \|
	sudo rm -rf /opt/eff.org/*
	sudo yum -q -y install python36 python36-pip python36-libs python36-tools python36-virtualenv
	sudo /usr/bin/pip-3.6 install certbot
	30_install_certificate:
	command: \|
	source /opt/elasticbeanstalk/support/envvars
	sudo /usr/local/bin/certbot certonly --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --standalone --domains ${LETSENCRYPT_DOMAIN} --keep-until-expiring
	40_start_apache:
	command: \|
	source /opt/elasticbeanstalk/support/envvars
	sudo service httpd start