Amazon Elastic Beanstalk with SSL (HTTPS) without a Load Balancer on Single Instanced EC2 Amazon Linux 2 Image (Java)
######
## See https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/security-configuration for reference.
# .ebextensions/https-instance-securitygroup.config
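Resources:
  # Adds an inbound HTTPS rule (tcp/443, any source) to the security group
  # that Elastic Beanstalk creates for the environment's instance.
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
  # Optional, for SSH. Unlike 443, port 22 is an administrative interface and
  # should not be reachable from 0.0.0.0/0: scope the source to the address or
  # range you administer from, or drop this resource entirely if you use a
  # brokered access path (for example AWS Systems Manager Session Manager).
  sshSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 22
      FromPort: 22
      # Constructed sample value from the documentation range (TEST-NET-3);
      # replace with your own admin IP/CIDR before deploying.
      CidrIp: 203.0.113.10/32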
######
## See https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/configuration-files/aws-provided/security-configuration
# for reference.
# .ebextensions/https-instance.config
files:
  # Server certificate, followed by the intermediate chain when one exists.
  # Mode 000400 makes the file readable by root only.
  '/etc/pki/tls/certs/server.crt':
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      **Paste your certificate here**
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      **If chained cirtificate, paste your chain here**
      -----END CERTIFICATE-----
  # Private key for the certificate above, also root-only (000400).
  # NOTE(review): a key pasted inline here travels with the application source
  # bundle and with any repository that holds this file. Keep the filled-in
  # file out of version control; AWS's guidance for this sample is to move the
  # key to a restricted S3 bucket and have the instance download it at deploy
  # time once the setup has been tested.
  '/etc/pki/tls/certs/server.key':
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN PRIVATE KEY-----
      **Paste your key here**
      -----END PRIVATE KEY-----

container_commands:
  # Restarts nginx during deployment, after the files above are written.
  01restart_nginx:
    command: service nginx restart
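#!/bin/bash
# .platform/hooks/postdeploy/script.sh
#
# Post-deploy hook: writes the HTTPS server block and the HTTP->HTTPS
# redirect for nginx, checks the resulting configuration, then restarts
# nginx so the new files take effect.

# Stop at the first failing command so a half-written configuration is never
# followed by a restart.
set -euo pipefail

# TLS terminates here and requests are proxied to the application on port 5000.
# The quoted heredoc delimiter keeps nginx variables ($host, ...) literal.
# Changes from the earlier version of this block:
#   - "listen 443 ssl;" replaces "listen 443;" + "ssl on;" (the standalone
#     "ssl" directive is deprecated in nginx).
#   - ssl_protocols no longer offers TLSv1 / TLSv1.1, which are deprecated.
#     Add TLSv1.3 if the installed nginx/OpenSSL build supports it.
cat > '/etc/nginx/conf.d/https.conf' <<'NGINX_HTTPS'
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-SSL on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
NGINX_HTTPS

# Replaces the Elastic Beanstalk generated location for the port-80 server so
# that plain-HTTP requests are redirected to HTTPS instead of being proxied.
cat > '/etc/nginx/conf.d/elasticbeanstalk/00_application.conf' <<'NGINX_REDIRECT'
location / {
    return 301 https://$host$request_uri;
}
NGINX_REDIRECT

# Validate first: with "set -e" a syntax error fails the hook here instead of
# taking nginx down on restart.
nginx -t
service nginx restart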
build: mvn clean help:active-profiles package -Pprod
# I am using a Spring Boot project; you may need to change the build command to whatever produces your fat jar.
#Elastic Beanstalk Nginx Configuration File
######### This is a sample /etc/nginx/nginx.conf file.
###### For reference only.
#### This file should already be present, as shown, on the EC2 instance for the setup to produce the desired outcome (HTTPS).
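# Restored layout: the directive names and their values had been fused
# together (e.g. "usernginx;"), and the gzip_types list was split mid-token.
user                    nginx;
error_log               /var/log/nginx/error.log warn;
pid                     /var/run/nginx.pid;
worker_processes        auto;
worker_rlimit_nofile    32137;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    ########
    ### The generated https.conf (the port-443 server block) is included here.
    include       conf.d/*.conf;

    map $http_upgrade $connection_upgrade {
        default     "upgrade";
    }

    # Plain-HTTP server. Its only location comes from the include below.
    server {
        listen        80 default_server;
        access_log    /var/log/nginx/access.log main;

        client_header_timeout 60;
        client_body_timeout   60;
        keepalive_timeout     60;
        gzip                  off;
        gzip_comp_level       4;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        # Include the Elastic Beanstalk generated locations
        #########
        ### script.sh above replaces the generated 00_application.conf, and
        ### the replacement (the redirect to HTTPS) is included here.
        include conf.d/elasticbeanstalk/*.conf;
    }
}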
web: java -jar target/demo-0.0.1-SNAPSHOT.jar
# You can customize this line to anything that runs your application, e.g. to include environment variables or to choose among multiple jars.