For this and all other source bundles uploaded to this instance, include the following 3 customized configuration files in the indicated locations (1 in “.ebextensions” and 2 in “.platform/nginx/conf.d”). Copy the domain-specific configuration files from the folder “___HTTPS_additions” before the git update, zipping and uploading.

IMPORTANT: {FullDomain} in the 2 configuration files in “.platform/nginx/conf.d” must first be substituted with the actual full domain name (e.g., adminidc8206.iterandis.com); this should already have been done in the “___HTTPS_additions” folder.

  1. The first configuration file in “.ebextensions” opens the https port 443 in the environment's security group.

    .ebextensions/01_https-port.config

    Resources:
      sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
          CidrIp: 0.0.0.0/0

  2. The first configuration file in “.platform/nginx/conf.d” redirects all http traffic to https, except for the Certbot challenge required for automatic renewal.

    .platform/nginx/conf.d/https_redirect_from_http.conf

    # HTTPS redirect from HTTP
    server {
      listen 80;
      server_name {FullDomain};

      location / {
        return 301 https://$server_name$request_uri;
      }

      location /.well-known/acme-challenge {
        root /var/www/html;
      }
    }

  3. The second configuration file in “.platform/nginx/conf.d” establishes the https server, which requires the correct paths to the SSL certificate and key. Note: the EC2 server was set up with basic health monitoring, so leave the section for enhanced health reporting commented out.

    .platform/nginx/conf.d/https.conf

    # HTTPS server
    server {
      listen 443 ssl;
      server_name localhost;

      # Direct SSL Certificate Installation on EC2 with Auto Renewal
      ssl_certificate /etc/letsencrypt/live/{FullDomain}/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/{FullDomain}/privkey.pem;

      ssl_session_timeout 5m;
      # Note: TLSv1 and TLSv1.1 are deprecated; current clients only need TLSv1.2 (and TLSv1.3).
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;

      # For enhanced health reporting support, uncomment this block:
      #if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
      #  set $year $1;
      #  set $month $2;
      #  set $day $3;
      #  set $hour $4;
      #}
      #access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
      #access_log /var/log/nginx/access.log main;

      location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
      }
    }

    Note: only basic health monitoring was specified when the webserver was created in Elastic Beanstalk, so the middle section for enhanced health monitoring is commented out.


    Show hidden folders on Mac with Command + Shift + . (the period key). Ensure the YAML indentation is correct.
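As an added example (not part of the original notes or of the bundle itself), a small POSIX shell script that performs the {FullDomain} substitution in the two nginx files and then checks the bundle before zipping: all 3 files present in their locations, no placeholder left behind, and a warning if ssl_protocols still allows the deprecated TLSv1/TLSv1.1. The bundle root and domain are passed as arguments; the file names are the ones listed above.

```shell
#!/bin/sh
# Pre-upload check for the Elastic Beanstalk HTTPS bundle described above (added example).

substitute_domain() {
  # Replace the {FullDomain} placeholder in place in the two nginx files.
  bundle="$1"; domain="$2"
  for f in "$bundle/.platform/nginx/conf.d/https_redirect_from_http.conf" \
           "$bundle/.platform/nginx/conf.d/https.conf"; do
    # -i.bak works on both GNU and BSD sed; the backup is removed afterwards.
    sed -i.bak "s/{FullDomain}/$domain/g" "$f" && rm -f "$f.bak"
  done
}

check_bundle() {
  # Returns 0 when the bundle is ready to zip; prints each problem it finds.
  bundle="$1"; rc=0
  for f in .ebextensions/01_https-port.config \
           .platform/nginx/conf.d/https_redirect_from_http.conf \
           .platform/nginx/conf.d/https.conf; do
    [ -f "$bundle/$f" ] || { echo "missing: $f"; rc=1; }
  done
  # The placeholder must not survive into the uploaded bundle.
  if grep -rq '{FullDomain}' "$bundle/.platform/nginx/conf.d" 2>/dev/null; then
    echo "placeholder {FullDomain} still present in .platform/nginx/conf.d"; rc=1
  fi
  # Warn (but do not fail) when TLSv1 or TLSv1.1 is still enabled.
  if grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' \
       "$bundle/.platform/nginx/conf.d/https.conf" 2>/dev/null; then
    echo "warning: ssl_protocols still allows deprecated TLSv1/TLSv1.1"
  fi
  return $rc
}

# Usage: sh check_bundle.sh <bundle-root> <full-domain>
if [ "$#" -eq 2 ]; then
  substitute_domain "$1" "$2" && check_bundle "$1"
fi
```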