Elastic Beanstalk force https
Solution 1:
It is also possible to do that somewhat more easily, without touching the load balancer, by using the X-Forwarded-Proto header set by ELB. Here is what I ended up doing :
files:
"/etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf":
mode: "00644"
owner: root
group: root
content: |
map $http_upgrade $connection_upgrade {
default "upgrade";
"" "";
}
server {
listen 80;
gzip on;
gzip_comp_level 4;
gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
access_log /var/log/nginx/access.log;
location / {
proxy_pass http://docker;
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
if ($http_x_forwarded_proto = 'http') {
return 301 https://$host$request_uri;
}
}
Solution 2:
I think you need to specify what Elastic Beanstalk environment that you use (see: Supported Platforms), because different environment has different configuration.
Basically, you need to customize:
- Elastic Load Balancer:
- Listen on port 80 and proxy it to EC2 instance port 80.
- Listen on port 443 and proxy it to EC2 instance port 443.
- EC2 Web Server/Proxy:
- Listen on port 80 and response with redirect to HTTPS.
- Listen on port 443 and serve the request.
To customized it, you can use CLI or .ebextensions.
You can check on Enable HTTPS and HTTP-Redirect on AWS Elastic Beanstalk. It tells you how to configure Elastic Beanstalk Single Docker Container serve HTTPS and HTTP (redirect to HTTPS). You can adjust the config as your need.
Solution 3:
Elastic Beanstalk doesn't support multiple ports from a Single Docker Container, so you need to handle this at the proxy level as suggested. However, your EC2 instance doesn't need to know about your certificate, because you can terminate the SSL connection at the load balancer.
In your .ebextensions directory, create a configuration for the nginx proxy that contains two server configs; one that proxies http://docker (the default configuration, port 80), and one that redirects to https (I chose port 8080).
.ebextensions/01-nginx-proxy.config:
files:
"/etc/nginx/sites-available/000-default.conf":
mode: "000644"
owner: root
group: root
content: |
map $http_upgrade $connection_upgrade {
default "upgrade";
"" "";
}
server {
listen 80;
gzip on;
gzip_comp_level 4;
gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
access_log /var/log/nginx/access.log;
location / {
proxy_pass http://docker;
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 8080;
location / {
return 301 https://$host$request_uri;
}
}
commands:
00_enable_site:
command: 'rm -f /etc/nginx/sites-enabled/* && ln -s /etc/nginx/sites-available/000-default.conf /etc/nginx/sites-enabled/000-default.conf'
Create a second configuration for the EB load-balancer and security groups that sets them up as follows:
- EC2 instance:
- Allow traffic on ports 80/8080 from load balancer
- Allow traffic on port 22 from anywhere (for ssh access, optional)
- Load balancer:
- Forward port 443 HTTPS to port 80 HTTP
- Forward port 80 HTTP to port 8080 HTTP
.ebextensions/02-load-balancer.config:
"Resources" : {
"AWSEBSecurityGroup": {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Instance security group (22/80/8080 in)",
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"SourceSecurityGroupId" : { "Ref" : "AWSEBLoadBalancerSecurityGroup" }
}, {
"IpProtocol" : "tcp",
"FromPort" : "8080",
"ToPort" : "8080",
"SourceSecurityGroupId" : { "Ref" : "AWSEBLoadBalancerSecurityGroup" }
}, {
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "0.0.0.0/0"
} ]
}
},
"AWSEBLoadBalancerSecurityGroup": {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Load balancer security group (80/443 in, 80/8080 out)",
"VpcId" : "<vpc_id>",
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
}, {
"IpProtocol" : "tcp",
"FromPort" : "443",
"ToPort" : "443",
"CidrIp" : "0.0.0.0/0"
} ],
"SecurityGroupEgress": [ {
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
}, {
"IpProtocol" : "tcp",
"FromPort" : "8080",
"ToPort" : "8080",
"CidrIp" : "0.0.0.0/0"
} ]
}
},
"AWSEBLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "8080",
"Protocol" : "HTTP"
}, {
"LoadBalancerPort" : "443",
"InstancePort" : "80",
"Protocol" : "HTTPS",
"SSLCertificateId" : "arn:aws:iam::<certificate_id>:<certificate_path>"
} ]
}
}
}
(Note: don't forget to replace the SSLCertificateId and VpcId with your values).
Any traffic on port 80 of the load balancer (HTTP) will hit port 8080 on the EC2 instance, which redirects to HTTPS. Traffic on port 443 on the load balancer (HTTPS) will end up being served by port 80 on the EC2 instance, which is the docker proxy.