How do I configure an SSL certificate for an application running in an Elastic Beanstalk environment?

Short description

To turn on the SSL encryption for your application that runs on Elastic Beanstalk, take one of the following actions:

• Terminate HTTPS at load balancer level
• Terminate HTTPS at instance level
• Redirect HTTP to HTTPS

Resolution

Terminate HTTPS at load balancer level

To update your Elastic Beanstalk environment to use HTTPS, you must configure an HTTPS listener for the load balancer in your environment. There are two types of load balancers that support an HTTPS listener:

• Classic Load Balancer
• Application Load Balancer

For more information, see Configuring your Elastic Beanstalk environment's load balancer to terminate HTTPS.

Terminate HTTPS at instance level

To use HTTPS with a single instance environment or configure your load balancer to pass traffic through without decryption, you can use platform hooks. Use platform hooks to configure the proxy server that passes traffic to an application to terminate the HTTPS connections. The hook file is dependent on the type of Elastic Beanstalk platform. For more information, see Configuring your application to terminate HTTPS connections at the instance.

Note: Because Amazon Linux AMI (AL1) platforms are retired, it's a best practice to use platform hooks to add changes to the proxy server. Move proxy configuration files that were previously provided in the AL1 platform .ebextensions/nginx directory to the platform/nginx platform hooks directory in AL2. To extend the Elastic Beanstalk default NGINX configuration, add .conf configuration files to a folder that's named .platform/nginx/conf.d/ in your application source bundle. The Elastic Beanstalk NGINX configuration automatically includes .conf files in this folder:

~/workspace/my-app/
|-- .platform
|   `-- nginx
|       `-- conf.d
|           `-- myconf.conf
`--

To override the Elastic Beanstalk default NGINX configuration, include a configuration in your source bundle at .platform/nginx/nginx.conf:

~/workspace/my-app/
|-- .platform
|   `-- nginx
|       `-- nginx.conf
`--

If you override the Elastic Beanstalk NGINX configuration, then pull in the Elastic Beanstalk configurations. Pulling in the configurations allows for enhanced health reporting and monitoring, automatic application mappings, and static files. To pull in the configurations, add the following line to your nginx.conf:

include conf.d /elasticbeanstalk/ *.conf;

For more information on how to configure a proxy, see Reverse proxy configuration.

Note: You might get a warning in the proxy error log that reads nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive. To avoid this warning, use the following .conf file and store it in the platform hooks folder to terminate the SSL at the instance level:

listen       443 ssl;
server_name  localhost;


location / {
              proxy_pass  http://localhost:app_port;
              proxy_set_header   Connection "";
              proxy_http_version 1.1;
              proxy_set_header        Host            $host;
              proxy_set_header        X-Real-IP       $remote_addr;
              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header        X-Forwarded-Proto https;
          }
      }

Redirect HTTP to HTTPS

HTTP to HTTPS redirection handles non-secure traffic the client initiates and redirects the traffic to HTTPS. If you're using an Application Load Balancer or single instance for redirection, then see Configuring HTTP to HTTPS redirection.

By default, Classic Load Balancers can't redirect HTTP traffic to HTTPS. Instead, configure your rewrite rules for the web server instances that are behind the Classic Load Balancer. For more information, see How do I redirect HTTP traffic to HTTPS on my Classic Load Balancer?

---