Configuring HTTPS for Elastic Beanstalk environment

MSP Medium
Sep 20, 2023

Elastic Beanstalk helps deploy and manage applications quickly without users needing to know about the underlying infrastructure. You simply upload your application, and Elastic Beanstalk handles capacity provisioning, load balancing, scaling, and application health monitoring.

HTTPS is a protocol for the secure transfer of data between the application and the browser. An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection between a web server and a web browser.

In this particular task, we are going to set up an Elastic Beanstalk environment, run our Python application and set up an SSL certificate and configuration within that environment. In addition to that, we will be adding a custom domain for our Beanstalk environment. Thus, we will be able to host our application in an Elastic Beanstalk environment and access it securely from our custom domain. I used Cloudflare for DNS management.

Step 1: Set up the AWS Elastic Beanstalk environment

In the first step, we need to set up an Elastic Beanstalk environment. I chose to host a Python app on an Amazon Linux 2023 instance. Log into the AWS account, search for the Elastic Beanstalk service and choose to create the environment. One thing to note is that I used previously created IAM roles because I had them. You can instead create new ones, which Elastic Beanstalk can handle by itself based on the options you choose. You also need to create a key pair to finish creating the Elastic Beanstalk environment, which can be done within the EC2 service.

Step 2: SSH into the Environment

Next, go to EC2 services from the AWS management console and search for the instance created by Elastic Beanstalk as the environment. Then, connect to the EC2 instance via SSH from the local machine.

Step 3: Install Certbot within the environment

Once connected to the instance, run the commands to install Certbot. I had set up Amazon Linux 2023 as my environment, so I used the commands for it. I have also provided the commands for Amazon Linux 2.

For Amazon Linux 2

sudo yum update
sudo amazon-linux-extras install epel
sudo yum install certbot
certbot --version

For Amazon Linux 2023

sudo dnf install -y augeas-libs
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Step 4: Configure Certbot for the custom domain

Subsequently, we need to configure Certbot certificates for our custom domain. For that, run the following command regardless of the environment.

sudo certbot certonly --manual --preferred-challenges dns

While the command is running, it asks for steps to be taken, such as adding DNS records in Cloudflare. A TXT record is required to verify the domain and complete the command, and an A record must point to the IP of the environment.

We can see that the custom domain is pointing to the instance successfully and we can see the output of our Python application. However, the connection is not secure yet as we have not completed our setup. So first we need to open port 443 for our environment for communication via HTTPS.

ALSO, PROXY STATUS IN CLOUDFLARE NEEDS TO BE OFF.

In the configuration below, we set up a listener for HTTPS on port 443. The URL used in the proxy_pass option carries the application port: I have put in port 80 for my Python application. Had it been a Node.js application, I would have put in port 8080.

sudo nano /etc/nginx/conf.d/eb.conf

The configuration:

server {
    listen 443 ssl;
    server_name sanjeebnepal.com.np;

    # Certificate chain and private key issued by Certbot in Step 4
    ssl_certificate /etc/letsencrypt/live/sanjeebnepal.com.np/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sanjeebnepal.com.np/privkey.pem;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        # Forward decrypted traffic to the application on the local port
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Then restart the nginx server:

sudo systemctl restart nginx

When editing the file in nano, press Ctrl+S to save and Ctrl+X to exit the editor.
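
The ssl_protocols directive in the configuration above decides which TLS versions the HTTPS listener accepts. As an added example (not part of the original post), the function below scans an nginx config file for deprecated protocol versions (SSLv2, SSLv3, TLS 1.0, TLS 1.1); the function name and the two sample files are constructed for illustration, and it assumes each ssl_protocols directive starts its own line and fits on it.

```shell
#!/usr/bin/env bash
# Added example: audit the ssl_protocols directives of an nginx config file.

# audit_ssl_protocols FILE
# Prints "WEAK <file>:<line> <protocol>" for every deprecated protocol found.
# Returns 0 if all listed protocols are acceptable, 1 if a deprecated one is
# enabled, 2 if the file has no ssl_protocols directive at all (nginx then
# falls back to version-dependent defaults).
audit_ssl_protocols() {
  local file=$1
  awk -v f="$file" '
    { sub(/#.*/, "") }                 # strip comments before parsing
    $1 == "ssl_protocols" {
      seen = 1
      for (i = 2; i <= NF; i++) {
        p = $i
        sub(/;$/, "", p)               # drop the terminating semicolon
        # SSLv2 and SSLv3 are broken; TLS 1.0 and 1.1 are deprecated (RFC 8996)
        if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1") {
          printf "WEAK %s:%d %s\n", f, NR, p
          weak = 1
        }
      }
    }
    END {
      if (!seen) exit 2
      exit (weak ? 1 : 0)
    }
  ' "$file"
}

# Constructed sample inputs: one listener that still enables TLS 1.0/1.1,
# one that only offers TLS 1.2 and 1.3.
tmp=$(mktemp -d)
printf 'server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy\n}\n' > "$tmp/weak.conf"
printf 'server {\n  listen 443 ssl;\n  ssl_protocols TLSv1.2 TLSv1.3;\n}\n' > "$tmp/hardened.conf"

for conf in "$tmp/weak.conf" "$tmp/hardened.conf"; do
  if audit_ssl_protocols "$conf"; then
    echo "OK   $conf"
  fi
done
```

On the instance, point the function at /etc/nginx/conf.d/eb.conf, and run `sudo nginx -t` to validate the syntax before restarting nginx.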

Another important point to note is the SSL/TLS encryption mode in Cloudflare. It needs to be set to Full and here is why:

  • Off is for the HTTP protocol only, and everything is redirected to HTTP.
  • The Flexible option only requires encryption between the browser and Cloudflare, which Cloudflare provides by itself, so our SSL certificate is useless here.
  • The Full option requires encryption to be set up on the origin server too, which in our case is our environment (the EC2 instance).

Step 5: Enjoy the output

Now, we just enjoy the output.

Author: Sanjeeb Nepal

https://www.linkedin.com/in/sanjeebnepal/
