Supratim Samanta

Summary

The provided web content outlines the process of deploying an application using AWS Elastic Beanstalk with an Nginx proxy server, implementing SSL encryption through custom certificates stored in S3, rather than relying on AWS Certificate Manager (ACM).

Abstract

The article "Deploy an application in Elastic Beanstalk with Nginx and with SSL, without ACM" details a method for enhancing application security on AWS Elastic Beanstalk by configuring SSL encryption from the load balancer to the backend servers using Nginx as a proxy. It involves three key steps: deploying a sample application, configuring Nginx to handle SSL by downloading certificates from an S3 bucket, and adjusting the Elastic Beanstalk environment and load balancer settings to accept and forward HTTPS traffic. The guide emphasizes the importance of SSL beyond the load balancer and provides a practical example with code snippets and configuration files hosted on GitHub by the user susamn.

Opinions

  • The author expresses a strong preference for Elastic Beanstalk, highlighting its ease of use, scalability, and robustness as a PaaS solution.
  • They acknowledge the need for full-path SSL encryption due to scenarios where encryption from the load balancer to the end servers is necessary for business security requirements.
  • The use of self-signed certificates is presented as a practical alternative when ACM is not an option, with the caveat that clients or employers should ideally provide the certificates for a production environment.
  • The author suggests that the process of setting up SSL in Nginx alongside Elastic Beanstalk is straightforward and within reach for users willing to follow the provided steps and configure the necessary AWS components accordingly.
  • It is implied that the configuration changes detailed in the post may require additional permissions, as evidenced by the instruction to add S3ReadOnlyAccess policy to the Elastic Beanstalk environment's instance profile.
  • The author advises readers to check logs in CloudWatch through log streaming if the environment fails to start, indicating a troubleshooting approach for when things do not work as expected.

Deploy an application in Elastic Beanstalk with Nginx and with SSL, without ACM

I love Elastic Beanstalk. It’s an awesome PaaS solution which makes application deployment a breeze with automatic scaling. Being under the umbrella of AWS, it is also really robust and has so many features.


In typical scenarios, the load balancer terminates the HTTPS traffic and sends plaintext traffic to the backend servers over TCP port 80. But I have seen a lot of scenarios where the traffic from the load balancer to the end servers also needs to be encrypted, so that the business has SSL implemented the whole way. In these cases we have to configure SSL in the web server (Apache/Nginx) as well.

In this post let’s deploy an application in Elastic Beanstalk with Nginx proxying the requests. We will also configure SSL in Nginx with certificates stored in S3 (not using ACM).

The code is hosted here:

I have used the plain sample application provided by AWS and added the necessary files for SSL.

We need only 3 files.

  1. nginx-proxy.config: this file enables the Nginx proxy option so that Elastic Beanstalk knows it needs to use Nginx as the proxy server.

Place this file in the .ebextensions folder when bundling the application code.

  2. copycerts.sh: this script downloads the certificate files from S3 to the application servers before the app is started.

I have my self-signed certificates here:

Some things to keep in mind here.

  • Give this file execute permission (+x) before bundling it with the application. Otherwise we will get Permission Denied on the EC2 servers.
  • This script needs to know where the cert files are. To provide this, we need to set up environment variables: PRIVATE_BUCKET specifies the bucket name and CERT_PATH specifies the location within it.
  • Set another environment variable called PORT to control which port the app listens on locally. Make the corresponding change in the app and in the Nginx configuration in the next file at line 16, which tells Nginx where to route the traffic for the application.
  • If you have a certificate chain in the bucket, make the necessary change in this script to copy it too.
  • Make sure to give S3 access rights to the Elastic Beanstalk environment, so that any server it starts will have that policy attached. Go to Elastic Beanstalk env -> Configuration -> Security and note the instance profile name. Then go to IAM and add the S3ReadOnlyAccess policy to this instance profile.

Save this file in .platform/hooks/predeploy in the root of the bundled application code, so that it executes before the main application runs and Nginx can find the certificates in the correct place.

  3. https-listener.conf: this is the Nginx config file which replaces the original config files used by Nginx.

This is a pretty simple Nginx configuration. It configures how the Nginx server behaves on the running instance.

  • In lines 6 and 7 we point to the certificate locations on the application server; we copied the certificate files there from S3 in the previous script.
  • In lines 15 to 21 we specify the location block. When Nginx receives traffic, it forwards it to this location based on the path.

Place this file in the .platform/nginx/conf.d/ folder in the bundled application. This is the path AWS recommends for the Nginx configuration.
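As an added example (not the post’s gists, which are not reproduced here), the following POSIX shell script writes all three files into a bundle directory in the layout the post describes, gives the hook its execute bit, and substitutes the application port into the Nginx config. The file contents, the S3 object names server.crt and server.key, the destination paths under /etc/pki/tls, and the use of the get-config helper to read environment properties are my assumptions, not the post’s.

```sh
#!/bin/sh
# scaffold_eb_ssl_bundle DIR [PORT]
# Writes the three files the post describes into an application bundle directory:
#   .ebextensions/nginx-proxy.config           (enable the Nginx proxy)
#   .platform/hooks/predeploy/copycerts.sh     (fetch certs from S3, executable)
#   .platform/nginx/conf.d/https-listener.conf (Nginx HTTPS server block)
# Added example; file contents, object names and certificate paths are assumptions.
scaffold_eb_ssl_bundle() {
  dir=$1
  port=${2:-5000}   # must match the PORT environment property the app listens on
  mkdir -p "$dir/.ebextensions" "$dir/.platform/hooks/predeploy" "$dir/.platform/nginx/conf.d"

  # 1. Tell Elastic Beanstalk to run Nginx as the proxy server.
  cat > "$dir/.ebextensions/nginx-proxy.config" <<'EOF'
option_settings:
  aws:elasticbeanstalk:environment:proxy:
    ProxyServer: nginx
EOF

  # 2. Predeploy hook: copy the certificate and key from the private bucket.
  cat > "$dir/.platform/hooks/predeploy/copycerts.sh" <<'EOF'
#!/bin/sh
# Runs as root before the application starts. Needs the instance profile
# to have read access to the bucket (the post adds S3ReadOnlyAccess).
set -eu
# Environment properties; get-config is the Elastic Beanstalk helper for reading them.
PRIVATE_BUCKET="${PRIVATE_BUCKET:-$(/opt/elasticbeanstalk/bin/get-config environment -k PRIVATE_BUCKET)}"
CERT_PATH="${CERT_PATH:-$(/opt/elasticbeanstalk/bin/get-config environment -k CERT_PATH)}"
: "${PRIVATE_BUCKET:?PRIVATE_BUCKET is not set}"
: "${CERT_PATH:?CERT_PATH is not set}"

CRT=/etc/pki/tls/certs/app.crt      # assumed destinations; must match https-listener.conf
KEY=/etc/pki/tls/private/app.key
mkdir -p /etc/pki/tls/certs /etc/pki/tls/private

# Object names inside the prefix are assumed. If the bucket also holds a
# chain file, copy it the same way and append it to the certificate file.
aws s3 cp "s3://${PRIVATE_BUCKET}/${CERT_PATH}/server.crt" "$CRT"
aws s3 cp "s3://${PRIVATE_BUCKET}/${CERT_PATH}/server.key" "$KEY"

# Fail the deployment early on an empty download rather than letting Nginx
# fail to start later, and keep the private key readable by root only.
if [ ! -s "$CRT" ] || [ ! -s "$KEY" ]; then
  echo "copycerts.sh: certificate or key is empty" >&2
  exit 1
fi
chmod 644 "$CRT"
chmod 600 "$KEY"
EOF
  chmod +x "$dir/.platform/hooks/predeploy/copycerts.sh"

  # 3. Nginx server block; __APP_PORT__ is replaced with the chosen port.
  sed "s/__APP_PORT__/$port/" > "$dir/.platform/nginx/conf.d/https-listener.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name _;

    # Files placed on the instance by the copycerts.sh hook.
    ssl_certificate     /etc/pki/tls/certs/app.crt;
    ssl_certificate_key /etc/pki/tls/private/app.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Route everything to the application listening locally on PORT.
    location / {
        proxy_pass         http://127.0.0.1:__APP_PORT__;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
EOF
}

# Run directly: sh scaffold.sh ./my-app 5000
if [ -n "${1:-}" ]; then
  scaffold_eb_ssl_bundle "$1" "${2:-5000}"
fi
```

Run it as `sh scaffold.sh ./my-app 5000`, then bundle the directory as usual. Two caveats the post leaves implicit: the bucket holds a private key, so keep it non-public and give the instance profile read access only; and when checking the result against a self-signed certificate, pass the certificate to curl with --cacert rather than disabling verification with -k. For the load balancer step at the end of the post, the target group the new HTTPS listener forwards to must itself use HTTPS on port 443, otherwise the load balancer still sends plaintext to the instances.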

That’s it. If everything works well, the Nginx server will have the proper configuration and when the app starts, port 443 will be exposed to receive HTTPS traffic.

Verify it by going to the server:

As I have a self-signed certificate, I am getting an issue with curl. But in the ideal scenario, your client or employer will provide the certificate to configure, so you should be good.

When things do not work

If for any reason the environment fails to start, enable log streaming from the Elastic Beanstalk environment and see the logs in CloudWatch.

See eb-engine.log to find any Elastic Beanstalk environment setup related issues.

Now it’s time to configure the load balancer to forward HTTPS traffic to the Elastic Beanstalk servers.

Add a listener in the load balancer

Here we only have HTTP port forwarding. Click on Add listener and add an HTTPS listener that forwards the traffic to the EB servers.

So there are 2 things to do, which are pretty straightforward.

  1. Add an inbound rule in the EB server’s security group to accept HTTPS traffic.
  2. Add a listener in the load balancer to forward HTTPS traffic to the aforementioned security group.