Terminating HTTPS on EC2 instances running Java SE
For Java SE container types, you enable HTTPS with an .ebextensions configuration file, and an nginx configuration file that configures the nginx server to use HTTPS.
All AL2023/AL2 platforms support a uniform proxy configuration feature. For more information about configuring the proxy server on your platform versions running AL2023/AL2, see Reverse proxy configuration.
Add the following snippet to your configuration file, replacing the certificate and private key placeholders as instructed, and save it in the .ebextensions directory.
The configuration file performs the following tasks:
- The files key creates the following files on the instance:
  /etc/pki/tls/certs/server.crt
  - Creates the certificate file on the instance. Replace certificate file contents with the contents of your certificate.
    Note
    YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and ensure that your text editor uses spaces, not tab characters, to indent.
    If you have intermediate certificates, include them in server.crt after your site certificate:
    -----BEGIN CERTIFICATE-----
    certificate file contents
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    first intermediate certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    second intermediate certificate
    -----END CERTIFICATE-----
  /etc/pki/tls/certs/server.key
  - Creates the private key file on the instance. Replace private key contents with the contents of the private key used to create the certificate request or self-signed certificate.
- The container_commands key restarts the nginx server after everything is configured so that the server loads the nginx configuration file.
Example .ebextensions/https-instance.config
files:
  /etc/pki/tls/certs/server.crt:
    content: |
      -----BEGIN CERTIFICATE-----
      certificate file contents
      -----END CERTIFICATE-----
  /etc/pki/tls/certs/server.key:
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      private key contents
      # See note below.
      -----END RSA PRIVATE KEY-----
container_commands:
  01restart_nginx:
    command: "service nginx restart"
Note
Avoid committing a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see Storing private keys securely in Amazon S3.
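Because the two most common mistakes with this file are broken YAML indentation and pasting the wrong PEM material into a path (a key into server.crt, or a passphrase-protected key that nginx cannot open at startup), the following added example renders https-instance.config from PEM strings and validates them first. It is not Elastic Beanstalk tooling. Beyond the page's example it sets the mode/owner/group options that the files key supports, so that server.key is readable only by root; the PEM bodies (SAMPLE_LEAF, SAMPLE_INTERMEDIATE, SAMPLE_KEY) are constructed placeholders, not real base64 material. content_of is a minimal reader for the generated block scalars, included so the round trip can be checked without a YAML library.

```python
"""Render .ebextensions/https-instance.config from PEM material (added example)."""
import re

# One PEM block: label captured so BEGIN and END must agree.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed placeholders standing in for real base64 PEM bodies.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nCCCC\n-----END RSA PRIVATE KEY-----"


def pem_blocks(text: str) -> list[tuple[str, str]]:
    """Return (label, full_block) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_RE.finditer(text)]


def validate_chain(cert_pem: str) -> list[str]:
    """server.crt holds one or more CERTIFICATE blocks, site certificate first.

    Order is not verifiable here without parsing X.509, so the caller passes the
    leaf first; this only rejects non-certificate material such as a pasted key.
    """
    blocks = pem_blocks(cert_pem)
    if not blocks:
        raise ValueError("no PEM block found for server.crt")
    bad = [label for label, _ in blocks if label != "CERTIFICATE"]
    if bad:
        raise ValueError(f"server.crt must contain only CERTIFICATE blocks, found {bad}")
    return [block for _, block in blocks]


def validate_key(key_pem: str) -> str:
    """server.key holds exactly one unencrypted private key block."""
    blocks = pem_blocks(key_pem)
    if len(blocks) != 1:
        raise ValueError("server.key must contain exactly one PEM block")
    label, block = blocks[0]
    if not label.endswith("PRIVATE KEY"):
        raise ValueError(f"server.key must be a private key, found {label}")
    # PKCS#8 encrypted keys use an ENCRYPTED label; legacy keys carry a Proc-Type header.
    if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in block:
        raise ValueError("passphrase-protected key: nginx needs ssl_password_file to load it")
    return block


def _indent(text: str, n: int) -> str:
    return "\n".join(" " * n + line for line in text.splitlines())


def render_config(cert_pem: str, key_pem: str) -> str:
    """Emit the files/container_commands document with 2/4/6-space indentation."""
    chain = "\n".join(validate_chain(cert_pem))
    key = validate_key(key_pem)
    return (
        "files:\n"
        "  /etc/pki/tls/certs/server.crt:\n"
        '    mode: "000444"\n'
        "    owner: root\n"
        "    group: root\n"
        "    content: |\n"
        f"{_indent(chain, 6)}\n"
        "  /etc/pki/tls/certs/server.key:\n"
        '    mode: "000400"\n'   # key readable by root only
        "    owner: root\n"
        "    group: root\n"
        "    content: |\n"
        f"{_indent(key, 6)}\n"
        "container_commands:\n"
        "  01restart_nginx:\n"
        '    command: "service nginx restart"\n'
    )


def content_of(config: str, path: str) -> str:
    """Read back the block scalar under '<path>: ... content: |' (minimal reader)."""
    lines = config.splitlines()
    i = lines.index(f"  {path}:")
    while lines[i].strip() != "content: |":
        i += 1
    body = []
    for line in lines[i + 1:]:
        if not line.startswith("      "):
            break
        body.append(line[6:])
    return "\n".join(body)


if __name__ == "__main__":
    print(render_config(SAMPLE_LEAF + "\n" + SAMPLE_INTERMEDIATE, SAMPLE_KEY))
```

Run it with the real PEM files read from disk on a workstation, write the output to .ebextensions/https-instance.config, and keep that file out of source control as the note above says.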
Place the following in a file with the .conf extension in the .ebextensions/nginx/conf.d/ directory of your source bundle (e.g., .ebextensions/nginx/conf.d/https.conf). Replace app_port with the port number that your application listens on.
This example configures the nginx server to listen on port 443 using SSL. For more information about these configuration files on the Java SE platform, see Configuring the proxy server.
Example .ebextensions/nginx/conf.d/https.conf
# HTTPS server
server {
    # The "ssl" parameter on listen replaces the "ssl on;" directive, which
    # nginx deprecated in 1.15.0 and removed in 1.25.1.
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;

    ssl_session_timeout 5m;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless a legacy
    # client still requires them, and add TLSv1.3 where the nginx build supports it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:app_port;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the application know the client connection was TLS.
        proxy_set_header X-Forwarded-Proto https;
    }
}
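A small audit of this server block, as an added example that is not part of the Elastic Beanstalk documentation: it reads an nginx HTTPS configuration and reports the settings a reviewer would flag (the removed "ssl on;" form, a listen on 443 without the ssl parameter, SSLv3/TLSv1/TLSv1.1 still enabled, missing certificate directives, an unreplaced app_port placeholder, and a missing X-Forwarded-Proto). PAGE_CONF reproduces the configuration as the page originally gave it; HARDENED_CONF is the same block with the weak settings corrected and 5000 assumed as the application port.

```python
"""Audit an nginx HTTPS server block for common weaknesses (added example)."""
import re

# Copy of the page's configuration as originally published.
PAGE_CONF = """
server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://localhost:app_port;
        proxy_set_header X-Forwarded-Proto https;
    }
}
"""

# Same block with the findings resolved; port 5000 is an assumed app_port.
HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header X-Forwarded-Proto https;
    }
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_https_conf(conf: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # Drop nginx comments so commented-out directives are not matched.
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

    has_ssl_on = re.search(r"^\s*ssl\s+on\s*;", body, re.M) is not None
    if has_ssl_on:
        findings.append("'ssl on;' is deprecated since nginx 1.15.0 and removed in 1.25.1; use 'listen 443 ssl;'")

    listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
    on_443 = [l for l in listens if "443" in l.split()]
    if not on_443:
        findings.append("no listen directive on port 443")
    elif not has_ssl_on and not any("ssl" in l.split() for l in on_443):
        findings.append("listen 443 lacks the 'ssl' parameter, so the port serves plain HTTP")

    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", body, re.M)
    if m:
        protos = set(m.group(1).split())
        weak = sorted(protos & WEAK_PROTOCOLS)
        if weak:
            findings.append(f"weak protocols enabled: {' '.join(weak)} (deprecated by RFC 8996 / RFC 7568)")
        if "TLSv1.3" not in protos:
            findings.append("TLSv1.3 not enabled")
    else:
        findings.append("ssl_protocols not set; nginx builds before 1.23.4 default to enabling TLSv1 and TLSv1.1")

    for directive in ("ssl_certificate", "ssl_certificate_key"):
        if not re.search(rf"^\s*{directive}\s+\S+;", body, re.M):
            findings.append(f"{directive} missing")

    pp = re.search(r"^\s*proxy_pass\s+([^;]+);", body, re.M)
    if pp and "app_port" in pp.group(1):
        findings.append("proxy_pass still contains the app_port placeholder")

    if not re.search(r"^\s*proxy_set_header\s+X-Forwarded-Proto\s+(https|\$scheme)\s*;", body, re.M):
        findings.append("X-Forwarded-Proto not set; the application cannot tell the request arrived over TLS")
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_https_conf(conf) or "clean")
```

Running the audit over the page's block reports the deprecated directive, the two weak protocols, the missing TLSv1.3 and the placeholder; the hardened block reports nothing. The checks are textual, so they complement rather than replace `nginx -t` on the instance.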
In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an AWS CloudFormation function and adds a rule to it.
Example .ebextensions/https-instance-single.config
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
For a load-balanced environment, you configure the load balancer to either pass secure traffic through untouched, or decrypt and re-encrypt for end-to-end encryption.