SSL on Elastic Beanstalk

We’re big fans of Amazon’s Elastic Beanstalk offering. It allows us to quickly deploy our Node.js applications onto a reliable, auto-scaling cloud platform. After committing our code into git, we can quickly launch a cloud environment, and depend on EB to bring up new server instances as demand requires.

This, however, presents a small problem when dealing with secure sites that use SSL.

  1. We want end-to-end encryption, so terminating SSL at the load balancer alone is not an option.
  2. While we need our certificates installed on each server in the auto-scaling group, we don’t want to check them into git (possibly compromising the private key).

One of EB’s more powerful features is the ability to commit configuration files into git that configure the instances as they are created. We use this feature to install our SSL certificates into each instance’s Nginx config. In your project, create a ‘.ebextensions’ directory containing the file ‘ssl.config’:

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Access:
          type: S3
          roleName: aws-elasticbeanstalk-ec2-role
          buckets: elasticbeanstalk-us-east-1-<your S3 bucket>

files:
  /etc/nginx/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      # HTTPS server

      upstream sslnodejs {
          server 127.0.0.1:8443;
          keepalive 256;
      }

      server {
          listen       443;
          server_name  server.example.com;

          ssl                  on;
          ssl_certificate      /etc/pki/tls/certs/server.crt;
          ssl_certificate_key  /etc/pki/tls/certs/server.key;

          ssl_session_timeout  5m;

          ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
          # NOTE: this cipher list still admits RC4, LOW, EXPORT and SSLv2 suites; tighten it before production use
          ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
          ssl_prefer_server_ciphers   on;

          location / {
              proxy_pass  http://sslnodejs;
              proxy_set_header   Connection "";
              proxy_http_version 1.1;
          }
      }

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    source: https://s3.amazonaws.com/elasticbeanstalk-us-east-1-<your S3 bucket>/ssl/server.pem

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    source: https://s3.amazonaws.com/elasticbeanstalk-us-east-1-<your S3 bucket>/ssl/server.key.pem
When a server instance launches, it adds the ssl.conf file to your Nginx configuration and copies the certificate and key from your private S3 bucket (authenticated through the instance’s IAM role) to the appropriate directory on the server. Every server in the auto-scaling group is automatically deployed with the same SSL certificate, without compromising security by committing your SSL private key alongside your project source code.

Nginx will now listen for HTTPS connections on port 443 and forward the traffic to your application listening for plain HTTP on port 8443 (or whatever port you define in ssl.conf).
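As an added check, not part of the original post: a small Python audit of the ssl.config layout shown above. It parses the condensed config embedded below (a constructed sample with a placeholder bucket name) and flags a private key installed with a permissive mode, a certificate source not fetched over https, a source bucket that the S3Access block does not grant access to, and weak tokens in the ssl_ciphers line. The function name audit_ssl_config and the path-style S3 URL assumption are mine.

```python
import re

# Constructed sample: the post's ssl.config condensed to the parts audited below, placeholder bucket name.
SAMPLE_CONFIG = """\
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Access:
          buckets: elasticbeanstalk-us-east-1-mybucket
files:
  /etc/nginx/conf.d/ssl.conf:
    content: |
      ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    source: https://s3.amazonaws.com/elasticbeanstalk-us-east-1-mybucket/ssl/server.key.pem
"""

WEAK_CIPHER_WORDS = ("LOW", "EXP", "RC4", "DES", "NULL", "SSLv2")

def audit_ssl_config(text):
    """Scan an .ebextensions ssl.config; return a list of findings (empty means clean)."""
    findings = []
    buckets = set(re.findall(r"buckets:\s*(\S+)", text))
    current = None  # file path currently being described under 'files:'
    for line in text.splitlines():
        m = re.match(r"^  (/\S+):\s*$", line)  # two-space indented file path key
        if m or current is None:
            current = m.group(1) if m else None
            continue
        s = line.strip()
        if s.startswith("mode:") and current.endswith(".key"):
            mode = s.split()[-1].strip('"')
            if mode not in ("000400", "000600"):
                findings.append(f"{current}: private key mode {mode} is too permissive")
        elif s.startswith("source:"):
            url = s.split(None, 1)[1]
            if not url.startswith("https://"):
                findings.append(f"{current}: source is not fetched over https")
            bucket = url.split("/")[3]  # path-style S3 URL: scheme://host/bucket/key
            if bucket not in buckets:
                findings.append(f"{current}: bucket {bucket} is not granted in S3Access")
        elif s.startswith("ssl_ciphers"):
            tokens = s.rstrip(";").split(None, 1)[1].split(":")
            # tokens prefixed with '!' are excluded from the suite, so only unprefixed/'+' ones count
            weak = [t for t in tokens if not t.startswith("!") and any(w in t for w in WEAK_CIPHER_WORDS)]
            if weak:
                findings.append(f"{current}: weak cipher tokens enabled: {' '.join(weak)}")
    return findings
```

Run against the sample it reports only the cipher finding; loosen the key mode or switch a source to http and the corresponding findings appear.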
