Bobcares

Configure HTTPS on Elastic Beanstalk Environment

by | Jul 17, 2021

We can configure HTTPS on Elastic Beanstalk Environment to allow users to connect to the website securely.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how we can configure HTTPS on the Elastic Beanstalk Environment.


Configure HTTPS on Elastic Beanstalk Environment

If we have a custom domain name for an Elastic Beanstalk environment, we can use HTTPS to allow users to connect to the website securely.

Suppose we don’t own a domain name. Even then we can use HTTPS with a self-signed certificate for development and testing purposes.


Prepare the Elastic Beanstalk environment

1. Initially, to route traffic, we register a new domain using Amazon Route 53 or another provider.

2. If the environment’s URL includes an AWS Region, we create an alias record. Otherwise, we create a CNAME record.

3. Then we create a certificate in ACM or upload a third-party or self-signed certificate and private key to IAM.


Add listeners to the load balancers

1. To do so, we open the Elastic Beanstalk console, then the environment.

2. We select Configuration in the navigation pane.

3. Then in the Load balancer category, we select Modify.

4. After this, we need to add the listener for port 443.

In order to do that, our Support Techs recommend one of the following:

Add a listener for a Classic Load Balancer:

1. Initially, we select Add Listener.

2. For Port, we enter the incoming traffic port (generally 443).

3. For Protocol, we select HTTPS.

4. Then for Instance Port, we enter 80.

5. For Instance Protocol, we select HTTP.

6. For the SSL certificate, we select the certificate and the SSL policy from the drop-down menu.

7. Eventually, we Add, and then select Apply.

Add a listener for an Application Load Balancer:

1. Select Add Listener.

2. For Port, we enter the incoming traffic port.

3. For Protocol, we select HTTPS.

4. For the SSL certificate, we select the certificate and then choose the SSL policy from the dropdown list.

5. Finally, we select Add > Apply.

Add a listener for a Network Load Balancer:

1. In this case, firstly, we select Add Listener.

2. For Port, we enter the incoming traffic port.

3. Then we select Add > Apply.


Configure the instances to terminate HTTPS connections

To do so, we use configuration files to modify the software running on the instances and to modify the security groups so that they allow secure connections.

Suppose we have a single-instance environment. Then we can skip the following steps and go to the section, Terminate HTTPS on the instance.

1. Initially, we add a secure listener to the load balancer based on the type of load balancer in the Elastic Beanstalk environment.

For a Classic Load Balancer, we use a .ebextensions/https-reencrypt-clb.config file:

option_settings:
  aws:elb:listener:443:
    InstancePort: 443
    InstanceProtocol: HTTPS
  aws:elasticbeanstalk:application:
    Application Healthcheck URL: HTTPS:443/

On the other hand, for an Application Load Balancer we use a .ebextensions/https-reencrypt-alb.config file:

option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
    Protocol: HTTPS
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: HTTPS

For a Network Load Balancer, we use a .ebextensions/https-reencrypt-nlb.config file:

option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'

2. Update the load balancer to receive traffic on port 443.

Moving ahead, we create a new security group. Then we have Elastic Beanstalk use that security group to receive traffic on port 443.

For example,

option_settings:
  # Use the custom security group for the load balancer
  aws:elb:loadbalancer:
    SecurityGroups: '`{ "Ref" : "loadbalancersg" }`'
    ManagedSecurityGroup: '`{ "Ref" : "loadbalancersg" }`'

Resources:
  loadbalancersg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: load balancer security group
      VpcId: vpc-#######
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

Here, the .ebextensions/https-lbsecuritygroup.config file creates a security group and attaches it to the load balancer.

In this file, we replace the VpcId placeholder with the VPC ID of the environment.

3. Then we add ingress and egress rules that allow communication over port 443 between the load balancer’s security group and the security group of the instances.

For example, we can use the following .ebextensions/https-backendsecurity.config file:

Resources:
  # Add 443-inbound to instance security group (AWSEBSecurityGroup)
  httpsFromLoadBalancerSG:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      SourceSecurityGroupId: {"Fn::GetAtt" : ["loadbalancersg", "GroupId"]}
  # Add 443-outbound to load balancer security group (loadbalancersg)
  httpsToBackendInstances:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: {"Fn::GetAtt" : ["loadbalancersg", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      DestinationSecurityGroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}

Now the load balancer connects to the backend instances over HTTPS, but it accepts any certificate the instance presents.

To restrict this, we can add policies to the load balancer so that it trusts only a specific certificate.

For example, the following .ebextensions/https-backendauth.config file creates two policies.

One specifies a public certificate, and the other tells the load balancer to trust only that certificate for connections to instance port 443.

option_settings:
  # Backend Encryption Policy
  aws:elb:policies:backendencryption:
    PublicKeyPolicyNames: backendkey
    InstancePorts: 443
  # Public Key Policy
  aws:elb:policies:backendkey:
    PublicKey: |
      -----BEGIN CERTIFICATE-----
      ################################################################
      ################################################################
      ################################################################
      ################################################################
      ################################################
      -----END CERTIFICATE-----

4. After that, we configure the proxy server that runs on the instance to terminate HTTPS.

5. Finally, to deploy them, we add the configuration files to the .ebextensions directory at the root of the application bundle.

Then, we deploy the source code that includes these configuration files.


Terminate HTTPS on the instance (end-to-end HTTPS) in a single-instance environment

1. We allow incoming traffic on port 443 to the EC2 instance that the Elastic Beanstalk application is running on.

For example,

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

2. Then to terminate HTTPS, we configure the proxy server that runs on the instance.

3. To deploy the configuration files to the environment, we add them to the .ebextensions directory at the root of the application bundle.

Then, we deploy the source code that includes these configuration files.
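The two security-group layouts above differ in one security-relevant way: in the load-balanced environment only the load balancer's group is open to the internet and the instance group accepts 443 solely from loadbalancersg, whereas the single-instance file opens 443 on the instance group to 0.0.0.0/0. The following added example (not from the original post) is a small pre-deploy check that makes that difference visible; the resources are hand-transcribed from the post's YAML into Python dicts so it runs without a YAML library, and in practice the Resources section of each .config file would be loaded with PyYAML and passed in.

```python
# Added example, not from the original post: report which ports the post's
# .ebextensions security-group rules open to the whole internet. The resources
# are hand-transcribed from the post's YAML into dicts so this needs no YAML
# library; in practice load the .config files with PyYAML and pass "Resources".
from collections import defaultdict

def logical_name(value):
    """Resolve {"Fn::GetAtt": ["Name", "GroupId"]} (or a plain id) to "Name"."""
    return value["Fn::GetAtt"][0] if isinstance(value, dict) else value

def ingress_rules(resources):
    """Ingress rules per security group: inline rules plus stand-alone resources."""
    rules = defaultdict(list)
    for name, res in resources.items():
        props = res["Properties"]
        if res["Type"] == "AWS::EC2::SecurityGroup":
            rules[name].extend(props.get("SecurityGroupIngress", []))
        elif res["Type"] == "AWS::EC2::SecurityGroupIngress":
            rules[logical_name(props["GroupId"])].append(props)
    return rules

def internet_exposed_ports(resources, group):
    """Ports of `group` open to 0.0.0.0/0; rules sourced from another SG don't count."""
    ports = set()
    for rule in ingress_rules(resources).get(group, []):
        if rule.get("CidrIp") == "0.0.0.0/0":
            ports.update(range(int(rule["FromPort"]), int(rule["ToPort"]) + 1))
    return ports

def instance_sg_violations(resources, load_balanced=True):
    """Behind a load balancer the instance SG (AWSEBSecurityGroup) should only
    accept traffic from loadbalancersg, so any internet-open port is a finding."""
    exposed = internet_exposed_ports(resources, "AWSEBSecurityGroup")
    return sorted(exposed) if load_balanced else []

# Constructed from https-lbsecuritygroup.config and https-backendsecurity.config.
LB_BUNDLE = {
    "loadbalancersg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}},
    "httpsFromLoadBalancerSG": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"]},
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "SourceSecurityGroupId": {"Fn::GetAtt": ["loadbalancersg", "GroupId"]}}},
}
# Constructed from the single-instance file: 443 opened directly on the instance SG.
SINGLE_INSTANCE = {"sslSecurityGroupIngress": {
    "Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"]},
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}}}
```

Running `instance_sg_violations` over a load-balanced bundle that accidentally still carries the single-instance rule returns `[443]`, which is the misconfiguration to catch before deploying.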


Conclusion

In short, we saw how our Support Techs configure HTTPS on Elastic Beanstalk Environment.
