Enforce SSL on AWS Elastic Beanstalk

 
 

Enabling SSL on AWS Elastic Beanstalk with a Classic Elastic Load Balancer is not that easy, and it can seem impossible when, for example, we have to use a standard PHP environment for our application deployment. Unfortunately, Amazon AWS does not provide any option or additional tool to achieve this with a Classic Elastic Load Balancer, so we end up serving either HTTP or HTTPS: there is no way to set up a redirect from HTTP to HTTPS on Classic EB or ELB itself. However unrealistic this may sound, given that nothing publicly exposed should exchange traffic without encryption, there is a way to sort this out. It is not quite a traditional way to secure an environment that uses AWS EB with an AWS Classic ELB, but in this tutorial we will show you how to achieve it in just a few steps.

Table of contents

Short story
Create .ebextensions
Deployment and testing
Note

Short story

We will start by assuming that we have already deployed a new AWS Elastic Beanstalk application for a specific environment with at least two EC2 instances and an active AWS Classic Elastic Load Balancer. Please note that if we don’t provision the environment with at least two AWS EC2 instances, no ELB will be provided, so we need to make sure that we build the environment with two EC2 instances. Later, once the EB environment is up and running, we can amend the configuration to use only one EC2 instance while keeping the ELB in the mix.

Also, we need to make sure that the Elastic Load Balancer is properly configured to accept connections on ports 80 and 443 (with a valid SSL certificate) and to proxy them back to our EC2 instances on port 80. In short, we need two listeners configured on the ELB: the first on port 80 (Load Balancer Port) > 80 (Instance Port) and the second on port 443 (Load Balancer Port) > 80 (Instance Port).

If we have this setup in place then we are ready to move on to our next step.

Create .ebextensions

In the same folder where our application files and folders live, we need to create a new folder called .ebextensions (Elastic Beanstalk Extensions). Once that folder is created, we create a new file named, for example, ssl.config. The name of this configuration file doesn’t really matter; all that matters is the .config extension. Please bear in mind that all files inside the .ebextensions folder are processed in alphabetical order. Also, all .config files have a YAML structure and rely on consistent indentation.


$ cd /path/to/application
$ mkdir .ebextensions
$ cd .ebextensions
$ vi ssl.config

Inside ssl.config please add the following code lines:


files:
    "/etc/httpd/conf.d/ssl_enable.conf":
        mode: "000644"
        owner: root
        group: root
        content: |
            RewriteEngine On
            <If "-n '%{HTTP:X-Forwarded-Proto}' && %{HTTP:X-Forwarded-Proto} != 'https'">
              RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
            </If>

Deployment and testing

Now that we have our .ebextensions folder and the configuration file for SSL in place, we can zip our application, deploy it and test the solution.


$ zip -r myApplication.zip * .[^.]*

Once the application has been deployed via the Web Console or CLI, we need to restart the app server(s) so that EB applies the new configuration. This can easily be done in the Web Console by opening the Actions drop-down menu (right-hand side) and clicking Restart App Server(s). If everything comes back up green, we can test our configuration using a browser or via the CLI using curl. We will use curl in our tutorial:


$ curl -I dummy-domain.com -v

A successful output will look like this:


* Rebuilt URL to: dummy-domain.com/
...
* Connected to dummy-domain.com (10.22.30.44) port 80 (#0)
...
HTTP/1.1 302 Found
...
Location: https://dummy-domain.com/
...
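
To run this check repeatedly instead of reading the curl output by eye, the script below classifies the header block returned by curl -sI and confirms that the redirect goes to HTTPS on the same host. It is an added example, not part of the original tutorial; the function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify the header block
# printed by `curl -sI http://HOST/` to confirm the HTTP-to-HTTPS redirect.
# Prints: redirect-ok | redirect-bad | no-redirect

classify_redirect() {
    # $1 = host we expect to be redirected to; headers are read from stdin
    host=$1 status="" location=""
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                    # HTTP header lines end in CRLF
        case $line in
            HTTP/*)                           # status line, e.g. "HTTP/1.1 302 Found"
                status=${line#* }; status=${status%% *} ;;
            [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:*)
                location=${line#*:}; location=${location# } ;;
        esac
    done
    case $status in
        301|302|303|307|308)
            case $location in
                "https://$host"|"https://$host/"*) echo redirect-ok ;;
                *) echo redirect-bad ;;       # still http://, or a different host
            esac ;;
        *) echo no-redirect ;;                # content was served over plain HTTP
    esac
}

# Constructed sample responses (not captured from a real environment).
sample_redirect() {   # what the listener on port 80 should return
    printf 'HTTP/1.1 302 Found\r\nLocation: https://dummy-domain.com/\r\n\r\n'
}
sample_plain() {      # rule not applied: page served without a redirect
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}
sample_other_host() { # redirect that leaves the expected host
    printf 'HTTP/1.1 302 Found\r\nlocation: https://other.example/\r\n\r\n'
}

# Live check (needs network access), e.g.: check_host dummy-domain.com
check_host() { curl -sI "http://$1/" | classify_redirect "$1"; }

sample_redirect | classify_redirect dummy-domain.com      # redirect-ok
```

Because the rule in ssl.config only fires when the X-Forwarded-Proto header is present, a request that reaches an instance without passing through the load balancer is classified as no-redirect.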

Note

This solution has been tested on AWS Elastic Beanstalk application environments with Apache (2.4) as the backend web server and a Classic Elastic Load Balancer. Please note that the new AWS ELB generation does support HTTP to HTTPS redirects.


About this page

Published: 11/04/2019
Updated: 23/04/2019
