Serve HTTPS From Elastic Beanstalk Application Instances

Elastic Beanstalk is Amazon’s platform-as-a-service built on top of EC2, S3 and other Amazon services.

An Elastic Beanstalk application consists of one or more EC2 instances running your application plus a set of supporting resources, including an Elastic Load Balancer. By default the load balancer listens on port 80 and forwards traffic to port 80 on your app servers. You can easily configure the load balancer to listen on 443 as well, but TLS then terminates at the load balancer and the hop from the LB to the app servers stays plaintext HTTP. To encrypt that hop too, you must configure the app servers themselves to serve HTTPS and tell the load balancer to forward to that port over HTTPS.

Options For Configuring App Servers To Serve HTTPS

This can be done in one of two ways (the examples are specific to Tomcat, but both methods apply to any app server).

  1. Use Elastic Beanstalk configuration files to install packages and create the Apache configuration, certificate and key files in the relevant locations on each instance.
  2. Build your own app server AMI with HTTPS already enabled. For Tomcat, the post 443 forwarding to 80 (HTTPS)… How can I set up REAL HTTPS on Beanstalk outlines the required steps.

Method 1 is preferable because it avoids maintaining a custom AMI, which would have to be rebuilt every time Amazon releases a patched base image.

Using Elastic Beanstalk Configuration Files

  1. Create an .ebextensions dir at the root of your app dir or WAR file
  2. Copy in any files you want created on the instances
  3. Create an Elastic Beanstalk configuration file describing the required instance configuration changes

Example Configuration File

Custom commands run before the platform starts its services, so there is no need to restart a service whose configuration you have changed (Apache in this case).
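Below is a complete configuration file of the kind step 3 calls for. It is an added example, not the page's original file: it assumes the Tomcat platform, where Apache httpd fronts Tomcat on localhost:8080 and the stock virtual host listens on 80, and it assumes the certificate and key are bundled with the application. The file name, the PEM bodies and the yum package name are placeholders.

```yaml
# .ebextensions/01-https-instance.config   (hypothetical file name)
#
# Added example, not the original page's file. Assumes the Tomcat platform:
# Apache httpd on the instance proxies to Tomcat on localhost:8080.

packages:
  yum:
    # Installs mod_ssl and its default ssl.conf, which the files: section below
    # replaces. The package is called mod24_ssl on Apache 2.4 based AMIs.
    mod_ssl: []

files:
  "/etc/httpd/conf.d/ssl.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        SSLEngine             on
        SSLCertificateFile    /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/private/server.key

        # Only the load balancer talks to this port, so there is no reason to
        # keep legacy protocols or anonymous/weak ciphers enabled.
        SSLProtocol           all -SSLv2 -SSLv3
        SSLHonorCipherOrder   on
        SSLCipherSuite        HIGH:!aNULL:!MD5

        # Forward to Tomcat exactly as the platform's port-80 virtual host does,
        # and let the application know the client-facing scheme.
        ProxyPass         / http://localhost:8080/ retry=0
        ProxyPassReverse  / http://localhost:8080/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https"
      </VirtualHost>

  "/etc/pki/tls/certs/server.crt":
    mode: "000444"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      (placeholder: PEM body of the instance certificate; self-signed is fine,
       the load balancer will pin its public key rather than check a CA chain)
      -----END CERTIFICATE-----

  "/etc/pki/tls/private/server.key":
    mode: "000400"     # private key: root only, no group/world read
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      (placeholder: PEM body of the matching private key)
      -----END RSA PRIVATE KEY-----
```

cfn-init processes the packages section before the files section, so the package's stock ssl.conf is laid down first and then overwritten; both the package default and this file contain Listen 443, which is why the whole file is replaced rather than a second one added. Note the trade-off in bundling the key: anyone who can download the application version from its S3 bucket or open the WAR can read it. Either restrict access to that bucket, or replace the inline key with a files: entry whose source: is an S3 URL fetched through the instance profile (together with an AWS::CloudFormation::Authentication resource), so the key never sits in the bundle.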

Note for Scala developers: SBT ignores hidden directories when building projects (and I can’t work out how to override that). You can use jar uf /path/to/file.war .ebextensions to insert the .ebextensions dir into the WAR file after packaging.

References

Login With SSH To Verify Changes

SSH to one of your Elastic Beanstalk instances and check that the changes have actually been applied: the files from .ebextensions exist with the expected owner and mode, Apache is listening on 443 and presenting the certificate you installed, and a request to that port is proxied through to Tomcat.

Initialisation Logging

The Elastic Beanstalk startup process writes the output of custom commands, including any errors they raise, to /var/log/cfn-init.log. If an instance doesn't come up properly, for example because a service fails to start, look there first.

Backend Authentication

Backend authentication is a feature of Elastic Load Balancer. You give the load balancer the public key from the app server's certificate, and on each HTTPS connection to an instance it checks that the certificate presented contains that public key, refusing to forward traffic to an instance that presents anything else. Without it the load balancer performs no verification of the backend at all; in this setup, LB to app server HTTPS only worked once it was enabled (requests to the LB on port 443 timed out otherwise).

Security Group And Load Balancer Config File

The load balancer and security groups belong to the environment, not to the application version: Elastic Beanstalk creates them when an environment is launched, and any changes made by hand in the console revert to the default (listen on port 80 only) whenever the environment is rebuilt. To avoid this, describe the required resource properties in a second Elastic Beanstalk configuration file.

In that file, point the HTTPS listener at your server certificate in IAM, restrict SSH ingress to your own IP range, and set the EC2 key pair whose public key you will use to log in.
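The following file covers both the backend authentication policy described above and the load balancer and security group settings of this section. It is an added example, not the page's original file. It assumes a classic Elastic Load Balancer in an EC2-Classic style environment, which is what this page describes (in a VPC environment the instance rule would instead reference AWSEBLoadBalancerSecurityGroup through SourceSecurityGroupId); the file name, certificate ARN, key pair name, CIDR range and public key value are all placeholders.

```yaml
# .ebextensions/02-https-loadbalancer.config   (hypothetical file name)
#
# Added example, not the original page's file. Overrides the resources that
# Elastic Beanstalk creates for the environment (resource names AWSEBLoadBalancer
# and AWSEBSecurityGroup are the platform's own).

option_settings:
  aws:autoscaling:launchconfiguration:
    EC2KeyName: my-keypair                 # placeholder: key pair used for "Login With SSH"

Resources:
  AWSEBLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      # Replaces the default port-80 listener: clients reach the LB on 443 and
      # the LB re-encrypts to 443 on the instances, so the second hop is TLS too.
      Listeners:
        - LoadBalancerPort: "443"
          Protocol: HTTPS
          InstancePort: "443"
          InstanceProtocol: HTTPS
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/example-com   # placeholder
      Policies:
        # Public key the instances must present. Obtain it from the instance
        # certificate with  openssl x509 -in server.crt -pubkey -noout  and paste
        # the base64 body without the BEGIN/END lines.
        - PolicyName: BackendPublicKeyPolicy
          PolicyType: PublicKeyPolicyType
          Attributes:
            - Name: PublicKey
              Value: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...placeholder...IDAQAB
        # Bind that key to instance port 443: a backend presenting a certificate
        # with any other public key is rejected instead of being trusted blindly.
        - PolicyName: BackendServerAuthenticationPolicy
          PolicyType: BackendServerAuthenticationPolicyType
          Attributes:
            - Name: PublicKeyPolicyName
              Value: BackendPublicKeyPolicy
          InstancePorts:
            - "443"

  AWSEBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Elastic Beanstalk instances - HTTPS from the load balancer, SSH from one range
      # This list REPLACES the platform default (which only opens 80 to the LB).
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "443"
          ToPort: "443"
          SourceSecurityGroupName:
            Fn::GetAtt: [AWSEBLoadBalancer, SourceSecurityGroup.GroupName]
          SourceSecurityGroupOwnerId:
            Fn::GetAtt: [AWSEBLoadBalancer, SourceSecurityGroup.OwnerAlias]
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 203.0.113.0/24            # placeholder: your own admin IP range, never 0.0.0.0/0
```

Two caveats a practitioner should check before relying on this. First, because the ingress list replaces the default, the instances no longer accept port 80 from the load balancer; if the environment's health check still targets port 80, point it at 443 as well or instances will be marked unhealthy even though the listener works. Second, the PublicKey policy pins the key, not the certificate: rotating the instance certificate with a new key pair requires updating this value in the same deployment, otherwise the load balancer will reject the new backends.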

Customizing Environment Resources describes how to write configuration files for the other AWS resources in an Elastic Beanstalk environment.

The examples in the ElasticLoadBalancing Policy Type documentation show how to write the policies that turn on backend authentication.