I want to configure an SSL/TLS certificate for my application that runs on AWS Elastic Beanstalk.
Short description
To activate SSL/TLS encryption for your application that runs on Elastic Beanstalk, take one of the following actions:
- Configure HTTPS termination at the load balancer level
- Configure HTTPS termination at the Amazon Elastic Compute Cloud (Amazon EC2) instance level
- Redirect HTTP to HTTPS
Resolution
Configure HTTPS termination at the load balancer level
To update your Elastic Beanstalk environment to use HTTPS, you must configure an HTTPS listener for the load balancer in your environment. There are two types of load balancers that support an HTTPS listener:
- Classic Load Balancer
- Application Load Balancer
For more information, see Configuring HTTPS Termination at the load balancer.
Configure HTTPS termination at the instance level
To use HTTPS with a single-instance environment, or to have your load balancer pass encrypted traffic through to the instances without decrypting it, use platform hooks. With the platform hooks, configure the proxy server that passes traffic to your application so that it terminates the HTTPS connections itself. The hook file depends on the type of Elastic Beanstalk platform. For more information, see Configuring HTTPS Termination at the instance.
To extend the Elastic Beanstalk default NGINX configuration, add .conf configuration files to a folder that's named .platform/nginx/conf.d/ in your application source bundle. The Elastic Beanstalk NGINX configuration automatically includes .conf files in this folder. Example configuration:
~/workspace/my-app/
|-- .platform
|   `-- nginx
|       `-- conf.d
|           `-- myconf.conf
`--
To override the Elastic Beanstalk default NGINX configuration, include a configuration in your source bundle at .platform/nginx/nginx.conf. Example configuration:
~/workspace/my-app/
|-- .platform
|   `-- nginx
|       `-- nginx.conf
`--
If you override the NGINX configuration, pull in the configuration files that Elastic Beanstalk generates so that you keep enhanced health reporting and monitoring, automatic application mappings, and static file handling. To pull them in, add the following line inside the server block of your nginx.conf (the generated files contain location directives, so the include must sit in server context):
include conf.d/elasticbeanstalk/*.conf;
For more information about how to configure a proxy, see Reverse proxy configuration.
You might get the following message in the proxy error log:
"nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive."
NGINX emits this warning when a configuration still uses the deprecated ssl on; directive; the replacement is the ssl parameter on the listen directive. To avoid the issue, store the following .conf file in the .platform/nginx/conf.d/ platform hooks folder to terminate SSL/TLS at the instance level. The certificate paths and app_port are placeholders that you replace with your own values:
server {
    listen 443 ssl;
    server_name localhost;

    # Placeholder paths: point these at the certificate chain and private key
    # that your platform hook places on the instance. NGINX refuses to start an
    # ssl listener without them.
    ssl_certificate     /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;

    location / {
        # Replace app_port with the port your application listens on.
        proxy_pass http://localhost:app_port;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
Note: AWS retired Amazon Linux AMI (AL1) platforms. It's a best practice to use platform hooks to add changes to the proxy server. Move proxy configuration files from the AL1 .ebextensions/nginx directory to the .platform/nginx platform hooks directory in Amazon Linux 2 (AL2) and Amazon Linux 2023 (AL2023).
Redirect HTTP to HTTPS
HTTP to HTTPS redirection redirects non-secure traffic that the client initiates to HTTPS. To redirect HTTP traffic to HTTPS for your application, configure the web servers on your environment's instances, or configure the environment's Application Load Balancer.
Note: By default, Classic Load Balancers can't redirect HTTP traffic to HTTPS. Instead, you must configure your rewrite rules for the web server instances that are behind the Classic Load Balancer.
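The following nginx.conf override is an added example; it is not code from the original article or from AWS. It serves two of the points above: it shows the full override placed at .platform/nginx/nginx.conf, with the include line that pulls the Elastic Beanstalk-generated configuration back in, and it implements the instance-level HTTP-to-HTTPS redirect for an environment behind an Application Load Balancer (or a Classic Load Balancer, which cannot redirect on its own). The file is modeled on the structure of the Elastic Beanstalk default nginx.conf for Amazon Linux 2; the worker, timeout and logging settings are assumptions you can adjust. It further assumes that the load balancer sets the X-Forwarded-Proto header and that load balancer health checks arrive with a User-Agent beginning ELB-HealthChecker, which the redirect exempts so the health check keeps receiving a 200 from the application rather than a 301.

```nginx
# .platform/nginx/nginx.conf  (added example, modeled on the Elastic Beanstalk
# default for Amazon Linux 2; not copied from the article or from AWS)

user                    nginx;
error_log               /var/log/nginx/error.log warn;
pid                     /var/run/nginx.pid;
worker_processes        auto;
worker_rlimit_nofile    32153;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Drop-in files from .platform/nginx/conf.d/ are included at http level.
    include       conf.d/*.conf;

    # Required by the generated 00_application.conf, which proxies WebSocket
    # upgrades with $connection_upgrade.
    map $http_upgrade $connection_upgrade {
        default     "upgrade";
    }

    # 1 when the client reached the load balancer over plain HTTP.
    # X-Forwarded-Proto is set by the load balancer; restrict the instance
    # security group so that only the load balancer can reach port 80 and the
    # header cannot be supplied by an arbitrary client.
    map $http_x_forwarded_proto $proto_is_http {
        default  0;
        "http"   1;
    }

    # 1 for load balancer health checks (assumed User-Agent prefix). They
    # connect over HTTP and must not be answered with a redirect.
    map $http_user_agent $is_health_check {
        default                  0;
        "~^ELB-HealthChecker"    1;
    }

    # Redirect only plain-HTTP client traffic, never health checks.
    map "$proto_is_http:$is_health_check" $redirect_to_https {
        default  0;
        "1:0"    1;
    }

    server {
        listen        80 default_server;
        access_log    /var/log/nginx/access.log main;

        client_header_timeout 60;
        client_body_timeout   60;
        keepalive_timeout     60;
        gzip                  off;

        # Permanent redirect to the same host and path over HTTPS.
        if ($redirect_to_https) {
            return 301 https://$host$request_uri;
        }

        # Pull the Elastic Beanstalk-generated locations back in: the
        # application proxy_pass, health daemon logging and static files.
        include conf.d/elasticbeanstalk/*.conf;
    }
}
```

With this file in the source bundle, the HTTPS listener on the load balancer still terminates TLS and forwards to port 80; the instance only decides whether a request arrived securely. If you prefer not to exempt the health checker by User-Agent, the alternative is to configure the load balancer health check to accept a 301 as a healthy response, but then the check no longer proves that the application itself is answering.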