Hello.
As answered by re:Post Agent, if ALB can be used, I think it is easy to issue an SSL certificate from ACM and set up an HTTPS listener.
However, if there are cost restrictions, it should be possible to convert to HTTPS by placing an SSL certificate directly on EC2 and referencing it in the web server settings.
I think the Apache settings discussed in the GitHub issue below will be helpful.
https://github.com/wekan/wekan/issues/916
https://docs.kanboard.org/v1/admin/docker/
Please create a directory called "kanboard_ssl" in the same directory as "docker-compose.yml" and place the SSL certificate.
Also, create "nginx.conf" to reference the SSL certificate.
I tried mounting the SSL certificate issued by Let's Encrypt inside the Docker container.
docker-compose.yml

    version: '2'
    services:
      kanboard:
        image: kanboard/kanboard:latest
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - kanboard_data:/var/www/app/data
          - kanboard_plugins:/var/www/app/plugins
          - ./kanboard_ssl:/etc/nginx/ssl
          - ./nginx.conf:/etc/nginx/nginx.conf
        environment:
          DATABASE_URL: mysql://kanboard:kanboard-secret@db/kanboard
      db:
        image: mariadb:latest
        command: --default-authentication-plugin=mysql_native_password
        environment:
          MYSQL_ROOT_PASSWORD: secret
          MYSQL_DATABASE: kanboard
          MYSQL_USER: kanboard
          MYSQL_PASSWORD: kanboard-secret
        volumes:
          - db:/var/lib/mysql
    volumes:
      kanboard_data:
      kanboard_plugins:
      kanboard_ssl:
      db:
Change the domain name of "server_name" to the domain you are using.
nginx.conf

    user nginx;
    worker_processes 1;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        server_tokens off;
        access_log off;
        error_log /dev/stderr;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;

        server {
            listen 80;
            # TLS is enabled per listener here; the legacy "ssl on;" directive is
            # not used because it was removed in nginx 1.25.1 (the release that
            # introduced "http2 on;") and would also force TLS on port 80.
            listen 443 ssl;
            http2 on;
            server_name example.com;
            index index.php;
            root /var/www/app;
            client_max_body_size 32M;

            # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1i&hsts=false&ocsp=false&guideline=5.6
            # Certificate and key are bind-mounted from ./kanboard_ssl (see docker-compose.yml).
            ssl_certificate /etc/nginx/ssl/fullchain.pem;
            ssl_certificate_key /etc/nginx/ssl/privkey.pem;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
            ssl_prefer_server_ciphers off;
            ssl_session_timeout 1d;
            ssl_session_cache shared:MozSSL:10m;
            ssl_session_tickets off;

            location / {
                try_files $uri $uri/ /index.php$is_args$args;
            }

            location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SERVER_NAME $host;
            }

            # Never serve the application data directory, logs, SQLite files or .ht* files.
            location ~ /data {
                return 404;
            }

            location ~* ^.+\.(log|sqlite)$ {
                return 404;
            }

            location ~ /\.ht {
                return 404;
            }

            location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
                log_not_found off;
                expires 7d;
                etag on;
            }

            gzip on;
            gzip_comp_level 3;
            gzip_disable "msie6";
            gzip_vary on;
            gzip_types
                text/javascript
                application/javascript
                application/json
                text/xml
                application/xml
                application/rss+xml
                text/css
                text/plain;
        }
    }
After creating the above file, try starting the container.
docker-compose up -d
If it starts normally, you can connect using HTTPS as shown below.
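A pre-flight check for the bind-mounted certificate directory used in the answer above, as an added example that is not part of the original post. It assumes the Let's Encrypt file names referenced in nginx.conf (fullchain.pem, privkey.pem) and that the openssl CLI is installed on the host; run it before `docker-compose up -d` so that a missing file, a key that does not belong to the certificate, or a certificate about to expire is caught on the host instead of as an nginx startup error inside the container.

```shell
#!/bin/sh
# Added example (not from the original post or the Kanboard project).
# Usage: ./check_kanboard_ssl.sh ./kanboard_ssl [min_seconds_of_validity]

# check_kanboard_ssl DIR [MIN_SECONDS]
# Returns 0 when DIR/fullchain.pem and DIR/privkey.pem exist, parse as PEM,
# belong to each other, and the leaf certificate stays valid for at least
# MIN_SECONDS (default 7 days). Prints the first failing reason otherwise.
check_kanboard_ssl() {
    dir=$1
    min_seconds=${2:-604800}
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done

    # fullchain.pem must start with the leaf certificate; privkey.pem must be a PEM key.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $cert"; return 1; }
    openssl pkey -in "$key" -noout >/dev/null 2>&1 \
        || { echo "not a PEM private key: $key"; return 1; }

    # The public key derived from the private key must equal the certificate's
    # public key; a mismatch is what nginx reports as "key values mismatch".
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "privkey.pem does not match fullchain.pem"; return 1; }

    # Let's Encrypt certificates live 90 days; refuse one that expires within MIN_SECONDS.
    openssl x509 -in "$cert" -noout -checkend "$min_seconds" >/dev/null 2>&1 \
        || { echo "certificate expires within ${min_seconds}s or is already expired"; return 1; }

    # The key is mounted into the container: warn (do not fail) if it is world-readable.
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] \
        || echo "warning: $key is world-readable; consider chmod 600"

    echo "ok: $cert and $key are consistent and valid"
    return 0
}

# When executed directly with a directory argument, run the check on it.
case "${1:-}" in
    "") ;;
    *) check_kanboard_ssl "$@" ;;
esac
```

Inside the running container the same files can be checked by nginx itself with `docker-compose exec kanboard nginx -t`, which validates the whole nginx.conf including the ssl_* directives.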
To secure your Wekan board running on an EC2 instance with HTTPS, you have a few options:
- AWS Certificate Manager (ACM):
  - Request a free public SSL/TLS certificate from ACM for your custom domain.
  - This is the recommended approach for AWS services.
  - You'll need to validate domain ownership by adding a CNAME record to your DNS.
- Use an Application Load Balancer (ALB):
  - Create an ALB in front of your EC2 instance.
  - Associate the ACM certificate with the ALB.
  - Configure the ALB to forward traffic to your EC2 instance.
- Install the certificate directly on the EC2 instance:
  - If you prefer to manage the certificate yourself, you can install it directly on the EC2 instance.
  - You'll need to configure your web server (e.g., Nginx) to use the certificate.
- AWS Amplify Hosting (if applicable):
  - If you're using AWS Amplify to host your web app, you can use their custom SSL certificate feature.
  - You can bring your own SSL certificate from ACM.
Regarding your specific setup:
- You don't apply the certificate to the IP address, but to the domain name.
- The A record should point your vanity URL (custom domain) to the EC2 instance's public IP.
- You need to obtain a certificate for the custom domain you're using for the Wekan board.
- If using ACM, ensure the certificate is in the same region as your EC2 instance or ALB.
Remember to configure your security groups to allow HTTPS traffic (port 443) to your EC2 instance or ALB. Also, make sure your Wekan application is configured to use HTTPS.
For the most seamless integration with AWS services, using ACM with an ALB is often the simplest and most manageable approach for applying SSL/TLS certificates to EC2-hosted applications.
Sources:
- Options for AWS customers who use Entrust-issued certificates | AWS Security Blog
- Bring your own SSL certificate to AWS Amplify Hosting | Front-End Web & Mobile