HTTPS for Single-Instance Node.js AWS Elastic Beanstalk Environment without Custom Domain or Load Balancer

This post describes how to setup HTTPS using a self-signed certificate for a Node.js 12 webapp deployed to a single-instance AWS Elastic Beanstalk environment without using a custom domain or a load balancer. This is useful in dev/test scenarios where HTTPS is required.

Step 1 β€” Create Beanstalk App

Create a Beanstalk app as shown below:

Step 2 β€” Get Application Code

Download & unzip the Node.js app code from here.

Step 3 β€” Generate Certificate

Run this at your terminal to generate a self-signed certificate:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=*.elasticbeanstalk.com'
openssl rsa -in key.pem -out key.pem

Step 4 β€” Modify Code

Create .ebextensions/https-instance-single.config in the app code with these contents:

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

Create .ebextensions/https-instance.config in the app code with these contents:

files:
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      # contents of cert.pem
      -----END CERTIFICATE-----
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      # contents of key.pem
      -----END RSA PRIVATE KEY-----

Create .platform/nginx/conf.d/https.conf in the app code with these contents:

server {
    listen                    443;
    server_name               localhost;
    ssl                       on;
    ssl_certificate           /etc/pki/tls/certs/server.crt;
    ssl_certificate_key       /etc/pki/tls/certs/server.key;
    ssl_session_timeout       5m;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}

Step 5 β€” Deploy Code

ZIP & upload the code to Beanstalk, open the Beanstalk app URL with https:// prefix & bypass the browser warning about the self-signed certificate to see the app!

2 comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.