6

I am trying to enable HTTPS on my Spring Boot web server backend deployed on AWS Elastic Beanstalk with a self-signed SSL certificate. I followed online tutorials and guides to change my nginx config with a new https-instance.config.

files:
  /etc/nginx/conf.d/myconf.conf:
    mode: "conf"
    owner: root
    group: root
    content: |
      # HTTPS server

      server {
        listen 443;
        server_name localhost;

        ssl on;
        ssl_certificate /etc/pki/tls/certs/server.crt;
        ssl_certificate_key /etc/pki/tls/certs/server.key;
        ssl_prefer_server_ciphers on;

        location / {
          proxy_pass  http://localhost:5000;
          proxy_http_version  1.1;
          proxy_set_header  Connection "";
          proxy_set_header  Host  $host;
          proxy_set_header  X-Real-IP  $remote_addr;
          proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
      }

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      mycert
      -----END CERTIFICATE-----
      
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      mykey
      -----END RSA PRIVATE KEY-----

  /opt/elasticbeanstalk/hooks/appdeploy/post/03_restart_nginx.sh:
      mode: "000755"
      owner: root
      group: root
      content: |
        #!/usr/bin/env bash
        sudo service nginx restart

When I SSH to my instance I am unable to find my myconf.conf file under conf.d. Running service nginx status gives me:

● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/nginx.service.d
           └─nginx.conf
   Active: active (running) since Wed 2020-08-26 03:06:34 UTC; 15min ago
  Process: 28894 ExecStartPost=/bin/sh -c systemctl show -p MainPID nginx.service | cut -d= -f2 > /var/pids/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 28890 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 28887 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 28886 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 28893 (nginx)
   CGroup: /system.slice/nginx.service
           ├─28893 nginx: master process /usr/sbin/nginx
           └─28897 nginx: worker process

Aug 26 03:06:34  systemd[1]: Starting The nginx HTTP and reverse proxy server...
Aug 26 03:06:34 nginx[28887]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Aug 26 03:06:34  nginx[28887]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Aug 26 03:06:34  systemd[1]: Started The nginx HTTP and reverse proxy server.

What am I missing? This is my first project on AWS EBS.

Note: I am running the free tier single instance for EBS

ong

3 Answers

9

The nginx setting you are trying to use (/etc/nginx/conf.d/myconf.conf) is for Amazon Linux 1.

But it seems that you are using Amazon Linux 2 (AL2). Thus you should be using different files for setting nginx. For AL2, the nginx settings should be in .platform/nginx/conf.d/, not in .ebextensions as shown in the docs.

Therefore, you could have the following .platform/nginx/conf.d/myconfig.conf with content:

server {
    # "ssl on;" is deprecated in nginx; TLS is enabled on the listen directive
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_prefer_server_ciphers on;

    location / {
        # forward requests to the application listening on port 5000
        proxy_pass  http://localhost:5000;
        proxy_http_version  1.1;
        proxy_set_header  Connection "";
        proxy_set_header  Host  $host;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

The above is an example only of the config file. I can't verify if the setting will actually work, but you are definitely using wrong folders to set nginx options in AL2.

My recommendation would be to try to make it work manually through ssh first. You may find that you need to overwrite the entire nginx setting, if nothing works, by providing your own .platform/nginx/nginx.conf file.

Marcin
  • 2
    Thanks Marcin, did not occur to me that it could be the wrong linux version! – ong Aug 26 '20 at 05:28
  • 1
    Thank you so much! I spent a long time looking through the AWS docs/tutorials (but I guess this was for the wrong version). I could not figure out why my configs were not showing up when I would ssh in. – Mark Colby Nov 16 '20 at 23:17
  • Does this `.platform/nginx/nginx.conf` execute before `.platform/hooks`? I have a setting like this, but it always errors that the `.crt` file does not exist. The file is generated using `certbot`, which is executed in `.platform/hooks/prebuild` – aijogja Dec 21 '20 at 07:29
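
As an added example (not part of the answer above or of any AWS tooling), a pre-deploy check of the source bundle for the three things this thread turns on: nginx files written through `.ebextensions` in the Amazon Linux 1 style, PEM private keys embedded in the bundle, and the deprecated `ssl on;` directive. The function names and finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: lint an Elastic Beanstalk source bundle before "eb deploy".
# scan_bundle prints one finding per line, with paths relative to the bundle.
scan_bundle() {
  root=$1

  # 1. nginx files written through .ebextensions "files:" entries: the
  #    Amazon Linux 1 layout from the question. Per the answer, AL2
  #    expects nginx drop-ins under .platform/nginx/conf.d/ instead.
  for f in "$root"/.ebextensions/*.config; do
    [ -f "$f" ] || continue
    if grep -Eq '^[[:space:]]*/etc/nginx/' "$f"; then
      echo "AL1_NGINX_PATH ${f#"$root"/}"
    fi
  done

  # 2. PEM private keys embedded in the bundle are stored wherever the
  #    bundle is stored: the git history and every uploaded app version.
  grep -rlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$root" 2>/dev/null |
    while IFS= read -r f; do
      echo "PRIVATE_KEY_IN_BUNDLE ${f#"$root"/}"
    done

  # 3. "ssl on;" is deprecated in nginx; TLS is enabled per listening
  #    socket with "listen 443 ssl;".
  for f in "$root"/.platform/nginx/conf.d/*.conf; do
    [ -f "$f" ] || continue
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
      echo "DEPRECATED_SSL_ON ${f#"$root"/}"
    fi
  done
}

# check_bundle prints the findings and returns 0 only for a clean bundle,
# so it can gate a deploy: check_bundle . && eb deploy
check_bundle() {
  out=$(scan_bundle "$1")
  [ -n "$out" ] && printf '%s\n' "$out"
  [ -z "$out" ]
}
```
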
8

Amazon Linux 2: you have to create the file in a folder with the same hierarchy as where you actually want to place it on Elastic Beanstalk. For example, for me in EBS I need to create a custom conf file under /etc/nginx/conf.d/elasticbeanstalk/. For that my folder structure will be: [image: folder structure]

and in file I can add my required configurations:

location / {
    try_files $uri $uri/ /index.php?$args;
}
Hassan Ali Shahzad
3

Locate the type of Amazon Linux 2 (AL2) on your Elastic Beanstalk Dashboard:

[image: Elastic Beanstalk Platform type]

Create the following directory structure from the root directory of your App:

.platform/nginx/conf.d/

Create the following file:

.platform/nginx/conf.d/01_custom_ngix.conf

Add the following to the 01_custom_ngix.conf file you created:

add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;

Git commit your changes (make sure to do this before deploying, because your code will not be deployed when using eb deploy unless you commit your changes).

Deploy your code:

> eb deploy 

options: eb deploy --verbose --debug

Verify your http response using http cli:

> http https://name-of-nodejs-server.domain.com

output:

HTTP/1.1 200 OK
Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Range
Connection: keep-alive
Content-Length: 22
Content-Type: text/html; charset=utf-8
Date: Thu, 26 Aug 2021 02:33:30 GMT
ETag: W/"16-dDAEIDLSKDKGJGJGKDLASE"
Server: nginx/1.20.0
X-Powered-By: Express

DONE

Optionally, you can also increase your client_max_body_size by adding the following to your 01_custom_ngix.conf:

client_max_body_size 1000M;
client_body_buffer_size 100M;
....
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
Gil Perez