Configuring HTTPS Termination at the instance
You can use configuration files to configure the proxy server that passes traffic to your application to terminate HTTPS connections. This is useful if you want to use HTTPS with a single instance environment, or if you configure your load balancer to pass traffic through without decrypting it.
To enable HTTPS, you must allow incoming traffic on port 443 to the EC2 instance that your Elastic Beanstalk application is running on. You do this by using the Resources key in the configuration file to add a rule for port 443 to the ingress rules for the AWSEBSecurityGroup security group.
The following snippet adds an ingress rule to the AWSEBSecurityGroup security group that opens port 443 to all traffic for a single instance environment:
.ebextensions/https-instance-securitygroup.config
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
In a load-balanced environment in a default Amazon Virtual Private Cloud (Amazon VPC), you can modify this policy to only accept traffic from the load balancer. See Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment for an example.
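The restricted variant described above, as an added example that is not part of the original page. It assumes the environment uses a Classic Load Balancer created by Elastic Beanstalk under the logical resource name AWSEBLoadBalancer; the file name is hypothetical.

```yaml
# .ebextensions/https-instance-securitygroup-lb-only.config  (hypothetical file name)
# Added example: same ingress rule as above, but the source is the load
# balancer's security group instead of CidrIp: 0.0.0.0/0.
# Assumption: a Classic Load Balancer with logical name AWSEBLoadBalancer
# in a default VPC.
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      # Only connections originating from the load balancer reach port 443
      # on the instance; direct connections from other sources are not allowed.
      SourceSecurityGroupName: {"Fn::GetAtt" : ["AWSEBLoadBalancer", "SourceSecurityGroup.GroupName"]}
```

With this rule in place, the instance security group should contain no port 443 entry whose source is 0.0.0.0/0, which you can confirm by reviewing the group's inbound rules after deployment.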
Platforms
- Terminating HTTPS on EC2 instances running Docker
- Terminating HTTPS on EC2 instances running Go
- Terminating HTTPS on EC2 instances running Java SE
- Terminating HTTPS on EC2 instances running Node.js
- Terminating HTTPS on EC2 instances running PHP
- Terminating HTTPS on EC2 instances running Python
- Terminating HTTPS on EC2 instances running Ruby
- Terminating HTTPS on EC2 instances running Tomcat
- Terminating HTTPS on Amazon EC2 instances running .NET Core on Linux
- Terminating HTTPS on Amazon EC2 instances running .NET