Configuring HTTPS Termination at the instance - AWS Elastic Beanstalk

Configuring HTTPS Termination at the instance

You can use configuration files to configure the proxy server that passes traffic to your application to terminate HTTPS connections. This is useful if you want to use HTTPS with a single instance environment, or if you configure your load balancer to pass traffic through without decrypting it.

To enable HTTPS, you must allow incoming traffic on port 443 to the EC2 instance that your Elastic Beanstalk application is running on. You do this by using the Resources key in the configuration file to add a rule for port 443 to the ingress rules for the AWSEBSecurityGroup security group.

The following snippet adds an ingress rule to the AWSEBSecurityGroup security group that opens port 443 to all traffic for a single instance environment:

.ebextensions/https-instance-securitygroup.config

Resources: sslSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]} IpProtocol: tcp ToPort: 443 FromPort: 443 CidrIp: 0.0.0.0/0

In a load-balanced environment in a default Amazon Virtual Private Cloud (Amazon VPC), you can modify this policy to only accept traffic from the load balancer. See Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment for an example.