Set up (AWS) Amazon Elastic Beanstalk to work with Let's Encrypt.

What is Let's Encrypt?

Let’s Encrypt is a free, automated, and open Certificate Authority.


To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

Set up Let's Encrypt for your PHP Beanstalk Application.


Prepare your zipped project.

My project folders and files


My zipped project.


Create .ebextensions Folder

Before you zip the project, make sure it already contains .ebextensions/*.config. Create an https.config file under .ebextensions; you can use your own file name for your *.config files.
Resources:
    sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
            GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
            IpProtocol: tcp
            ToPort: 443
            FromPort: 443
            CidrIp: 0.0.0.0/0

files:
    /etc/httpd/conf.d/default.conf:
        mode: "000644"
        owner: root
        group: root
        content: |
            <VirtualHost *:80>
                RewriteEngine On
                DocumentRoot /var/www/html/ovideo
                ServerName teahrm.id
            </VirtualHost>
    /etc/httpd/conf.d/ssl.pre:
        mode: "000644"
        owner: root
        group: root
        content: |
            LoadModule ssl_module modules/mod_ssl.so
            Listen 443

            <VirtualHost *:443>
                <Directory /opt/python/current/app/build/static>
                    Order deny,allow
                    Allow from all
                </Directory>
                
                SSLEngine on
                SSLCertificateFile "/etc/letsencrypt/live/teahrm.id/fullchain.pem"
                SSLCertificateKeyFile "/etc/letsencrypt/live/teahrm.id/privkey.pem"
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
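                # "All" minus SSLv2/SSLv3 still leaves TLS 1.0 and 1.1 enabled;
                # use "-all +TLSv1.2" instead if every client supports TLS 1.2.
                SSLProtocol All -SSLv2 -SSLv3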
                SSLHonorCipherOrder On
                SSLSessionTickets Off
                
                Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
                Header always set X-Frame-Options DENY
                Header always set X-Content-Type-Options nosniff
                
                ProxyPass / http://localhost:80/ retry=0
                ProxyPassReverse / http://localhost:80/
                ProxyPreserveHost on
                RequestHeader set X-Forwarded-Proto "https" early
                # If you have pages that may take awhile to
                # respond, add a ProxyTimeout:
                # ProxyTimeout seconds
            </VirtualHost>

    /tmp/renew_cert_cron:
        # Source for root's crontab: readable is enough, it must not be world-writable.
        mode: "000644"
        owner: root
        group: root
        content: |
            # renew Lets encrypt cert with certbot command
            0 1,13 * * * /tmp/certbot-auto renew

packages:
    yum:
        epel-release: []
        mod24_ssl: []

# Steps here
# 1. Install certbot
# 2. Get cert (stop apache before grabbing)
# 3. Link certs where Apache can grab
# 4. Get the Apache config in place
# 5. Move certbot-auto into tmp folder
container_commands:
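    # certbot-auto has since been deprecated by the Certbot project; check the
    # current Certbot install instructions for your platform.
    10_installcertbot:
        command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"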
    20_getcert:
        command: "sudo ./certbot-auto certonly --debug --non-interactive --email mhyusufibrahim@gmail.com --agree-tos --apache --domains teahrm.id --keep-until-expiring"
    30_link:
        command: "sudo ln -sf /etc/letsencrypt/live/teahrm.id /etc/letsencrypt/live/ebcert"
    40_config:
        command: "sudo mv /etc/httpd/conf.d/ssl.pre /etc/httpd/conf.d/ssl.conf"
    50_mv_certbot_to_temp_for_cron_renew:
        command: "sudo mv ./certbot-auto /tmp"
    60_create_cert_crontab:
        command: "sudo crontab /tmp/renew_cert_cron"
    70_delete_cronjob_file:
        command: "sudo rm /tmp/renew_cert_cron"
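
Before zipping, it helps to lint the .config file for the settings that matter most here. The script below is an added example, not part of the original post: it works out which protocols an SSLProtocol line really leaves enabled, and flags world-writable file modes and cron entries that run a program from /tmp. The expansion of "All" and the choice of checks are assumptions, and the sample input is constructed from the config above.

```python
import re

# Assumption: what "All" expands to on the OpenSSL 1.0.x mod_ssl builds this page targets.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(directive):
    """Apply mod_ssl's rule: a bare name replaces the set, +name adds, -name removes."""
    enabled = set()
    for token in directive.split()[1:]:
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-")
        group = set(ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= group
        else:  # "+" adds to the set, a bare name replaces it
            enabled = (enabled | group) if sign == "+" else group
    return enabled

def audit(config_text):
    """Return (line_number, finding) tuples for an .ebextensions config."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        s = line.strip()
        m = re.match(r'mode:\s*"?(\d+)"?$', s)
        if m and int(m.group(1), 8) & 0o002:
            findings.append((n, "world-writable file mode " + m.group(1)))
        if s.startswith("SSLProtocol"):
            weak = sorted(effective_protocols(s) & LEGACY)
            if weak:
                findings.append((n, "legacy protocols enabled: " + ", ".join(weak)))
        if re.match(r"(\S+\s+){5}/tmp/", s):  # five cron time fields, then the command
            findings.append((n, "cron job runs a program stored in /tmp"))
    return findings

# Constructed sample modelled on the config above.
SAMPLE = '''\
files:
    /tmp/renew_cert_cron:
        mode: "000777"
        content: |
            0 1,13 * * * /tmp/certbot-auto renew
    /etc/httpd/conf.d/ssl.pre:
        content: |
            SSLProtocol All -SSLv2 -SSLv3
'''

if __name__ == "__main__":
    print("\n".join(f"line {n}: {f}" for n, f in audit(SAMPLE)))
```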


Upload to your Beanstalk






The Final Result


HTTPS installed.

