Enable HTTPS on Amazon Beanstalk in Spring Boot application


Viewed 646 times

4

I’m finding it difficult to enable HTTPS in an app on Amazon Beanstalk with a single instance.

The application is developed in Java (Spring Boot) with embedded Tomcat, and for deployment I used the generated .jar file. The application is functional and a domain has already been added. It works perfectly on the HTTP port.

I have requested, and already have available, a certificate attached to the corresponding domain through the Amazon console in "Certificate Manager".

From the tutorials it seems that when the instance uses a load balancer, Amazon simplifies the use of the generated certificate. However, the application is using a single instance, and for this case the manuals instruct enabling it via configuration files, and this is the part where I’m "stuck".

I tried to follow the following tutorials:

However, I don’t know exactly whether I should create or edit files and directories, and where, especially because in the application's S3 I have the following architecture.

[Image: the application's S3]

In short, I ask for help to configure my application to accept https requests using the certificate generated in Amazon.

Grateful.

2 answers

2

In fact, it seems that it is not very obvious how to do this with Spring Boot.

However, I don’t know exactly whether I should create or edit files and directories, and where, especially because in the application's S3 I have the following architecture.

It goes at the root of the Spring Boot JAR.

It seems that the simplest way to do this is with Maven.

Add the .ebextensions folder at the root of your project and add the following plugin at the end of the plugins section of your project's pom.xml:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-antrun-plugin</artifactId>
    <version>1.6</version>
    <executions>
        <execution>
            <id>prepare</id>
            <phase>package</phase>
            <configuration>
                <tasks>
                    <unzip src="${project.build.directory}/${project.build.finalName}.jar" dest="${project.build.directory}/${project.build.finalName}" />
                    <copy todir="${project.build.directory}/${project.build.finalName}/" overwrite="false">
                        <fileset dir="./" includes=".ebextensions/**"/>
                    </copy>
                    <zip compress="false" destfile="${project.build.directory}/${project.build.finalName}.jar" basedir="${project.build.directory}/${project.build.finalName}"/>
                </tasks>
            </configuration>
            <goals>
                <goal>run</goal>
            </goals>
        </execution>
    </executions>
</plugin>

This plugin will use Ant to unzip the final Spring Boot JAR, copy the .ebextensions folder to the root of the JAR content, and compress the content into a new JAR with the same name as the original.

  • Thanks for the reply. Wouldn't this procedure result in the creation of the directory at the root of the place where the app was deployed?

  • Would it be different from creating the .ebextensions directory manually in the AWS console?

  • @Duiliobenjoino, for the first question, I understand that it would not. From what I read in the documentation, it needs to be inside the JAR/WAR itself. I recommend doing a test to see if it works.

  • I am trying to perform the test but still find it difficult to create the files correctly, especially the file that needs the certificate data. Can the certificate generated by AWS be used in this scheme?

  • @Duiliobenjoino, that seems to me to be another question. I suggest opening a new question about how this .ebextensions configuration should be made, because I understood from your original question that your doubt was about the file location and how to put it in the application with Spring Boot.

  • Due to the complexity found and lack of time to resolve the issue, I chose to use a load balancer. This way it was simple to set up and became functional. Now I just have to wait to check the costs involved. Anyway, thank you for your attention.


1

After some searching and performing this procedure manually, here is the step-by-step to bring up a Spring Boot application with HTTPS on a single-instance Elastic Beanstalk environment. As @Duiliobenjoino said in the comments, he managed to perform the procedure with a load balancer, since AWS automates the inclusion of the SSL certificate, leaving everything simpler; on the other hand, it is a little more complex when we do not have a load balancer.

This description is a compilation of the official documentation: https://docs.aws.amazon.com/pt_br/elasticbeanstalk/latest/dg/https-singleinstance-java.html

According to the official link, to enable HTTPS in a Java SE environment, which is the case for Spring Boot, a folder called .ebextensions must be packaged together with the bytecode. That folder must have 3 files, which are:

  1. .ebextensions/https-instance.config
  2. .ebextensions/https-instance-single.config
  3. .ebextensions/nginx/conf.d/https.conf

An important remark about the first two files: I had a little trouble generating them correctly, because they can be sent in two formats, YAML or JSON. As the documentation recommends YAML because it is more readable, that was the format I chose, but I had never used it and did not pay attention to formatting, something that is very clear in the documentation and that must be followed for everything to work: "always use spaces to indent the keys at different nesting levels". This means you should use a text editor that uses spaces to format the file; in my case I used IntelliJ, which does this by default for YAML files.

When creating a new file in IntelliJ with the .config extension, you will be asked which editor you want to associate this file with: YAML.

[Image: how to associate the .config file with the YAML editor in IntelliJ]

Follow the documentation for more information about the configuration files: https://docs.aws.amazon.com/pt_br/elasticbeanstalk/latest/dg/ebextensions.html

The first file refers to the SSL certificate, its private key and a command to restart Nginx. I will not go into detail on generating this self-signed certificate, as it is very detailed here. At the end of the certificate generation there were two files, server.crt and privatekey.pem, respectively. Put the content of the certificate inside content under the path /etc/pki/tls/certs/server.crt and the content of the key inside content under the path /etc/pki/tls/certs/server.key, ending up like this (pay close attention to the formatting):


The second file refers to the instance's security group. As we are configuring a single-instance environment, this setting is mandatory: it adds a rule to this instance's security group that enables traffic on port 443. Just copy the code into the file as it is in the documentation.

The third file refers to the Nginx configuration. Nginx is a reverse proxy that comes by default in the Elastic Beanstalk environment; it has a default configuration, but to enable HTTPS we need to replace it. Just copy the code into the file as it is in the documentation, replacing the app_port value with the port number of your application.

With the 3 files created your Spring Boot project should look like this:


The project is ready to be sent to Elastic Beanstalk with HTTPS enabled. The problem is that the default jar generated by the Spring Boot plugin does not contain the .ebextensions folder. To generate a jar that contains this folder it is necessary, just as @Dherik commented in his reply, to add a new plugin. I did exactly as he put it, with just one change in the zip tag: in the destfile property I put AWS at the end of the name, to differentiate the Spring Boot jar from the AWS-specific one.

destfile="${project.build.directory}/${project.build.finalName}-AWS.jar"

Follow the link to the example project created for possible questions: https://github.com/pedrobacchini/EnableHTTPSElasticBeanstalk

Regarding the use of the certificate generated by AWS, I believe it is necessary to copy the certificate and private key as I described for the self-signed certificate, and it should work normally. I am not sure, because I did not test this case, since the self-signed certificate was enough.
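
An added example (not part of either answer or of the linked project): a pre-upload check that the three files listed in the second answer sit at the root of the JAR, as the first answer requires, that the .config files are not indented with tabs, and that flags a private key stored inline, since anyone who can read the JAR can read that key. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# The three files the answer lists, relative to the JAR root.
REQUIRED = (
    ".ebextensions/https-instance.config",
    ".ebextensions/https-instance-single.config",
    ".ebextensions/nginx/conf.d/https.conf",
)
KEY_MARKER = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def check_bundle(jar_bytes):
    """Return a list of findings for a JAR meant for Elastic Beanstalk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        for path in REQUIRED:
            if path not in names:
                # Point out a copy that was packaged below the root instead.
                nested = sorted(n for n in names if n.endswith("/" + path))
                hint = " (found nested at %s)" % nested[0] if nested else ""
                findings.append("missing at JAR root: %s%s" % (path, hint))
        for name in sorted(names):
            if not (name.startswith(".ebextensions/") and name.endswith(".config")):
                continue
            text = jar.read(name).decode("utf-8", errors="replace")
            for num, line in enumerate(text.splitlines(), 1):
                indent = line[: len(line) - len(line.lstrip())]
                if "\t" in indent:
                    findings.append("%s:%d: tab used for indentation" % (name, num))
                if KEY_MARKER.search(line):
                    findings.append("%s:%d: private key embedded in the bundle" % (name, num))
    return findings

def build_sample(files):
    """Build a constructed in-memory JAR (a ZIP archive) from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, text in files.items():
            jar.writestr(path, text)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a tab and an inline key; two required files absent.
    sample = build_sample({".ebextensions/https-instance.config":
        "files:\n\t/etc/pki/tls/certs/server.key:\n      -----BEGIN RSA PRIVATE KEY-----\n"})
    print("\n".join(check_bundle(sample)))
```

For a real build, pass the bytes of the packaged JAR to check_bundle before uploading it.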
