Deploy PHP webapp over https on Elastic Search

All we need is an easy explanation of the problem, so here it is.

In my company it’s our first time using AWS Elastic Beanstalk to deploy webapps and we are having difficulties to make it work over https. The application is running in single node (we aren’t using a load balancer) and is written with CodeIgniter 3 in PHP 8.0 running over the EB platform v3.3.10. Now we have an environment with it working over http, while we try make it work over https.

We are using Apache as proxy server and we have generated the configuration files as mentioned in the docs. But we keep receiving errors during the deployment:
deployment error snapshot

To simplify things we started trying to deploy a simple "hello world" app and make it work over https, but we keep failing… we don’t know what we are failing at, what we are doing wrong…

The config files that we have made are the following ones.

https-instance-single.config

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

And https-instance.config

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On
        SSLSessionTickets     Off
        
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        
        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
      </VirtualHost>
  
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      My certificate
      -----END CERTIFICATE-----
  
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      My private key
      -----END RSA PRIVATE KEY-----

The "funny" thing is that if we change mod24_ssl for just mod_ssl, it doesn’t produce an error while deploying it, but still it doesn’t work and doesn’t expose the 443 port. We have checked it with telnet and it’s closed.

We have checked in the security group that HTTP and HTTPS inbound traffic is enabled.

We suppose that we are not the first ones having this problem and it might be something that we have done wrong and hopefully something easy to make it work. So if someone reads this and knows what could it be, we really appreciate any help that you can provide.

Thank you

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

Version 3.3.10 is based on Amazon Linux 2 (AL2), however all your settings are for AL1 which do not work in the new version.

To property setup your httpd in EB based on AL2 you have to use .platform folder, not .ebextentions. All details are in AWS Docs under Reverse proxy configuration and Configuring Apache HTTPD sections.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply