This page looks best with JavaScript enabled

How I Enabled HTTPS on My EC2 Hosted Website

 ·  ☕ 6 min read

Introduction

In 2014, Google hinted that they are running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. This means it will affect SEO in some way. Today in the age of HTTP2, https is defualt. Default in the sense that many server software will only allow HTTP2 when https is configured.

The motivation for this post came when I wanted to enable Google Analytics on my site which is under construction. At very least I will be able to get some analytics information.

I will be using Amazon Linux 2 which seems to be made on top of CentOS, but certainly is not CentOS.

Installation

In this section, I’ll guide you through the installation process of nginx. If you already have an instance of nginx running, you can skip to the configuration steps. Second thing to install is the certbot.

I would enter following command in the terminal:

sudo yum install nginx certbot-nginx

First thing to do after installing nginx is to start and enable the service.

sudo systemctl enable nginx
sudo systemctl start nginx

With this done, we can proceed to the configuration stage.

Configuration

First things first, let’s see if our side works without HTTPS.

nginx

My /etc/nginx/nginx.conf is almost identical to the default instance. The only difference is in the server` block where I have removed the instance of default_server.

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;

to

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;

This is for the main config. Now I choose to use separate configs for each of my domain. For that, conf.d subdirectory can be used to place configuration files.

This is my santosh.pictures.conf:

server {
	listen 80;
	listen [::]:80;
	root /var/www/html;
	server_name santosh.pictures;

	location / {
		proxy_pass http://localhost:4500;
	}
}

Thing to note here is that I have a Go application running on port 4500, and the domain I own is santosh.pictures. The above application has my gtag being hosted in an index.html, and the text Website under construction.

After configuring this, you can reload the configuration.

sudo systemctl reload nginx

With this, I have just configured reverse proxy for my application. My site right now appear like this.

santosh.pictures without https
santosh.pictures without https

Now I am going ahead to configure certbot.

certbot

Installing certbot-nginx also installs certbot. certbot-nginx makes our work by automating the renewal of certificate automatically.

To get started with cerbot, you have nothing much to do. This is a very automated process. You will be asked for some input. Here is how my prompt looked like when configuring the bot.

ec2-user at ip-172-31-45-160 in /efs/repos $ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): sntshkmr60@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: santosh.pictures
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for santosh.pictures
Performing the following challenges:
http-01 challenge for santosh.pictures
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/santosh.pictures.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/santosh.pictures.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://santosh.pictures
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/santosh.pictures/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/santosh.pictures/privkey.pem
   Your certificate will expire on 2021-07-10. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This is going to change my santosh.pictures.conf to something like this:

server {
    root /var/www/html;
    server_name santosh.pictures;

    location / {
        proxy_pass http://localhost:4500;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/santosh.pictures/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/santosh.pictures/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = santosh.pictures) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name santosh.pictures;
    return 404; # managed by Certbot
}

Once every change is done. You can reload the nginx service with systemctl reload nginx.

At this point, my address bar looks like this.

santosh.pictures with secure http
santosh.pictures with secure http

Conclusion

HTTPS is the new HTTP nowadays already. For next time, I have thought to cover this nginx thing with either Terraform or Docker. Feel free to share it with your network if you found it useful.

Share on

Santosh Kumar
WRITTEN BY
Santosh Kumar
Fullstack Developer at Method Studios