ahelord · September 11, 2020 07:26 · ahelord · Sep 11, 2020
diff --git a/https-instance.config b/https-instance.config
 Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

 files:
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }

  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen       443 default ssl;
        server_name  localhost;
        error_page  497 https://$host$request_uri;

        ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;

        ssl_session_timeout  5m;
        ssl_protocols  TLSv1.2 TLSv1.3;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers   on;

        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;

          proxy_set_header Connection "";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }

 container_commands:
  10_installepel:
    command: "sudo yum reinstall -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
  20_installcertbot:
    command: "sudo yum install -y certbot"
  30_getcert:
    command: "sudo certbot certonly --standalone --debug --non-interactive --email $EMAIL --agree-tos --domains $DOMAIN \
                --expand --renew-with-new-domains --pre-hook \"service nginx stop\""
  40_link:
    command: "sudo ln -sf /etc/letsencrypt/live/$DOMAIN /etc/letsencrypt/live/ebcert"
  50_config:
    command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
  60_cronjobsetrenewal:
    command: '(crontab -l ; echo ''0 6 * * * root certbot renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start" --force-renew'') | crontab -'
	Resources:
	sslSecurityGroupIngress:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
	IpProtocol: tcp
	ToPort: 443
	FromPort: 443
	CidrIp: 0.0.0.0/0

	files:
	/etc/nginx/conf.d/000_http_redirect_custom.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	server {
	listen 8080;
	return 301 https://$host$request_uri;
	}

	/etc/nginx/conf.d/https_custom.pre:
	mode: "000644"
	owner: root
	group: root
	content: \|
	# HTTPS server
	server {
	listen 443 default ssl;
	server_name localhost;
	error_page 497 https://$host$request_uri;

	ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;

	ssl_session_timeout 5m;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_prefer_server_ciphers on;

	location / {
	proxy_pass http://docker;
	proxy_http_version 1.1;

	proxy_set_header Connection "";
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	}

	container_commands:
	10_installepel:
	command: "sudo yum reinstall -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
	20_installcertbot:
	command: "sudo yum install -y certbot"
	30_getcert:
	command: "sudo certbot certonly --standalone --debug --non-interactive --email $EMAIL --agree-tos --domains $DOMAIN \
	--expand --renew-with-new-domains --pre-hook \"service nginx stop\""
	40_link:
	command: "sudo ln -sf /etc/letsencrypt/live/$DOMAIN /etc/letsencrypt/live/ebcert"
	50_config:
	command: "mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
	60_cronjobsetrenewal:
	command: '(crontab -l ; echo ''0 6 * * * root certbot renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start" --force-renew'') \| crontab -'