bluengreen · April 12, 2018 06:46
diff --git a/.ebextension-lets-encrypt.yaml b/.ebextension-lets-encrypt.yaml
 Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
      
 packages:
  yum:
    mod24_ssl : []

 files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    /etc/letsencrypt/live/ebcert/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ebcert/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/ebcert/chain.pem
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On
        SSLSessionTickets     Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        #RequestHeader set X-Forwarded-Proto "https" early

      </VirtualHost>
      
 container_commands:
  10_stop_httpd:
    command: "sudo service httpd stop"
  20_install_certbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  30_get_cert:
    command: "sudo ./certbot-auto certonly --non-interactive --email ${certemail} --agree-tos --standalone --domains ${certdomain} --keep-until-expiring"
  40_link:
    command: "sudo ln -sf /etc/letsencrypt/live/${certdomain} /etc/letsencrypt/live/ebcert"
  40_start_httpd:
    command: "sudo service httpd start"
	Resources:
	sslSecurityGroupIngress:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
	IpProtocol: tcp
	ToPort: 443
	FromPort: 443
	CidrIp: 0.0.0.0/0

	packages:
	yum:
	mod24_ssl : []

	files:
	/etc/httpd/conf.d/ssl.conf:
	mode: "000644"
	owner: root
	group: root
	content: \|
	LoadModule ssl_module modules/mod_ssl.so
	Listen 443
	<VirtualHost *:443>
	<Proxy *>
	Order deny,allow
	Allow from all
	</Proxy>

	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/ebcert/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/ebcert/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/ebcert/chain.pem
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	SSLProtocol All -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	SSLSessionTickets Off

	Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
	Header always set X-Frame-Options DENY
	Header always set X-Content-Type-Options nosniff

	ProxyPass / http://localhost:80/ retry=0
	ProxyPassReverse / http://localhost:80/
	ProxyPreserveHost on
	#RequestHeader set X-Forwarded-Proto "https" early

	</VirtualHost>

	container_commands:
	10_stop_httpd:
	command: "sudo service httpd stop"
	20_install_certbot:
	command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
	30_get_cert:
	command: "sudo ./certbot-auto certonly --non-interactive --email ${certemail} --agree-tos --standalone --domains ${certdomain} --keep-until-expiring"
	40_link:
	command: "sudo ln -sf /etc/letsencrypt/live/${certdomain} /etc/letsencrypt/live/ebcert"
	40_start_httpd:
	command: "sudo service httpd start"