amazon-elastic-beanstalkebextensions

Elastic Beanstalk .ebextentsion - how to make it default to TLSv1.2


Linux 2 for Elastic Beanstalk written in Java

Below is my .platform/nginx/conf.d/https.conf file. When I run this, my Load Balancer defaults to ELBSecurityPolicy-2016-08. I only want ELBSecurityPolicy-TLS-1-2-2017-01 selected when I do this. What am I doing wrong?

server {
   listen 443 ssl;
   server_name  localhost;
   server_tokens off;

   access_log /var/log/nginx/ssl_access.log main;

   # access_log off;
   # ssl                  on;
   ssl_certificate      /etc/pki/tls/certs/server.crt;
   ssl_certificate_key  /etc/pki/tls/certs/server.key;

   ssl_session_timeout  5m;

   ssl_protocols  TLSv1.2;   
   ssl_prefer_server_ciphers   on;

   location /subd {
      proxy_pass  http://127.0.0.1:8443/subd;
      proxy_set_header   Connection "";
      proxy_http_version 1.1;
      proxy_set_header        Host            $host;
      proxy_set_header        X-Real-IP       $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  }

}

Solution

  • It can be done with the load balancer, yes.

    On EB, I had SSL terminating at the ELB though not on the server (80=>instance:80, 443=>instance:8443). The solution was as follows (credit fully to the author of this gist).

    Current named policies for classic load balancers are on AWS' site.

    Create a new file .ebextension/change-elb-tls-policy.config

    option_settings:
      - namespace: aws:elb:policies:tlspolicy
        option_name: LoadBalancerPorts 
        value: 443    
      - namespace: aws:elb:policies:tlspolicy
        option_name: SSLReferencePolicy
        value: ELBSecurityPolicy-TLS-1-2-2017-01