How to add SSL/TLS to an AWS EC2 instance so the site is served over HTTPS


After deploying the Python app to AWS EC2, you can reach it over plain HTTP.

The following steps show how to serve the website over HTTPS instead.

First, log in to the EC2 instance over SSH.

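# Install acme.sh for ec2-user. It lands in /home/ec2-user/.acme.sh and
# registers a daily cron job that renews certificates. -f makes curl fail on
# an HTTP error instead of piping an error page into sh, -sS keeps it quiet
# except for errors. Piping a remote script into sh is a supply-chain risk:
# download and read it first if you need to audit what runs. To receive
# Let's Encrypt expiry notices, append "-s email=<your-email>" after sh.
curl -fsSL https://get.acme.sh | sh
# The HTTP-01 challenge files are written under <webroot>/.well-known/, so
# create that path first: the chown/chmod below would fail on a directory
# that does not exist yet (acme.sh only creates it during --issue).
mkdir -p /home/ec2-user/firstweb/.well-known/acme-challenge
# Owned by ec2-user (acme.sh writes the challenge files) with nginx as the
# group; 755 lets the nginx worker read them. Files do not need the x bit,
# but the recursive mode is harmless for this directory.
sudo chown -R ec2-user:nginx /home/ec2-user/firstweb/.well-known
sudo chmod -R 755 /home/ec2-user/firstweb/.well-known
# Issue one certificate covering both names, webroot mode, against Let's
# Encrypt. This only succeeds when nginx already serves
# http://winjob.ai/.well-known/acme-challenge/ from the -w directory, i.e.
# the HTTP server block below is in place and nginx has been reloaded; on a
# first run do the nano step first and then re-run this command.
/home/ec2-user/.acme.sh/acme.sh --issue -d winjob.ai -d www.winjob.ai -w /home/ec2-user/firstweb --server letsencrypt
# Open the nginx site config and paste the HTTP server block below.
sudo nano /etc/nginx/conf.d/firstweb.conf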
# HTTP server block used while the certificate is being issued: it serves
# the ACME HTTP-01 challenge from the webroot and proxies everything else to
# the app. Once the certificate exists this block is replaced by the
# redirect + HTTPS pair further down.
server {
  listen 80;
  listen [::]:80;
  server_name winjob.ai www.winjob.ai;

  # ^~ is a prefix match that stops regex location evaluation, so no later
  # regex location can shadow the challenge path.
  location ^~ /.well-known/acme-challenge/ {
    root /home/ec2-user/firstweb; # must be the same directory passed to acme.sh -w
    allow all; # the challenge must be reachable anonymously by the CA's validators
    try_files $uri =404; # serve the token file or 404; never fall through to the proxy
  }

  location / {
    # Everything else goes to Gunicorn on the loopback interface
    proxy_pass http://localhost:5000;
    # Forward the original host, client IP and scheme so the app sees the
    # real request. $proxy_add_x_forwarded_for appends to any X-Forwarded-For
    # the client sent, so the app must only trust the last (nginx-added)
    # entry when deriving the client IP.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upload limit for request bodies (nginx's default is 1M)
    client_max_body_size 10M; # adjust to the largest upload the app must accept
  }

  # ... rest of your server block ...
}
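# nginx runs its workers as the "nginx" user, which has to traverse
# /home/ec2-user down to the webroot to read the challenge files. o+x adds
# search permission only (no read), so other local users can enter these
# directories when they already know a path but still cannot list them.
# A webroot outside the home directory (e.g. under /var/www) avoids
# loosening the home directory at all.
sudo chmod o+x /home /home/ec2-user /home/ec2-user/firstweb
sudo chown -R ec2-user:nginx /home/ec2-user/firstweb/.well-known
sudo chmod -R 755 /home/ec2-user/firstweb/.well-known
# SELinux label so the web server may read the directory. chcon does not
# survive a filesystem relabel; for a persistent rule use
# "semanage fcontext" plus restorecon (policycoreutils-python-utils).
sudo chcon -Rt httpd_sys_content_t /home/ec2-user/firstweb/.well-known
# Locate the directory acme.sh stored the certificate in. With an ECC key
# (the default in current acme.sh) the directory is named winjob.ai_ecc, so
# an exact -name "winjob.ai" match finds nothing; match the prefix instead.
find /home/ec2-user/.acme.sh -maxdepth 1 -type d -name 'winjob.ai*'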

Update the nginx config so that the HTTP block only answers the ACME challenge and redirects everything else to HTTPS:

# Replace the HTTP server block with the redirect + HTTPS pair below.
sudo nano /etc/nginx/conf.d/firstweb.conf
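# HTTP server block: answers the ACME challenge (needed again at every
# renewal) and redirects everything else to HTTPS.
server {
  listen 80;
  listen [::]:80;
  server_name winjob.ai www.winjob.ai;

  # Must stay reachable over plain HTTP: Let's Encrypt validates HTTP-01 on
  # port 80 and acme.sh's cron job renews through this same path.
  location ^~ /.well-known/acme-challenge/ {
    root /home/ec2-user/firstweb; # same directory as acme.sh -w
    allow all; # the challenge must be reachable anonymously by the CA's validators
    try_files $uri =404; # serve the token file or 404; never redirect the challenge
  }

  # Redirect all other requests to HTTPS. $server_name is the first name of
  # the server_name directive (winjob.ai), so www.winjob.ai requests land on
  # the apex host; it is used instead of $host so a client-supplied Host
  # header is never reflected into the redirect target.
  location / {
    return 301 https://$server_name$request_uri;
  }
}

# HTTPS server block
server {
  # "http2" on the listen line is deprecated since nginx 1.25.1 in favour of
  # a separate "http2 on;" directive but is still accepted.
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name winjob.ai www.winjob.ai;

  # Certificate files as written by acme.sh --issue (ECC key -> _ecc dir).
  # nginx reads them as root at start/reload, so the key file can stay 0600.
  # nginx keeps the loaded certificate in memory: after acme.sh renews it,
  # nginx must be reloaded or it keeps serving the old one until it expires.
  # acme.sh --install-cert ... --reloadcmd "sudo systemctl reload nginx"
  # (see the acme.sh README) wires that reload into the renewal.
  ssl_certificate /home/ec2-user/.acme.sh/winjob.ai_ecc/fullchain.cer;
  ssl_certificate_key /home/ec2-user/.acme.sh/winjob.ai_ecc/winjob.ai.key;

  # Restrict to TLS 1.2/1.3 explicitly; nginx builds before 1.23.4 otherwise
  # still offer TLS 1.0/1.1. Only AEAD ECDHE/DHE suites, so every session
  # has forward secrecy (Mozilla "intermediate" list); HIGH:!aNULL:!MD5
  # would still allow CBC and non-PFS RSA key exchange suites.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 10m;

  # HSTS: browsers that have seen this header refuse plain HTTP for the site
  # for a year. Enable it only once HTTPS is confirmed working (the openssl
  # check below), because a broken HTTPS setup then locks those browsers out.
  # "always" also sends it on error responses.
  add_header Strict-Transport-Security "max-age=31536000" always;

  location / {
    # Proxy to Gunicorn. 127.0.0.1 rather than localhost so nginx does not
    # also resolve ::1 and try it first when the app only listens on IPv4.
    proxy_pass http://127.0.0.1:5000;
    # Forward the original host, client IP and scheme so the app sees the
    # real request. $proxy_add_x_forwarded_for appends to any X-Forwarded-For
    # the client sent, so the app must only trust the last (nginx-added)
    # entry when deriving the client IP. X-Forwarded-Proto is "https" here,
    # which lets the app emit secure cookies and absolute https:// URLs.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upload limit for request bodies (nginx's default is 1M)
    client_max_body_size 10M; # adjust to the largest upload the app must accept
  }

  # ... rest of your server block for HTTPS ...
}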
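# Validate the config before reloading; chaining with && means a typo in the
# file never triggers a reload (systemctl reload would refuse a broken config
# anyway, but the failure is clearer this way).
sudo nginx -t && sudo systemctl reload nginx
# Confirm the redirect: expect "301" and a Location: https://... header.
curl -sSI http://winjob.ai/ | head -n 3
# Confirm the served certificate for every name on it. The original used a
# placeholder host (yourdomain.com) here; the names must match the -d
# arguments given to acme.sh. -servername sends SNI, without which a default
# vhost's certificate may be returned instead. </dev/null closes stdin so
# s_client exits once the handshake is done.
for domain in winjob.ai www.winjob.ai; do
  openssl s_client -servername "$domain" -connect "$domain:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
done
# nginx keeps the loaded certificate in memory, so a renewal must trigger a
# reload or the old certificate is served until it expires. The documented
# way is acme.sh --install-cert -d winjob.ai --key-file <key-path>
# --fullchain-file <chain-path> --reloadcmd "sudo systemctl reload nginx",
# with the nginx ssl_certificate* paths pointed at those copies.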
