diff --git a/.ebextensions/00_cleanup.config b/.ebextensions/00_cleanup.config
new file mode 100644
index 000000000..ede6b116b
--- /dev/null
+++ b/.ebextensions/00_cleanup.config
@@ -0,0 +1,5 @@
+commands:
+ 10_cleanup:
+ command: |
+ sudo rm -f /opt/elasticbeanstalk/hooks/configdeploy/post/*
+ sudo rm -f /etc/nginx/conf.d/*
\ No newline at end of file
diff --git a/.ebextensions/01_setup.config b/.ebextensions/01_setup.config
new file mode 100644
index 000000000..e3214f8fe
--- /dev/null
+++ b/.ebextensions/01_setup.config
@@ -0,0 +1,13 @@
+Resources:
+ sslSecurityGroupIngress:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
+ IpProtocol: tcp
+ ToPort: 443
+ FromPort: 443
+ CidrIp: 0.0.0.0/0
+
+packages:
+ yum:
+ epel-release: []
\ No newline at end of file
diff --git a/.ebextensions/02_nginx.config b/.ebextensions/02_nginx.config
new file mode 100644
index 000000000..b93ea16e5
--- /dev/null
+++ b/.ebextensions/02_nginx.config
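Review bot: `sudo rm -f /opt/elasticbeanstalk/hooks/configdeploy/post/*` and `sudo rm -f /etc/nginx/conf.d/*` in `10_cleanup` wipe whole directories rather than the files this project owns, so any platform-provided post-configdeploy hook or nginx vhost is silently removed on every deploy. Elastic Beanstalk documents the `commands` section as running after `files`, so as far as I can tell the second `rm` would also delete the `http_custom.conf` and `https_custom.pre` that `02_nginx.config` writes, and the first would delete the `99_kill_default_nginx.sh` hook from `04_configdeploy_post_hooks.config` — worth verifying on a real deploy, and if so the cleanup should target only what it means to remove, e.g. `rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf`. `sudo` is redundant here since `commands` already run as root; dropping it removes a dependency on the sudoers configuration. A one-line comment above `10_cleanup` stating which platform files it is meant to clear would make the intent reviewable.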
@@ -0,0 +1,105 @@
+files:
+ "/etc/nginx/nginx.pre":
+ mode: "000644"
+ owner: root
+ group: root
+ content: |
+ user nginx;
+ worker_processes auto;
+ error_log /var/log/nginx/error.log;
+ pid /var/run/nginx.pid;
+
+ events {
+ worker_connections 1024;
+ }
+
+ http {
+ port_in_redirect off;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ log_format healthd '$msec"$uri"$status"$request_time"$upstream_response_time"$http_x_forwarded_for';
+
+ access_log /var/log/nginx/access.log main;
+ sendfile on;
+ keepalive_timeout 65;
+
+ include /etc/nginx/mime.types;
+ include /etc/nginx/conf.d/*.conf;
+ }
+
+ "/etc/nginx/conf.d/http_custom.conf":
+ mode: "000644"
+ owner: root
+ group: root
+ content: |
+ server {
+ listen 8080;
+
+ location ~ /.well-known/ {
+ root /var/www/letsencrypt/;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ "/etc/nginx/conf.d/https_custom.pre":
+ mode: "000644"
+ owner: root
+ group: root
+ content: |
+ upstream nodejs {
+ server 127.0.0.1:5000;
+ keepalive 256;
+ }
+ server {
+ listen 443 ssl default;
+ server_name localhost;
+ error_page 497 https://$host$request_uri;
+
+ if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
+ set $year $1;
+ set $month $2;
+ set $day $3;
+ set $hour $4;
+ }
+
+ access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
+ access_log /var/log/nginx/access.log main;
+
+ location / {
+ proxy_pass http://nodejs;
+ proxy_set_header Connection "";
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+
+ gzip on;
+ gzip_comp_level 4;
+ gzip_types text/plain text/css application/json application/javascript 
application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ ssl_prefer_server_ciphers on;
+
+ if ($host ~* ^www\.(.*)) {
+ set $host_without_www $1;
+ rewrite ^(.*) https://$host_without_www$1 permanent;
+ }
+
+ if ($ssl_protocol = "") {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+ }
\ No newline at end of file
diff --git a/.ebextensions/03_container_commands.config b/.ebextensions/03_container_commands.config
new file mode 100644
index 000000000..72fa89190
--- /dev/null
+++ b/.ebextensions/03_container_commands.config
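Review bot: In the `location /` of `https_custom.pre`, `proxy_set_header Connection "Upgrade"` overrides the earlier `proxy_set_header Connection ""` at the same level, so every proxied request reaches Node with `Connection: Upgrade` even when the client never asked for a WebSocket, which defeats the `keepalive 256` pool and can confuse the upstream; the usual fix is a `map $http_upgrade $connection_upgrade` block and a single `Connection $connection_upgrade`. The app is also never told it is behind TLS — no `X-Forwarded-Proto` is set here, whereas the removed Apache config sent `X-Forwarded-Proto "https"` — and the `Strict-Transport-Security`, `X-Frame-Options` and `X-Content-Type-Options` headers from that config were dropped as well. `ssl_protocols TLSv1.1 TLSv1.2;` should become `ssl_protocols TLSv1.2;` (TLS 1.1 is deprecated by RFC 8996; add TLSv1.3 if the platform's nginx/OpenSSL supports it). Minor: `$year`/`$month`/`$day`/`$hour` are only defined when the `$time_iso8601` regex matches, and the `error_page 497` / `$ssl_protocol` rewrite is redundant on a server that only has `listen 443 ssl`. The rewritten `content:` of `https_custom.pre` would look like this:

```nginx
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      '';
}
# … unchanged: upstream nodejs, listen, server_name, error_page, healthd variables, access_log …

  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
  add_header X-Frame-Options DENY always;
  add_header X-Content-Type-Options nosniff always;

  location / {
    proxy_pass http://nodejs;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
# … unchanged: gzip, ssl_certificate, ssl_certificate_key, ssl_session_timeout …
  ssl_protocols TLSv1.2;
# … unchanged: ssl_ciphers, ssl_prefer_server_ciphers, www rewrite …
```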
@@ -0,0 +1,45 @@
+container_commands:
+ 10_setup_nginx:
+ command: |
+ sudo rm -f /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf
+ sudo rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
+
+ sudo rm -f /tmp/deployment/config/#etc#nginx#nginx.conf
+ sudo rm -f /etc/nginx/nginx.conf
+
+ sudo mv /etc/nginx/nginx.pre /etc/nginx/nginx.conf
+
+ sudo service nginx stop
+ sudo service nginx start
+ 20_install_certbot:
+ command: |
+ wget https://dl.eff.org/certbot-auto
+ mv certbot-auto /usr/local/bin/certbot-auto
+ chown root /usr/local/bin/certbot-auto
+ chmod 0755 /usr/local/bin/certbot-auto
+ 30_create_webroot_path:
+ command: |
+ sudo rm -rf /var/www/letsencrypt/
+ sudo mkdir /var/www/letsencrypt/
+ 40_configure_cert:
+ command: |
+ certbot_command="/usr/local/bin/certbot-auto certonly --webroot --webroot-path /var/www/letsencrypt --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos --expand --keep-until-expiring"
+ for domain in $(echo ${LETSENCRYPT_DOMAINS} | sed "s/,/ /g")
+ do
+ certbot_command="$certbot_command --domains $domain"
+ done
+ eval $certbot_command
+ 50_link_cert:
+ command: |
+ domain="$( cut -d ',' -f 1 <<< "${LETSENCRYPT_DOMAINS}" )";
+ if [ -d /etc/letsencrypt/live ]; then
+ domain_folder_name="$(ls /etc/letsencrypt/live | sort -n | grep $domain | head -1)";
+ if [ -d /etc/letsencrypt/live/${domain_folder_name} ]; then
+ ln -sfn /etc/letsencrypt/live/${domain_folder_name} /etc/letsencrypt/live/ebcert
+ fi
+ fi
+ 60_enable_https_config:
+ command: |
+ sudo mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf
+ sudo service nginx stop
+ sudo service nginx start
\ No newline at end of file
diff --git a/.ebextensions/04_configdeploy_post_hooks.config b/.ebextensions/04_configdeploy_post_hooks.config
new file mode 100644
index 000000000..1574f6ee3
--- /dev/null
+++ b/.ebextensions/04_configdeploy_post_hooks.config
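Review bot: `20_install_certbot` fetches `https://dl.eff.org/certbot-auto` with plain `wget` and installs it as a root-owned, root-executed program without checking the detached signature EFF publishes next to it or a pinned checksum, so the integrity of code that will run as root rests entirely on one TLS connection at deploy time; since `01_setup.config` already installs `epel-release`, the simplest fix is `yum install -y certbot` (yum verifies package signatures), otherwise fetch `certbot-auto.asc` and `gpg --verify` it before the `mv`. To my knowledge certbot-auto has since been deprecated upstream, so this step is likely to stop working outright — worth confirming. In `40_configure_cert`, assembling a command string and running it through `eval` means shell metacharacters in `LETSENCRYPT_EMAIL` or `LETSENCRYPT_DOMAINS` are interpreted; an argument array (bash is already assumed by the `<<<` in `50_link_cert`) avoids that and the unquoted `${LETSENCRYPT_EMAIL}`. In `50_link_cert`, `grep $domain` is an unanchored regex, so `example.com` also matches `example.com-0001` or `myexample.com`; use `grep -Fx -- "$domain"` and quote `"${domain_folder_name}"` in the `-d` test and the `ln`.

```yaml
  # … unchanged: 10_setup_nginx, 20_install_certbot, 30_create_webroot_path …
  40_configure_cert:
    command: |
      args=(certonly --webroot --webroot-path /var/www/letsencrypt --debug --non-interactive --email "${LETSENCRYPT_EMAIL}" --agree-tos --expand --keep-until-expiring)
      IFS=',' read -ra domains <<< "${LETSENCRYPT_DOMAINS}"
      for domain in "${domains[@]}"; do args+=(--domains "$domain"); done
      /usr/local/bin/certbot-auto "${args[@]}"
  # … unchanged: 50_link_cert, 60_enable_https_config …
```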
@@ -0,0 +1,11 @@
+files:
+ # Elastic Beanstalk recreates the default configuration during every configuration deployment
+ "/opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh":
+ mode: "000755"
+ owner: root
+ group: root
+ content: |
+ #!/bin/bash -xe
+ rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
+ service nginx stop
+ service nginx start
\ No newline at end of file
diff --git a/.ebextensions/05_cron.config b/.ebextensions/05_cron.config
new file mode 100644
index 000000000..1c049b8ed
--- /dev/null
+++ b/.ebextensions/05_cron.config
@@ -0,0 +1,8 @@
+files:
+ # Cron to renew cert
+ "/etc/cron.d/certbot_renew":
+ mode: "000644"
+ owner: root
+ group: root
+ content: |
+ @weekly root /usr/local/bin/certbot-auto renew
\ No newline at end of file
diff --git a/.ebextensions/https-instance-securitygroup.config b/.ebextensions/https-instance-securitygroup.config
deleted file mode 100644
index de5657dde..000000000
--- a/.ebextensions/https-instance-securitygroup.config
+++ /dev/null
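Review bot: `99_kill_default_nginx.sh` runs `service nginx stop` then `service nginx start` under `bash -xe` without validating the configuration first, so if whatever is left in `conf.d` fails to parse, the script aborts after `stop` and the instance is left with no proxy at all; `nginx -t && service nginx reload` keeps the running workers serving until the new config is known good and avoids dropping in-flight connections on every configuration deployment (the same stop/start pairs appear in `03_container_commands.config`). The hook removes only `00_elastic_beanstalk_proxy.conf`; if the platform also regenerates `/etc/nginx/nginx.conf` on a configuration deployment — which `03_container_commands.config` deleting `#etc#nginx#nginx.conf` from the staging directory suggests, though I cannot confirm it from this diff — the custom `nginx.pre`-derived `nginx.conf` would be overwritten and this hook would not restore it. The comment above the file key would be more useful if it named the dependency, e.g. `# Re-applied after every configdeploy because EB rewrites the proxy config; keep in sync with 03_container_commands.config`.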
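Review bot: `@weekly root /usr/local/bin/certbot-auto renew` in `certbot_renew` renews the certificate on disk but never tells nginx, which keeps the old certificate loaded from the `ebcert` symlink until something restarts it — and the only restarts in this change happen during deploys, so a renewed certificate can sit unused until the old one expires. Add a deploy hook so nginx picks it up: `@weekly root /usr/local/bin/certbot-auto renew --deploy-hook "service nginx reload"`. Note that `renew` does not refresh the `ebcert` symlink created by `50_link_cert`, so if certbot ever writes a new `-0001` lineage the link would also need updating. Certbot's own packaged cron runs renewal more often than weekly with a random delay; weekly is workable but leaves a longer gap after a failed attempt.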
@@ -1,72 +0,0 @@ -packages: - yum: - mod24_ssl : [] - -files: - "/etc/httpd/conf.d/ssl_rewrite.conf": - mode: "000644" - owner: root - group: root - content: | - RewriteEngine On - RewriteCond %{HTTP:X-Forwarded-Proto} !https - RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301] - - /etc/httpd/conf.d/ssl.conf: - mode: "000644" - owner: root - group: root - content: | - LoadModule ssl_module modules/mod_ssl.so - Listen 443 - - - Order deny,allow - Allow from all - - - SSLEngine on - SSLCertificateFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/fullchain.pem" - SSLCertificateKeyFile "/etc/letsencrypt/live/LETSENCRYPT_DOMAIN/privkey.pem" - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLProtocol All -SSLv2 -SSLv3 - SSLHonorCipherOrder On - SSLSessionTickets Off - - Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" - Header always set X-Frame-Options DENY - Header always set X-Content-Type-Options nosniff - - ProxyPass / http://localhost:80/ retry=0 - ProxyPassReverse / http://localhost:80/ - ProxyPreserveHost on - RequestHeader set X-Forwarded-Proto "https" early - - - "/opt/elasticbeanstalk/tasks/taillogs.d/letsencrypt.conf": - mode: "000755" - owner: root - group: root - content: | - /var/log/letsencrypt/letsencrypt.log - -container_commands: -# installs certbot - 10_stop_apache: - command: "killall httpd ; sleep 3" - 10_replace_placeholders: - command: | - source /opt/elasticbeanstalk/support/envvars - SED_EXPRESSION='s/LETSENCRYPT_DOMAIN/'$LETSENCRYPT_DOMAIN'/g' - echo $SED_EXPRESSION - sed -i -e $SED_EXPRESSION /etc/httpd/conf.d/ssl.conf - 20_install_certbot: - command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto" - 30_install_certificate: - command: | - source /opt/elasticbeanstalk/support/envvars - sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${LETSENCRYPT_EMAIL} --agree-tos 
--standalone -d "$LETSENCRYPT_DOMAIN" -d "www.$LETSENCRYPT_DOMAIN" --renew-by-default - 40_start_apache: - command: | - source /opt/elasticbeanstalk/support/envvars - sudo httpd -k start \ No newline at end of file diff --git a/.ebextensions/proxy.config b/.ebextensions/proxy.config deleted file mode 100644 index 78ea5e2a1..000000000 --- a/.ebextensions/proxy.config +++ /dev/null @@ -1,55 +0,0 @@ -files: - /etc/nginx/conf.d/proxy.conf: - mode: "000644" - owner: root - group: root - content: | - upstream nodejs { - server 127.0.0.1:5000; - keepalive 256; - } - - server { - listen 8080; - - if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") { - set $year $1; - set $month $2; - set $day $3; - set $hour $4; - } - access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd; - access_log /var/log/nginx/access.log main; - - location / { - proxy_pass http://nodejs; - proxy_set_header Connection ""; - proxy_http_version 1.1; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - - gzip on; - gzip_comp_level 4; - gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - location /static { - alias /var/app/current/static; - } - - } - - /opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh: - mode: "000755" - owner: root - group: root - content: | - #!/bin/bash -xe - rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf - service nginx stop - service nginx start - -container_commands: - removeconfig: - command: "rm -f /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf" \ No newline at end of file