AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)
AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Terminating HTTPS on EC2 Instances Running Go

For Go container types, you enable HTTPS with a configuration file and an nginx configuration file that configures the nginx server to use HTTPS.

Add the following snippet to your configuration file, replacing the certificate and private key placeholders as instructed, and save it in your source bundle's .ebextensions directory. The configuration file performs the following tasks:

  • The Resources key enables port 443 on the security group used by your environment's instance.

  • The files key creates the following files on the instance:


    Creates the certificate file on the instance. Replace certificate file contents with the contents of your certificate.


    YAML relies on consistent indentation. Match the indentation level when replacing content in an example configuration file and make sure that your text editor uses spaces, not tab characters, to indent.

    If you have intermediate certificates, include them in server.crt after your site certificate:

          -----BEGIN CERTIFICATE-----
      certificate file contents
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      first intermediate certificate
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      second intermediate certificate
      -----END CERTIFICATE-----

    Creates the private key file on the instance. Replace private key contents with the contents of the private key used to create the certificate request or self-signed certificate.

  • The container_commands key restarts the nginx server after everything is configured so that the server loads the nginx configuration file.

Example .ebextensions/https-instance.config

    content: |
      -----BEGIN CERTIFICATE-----
      certificate file contents
      -----END CERTIFICATE-----
    content: |      
      -----BEGIN RSA PRIVATE KEY-----
      private key contents # See note below.
      -----END RSA PRIVATE KEY-----

    command: "service nginx restart"


Avoid commiting a configuration file that contains your private key to source control. After you have tested the configuration and confirmed that it works, store your private key in Amazon S3 and modify the configuration to download it during deployment. For instructions, see Storing Private Keys Securely in Amazon S3.

Place the following in a file with the .conf extension in the .ebextensions/nginx/conf.d/ directory of your source bundle (e.g., .ebextensions/nginx/conf.d/https.conf). Replace app_port with the port number that your application listens on. This example configures the nginx server to listen on port 443 using SSL. For more information about these configuration files on the Go platform, see Configuring the Reverse Proxy.

Example .ebextensions/nginx/conf.d/https.conf

# HTTPS server

server {
    listen       443;
    server_name  localhost;
    ssl                  on;
    ssl_certificate      /etc/pki/tls/certs/server.crt;
    ssl_certificate_key  /etc/pki/tls/certs/server.key;
    ssl_session_timeout  5m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
    location / {
        proxy_pass  http://localhost:app_port;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

In a single instance environment, you must also modify the instance's security group to allow traffic on port 443. The following configuration file retrieves the security group's ID using an AWS CloudFormation function and adds a rule to it:

Example .ebextensions/https-instance-single.config

    Type: AWS::EC2::SecurityGroupIngress
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443

For a load balanced environment, you configure the load balancer to either pass secure traffic through untouched, or decrypt and re-encrypt for end-to-end encryption.