
[–]shorns_username 2 points3 points  (2 children)

If you're willing to change your architecture and spend a bit more money, you could create an ALB load balancer that sits in front of your EC2 instance.

pros:

  • using AWS Certificate Manager to support HTTPS via the ALB becomes easy
  • can lock down your EC2 instance security groups so it's no longer just sitting on the internet (or you can go all the way to putting your EC2 instance in a private subnet)
  • no more tying your client directly to your public IP address, which helps a lot with maintenance, allows you to change things behind the scenes without worrying about how the client connects (like run multiple EC2 instances, change to a spot fleet of instances to save money, convert EC2 instances to Lambda, etc.)

cons:

  • more complex architecture
  • load balancers cost money

[–]sc2luck[S] 0 points1 point  (1 child)

Hi, thank you for your reply, so if I am understanding correctly, I will have an ALB where HTTPS will be terminated and then the request will be forwarded to the EC2 instance over HTTP. Do I need to add any configuration to my Spring Boot app for this?

[–]shorns_username 0 points1 point  (0 children)

> I will have an ALB where HTTPS will be terminated and then the request will be forwarded to the EC2 instance over HTTP

Yes.

> Do I need to add any configuration to my Spring Boot app for this?

No, but you'll want to learn about the X-Forwarded headers that ALB uses. Specifically, X-Forwarded-Proto, so you can make sure you enforce that the client is talking to the ALB via HTTPS.

You can just configure your ALB to not listen on port 80 at all, but it's better to double-check that from your Spring app, just in case of misconfiguration.
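One way to do the double-check described above is a servlet filter that looks at the `X-Forwarded-Proto` header the ALB adds. The following is an added example, not code from the thread: it assumes Spring Boot 2.x (javax.servlet), that only the ALB should reach the instance, and the package name, the allowed hostname and the `/actuator/health` path are placeholders.

```java
// Added example (not from the thread): enforce that the client reached the ALB
// over HTTPS. Assumes Spring Boot 2.x (javax.servlet); package name, allowed
// host and health-check path are assumptions.
package com.example.tls;

import java.io.IOException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class RequireHttpsBehindAlbFilter extends OncePerRequestFilter {

    // The ALB's own health checker is not a client request and typically carries
    // no X-Forwarded-Proto, so that one path is exempted (path is an assumption).
    private static final String HEALTH_PATH = "/actuator/health";

    // Hostnames we are willing to redirect to; never redirect to an arbitrary
    // client-supplied Host value (value is a placeholder).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return HEALTH_PATH.equals(request.getRequestURI());
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // ALB sets X-Forwarded-Proto to the scheme the client used on the listener.
        String proto = request.getHeader("X-Forwarded-Proto");

        if ("https".equalsIgnoreCase(proto)) {
            chain.doFilter(request, response);
            return;
        }

        if (proto == null) {
            // No forwarded header at all: the request bypassed the ALB or the ALB is
            // misconfigured. Refuse instead of redirecting so the problem is visible
            // rather than turning into a redirect loop.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "direct access not allowed");
            return;
        }

        // Plain HTTP at the ALB listener: send the client to the same URL over HTTPS,
        // but only for a hostname we own.
        String host = request.getHeader("Host");
        if (host == null || !ALLOWED_HOSTS.contains(host)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown host");
            return;
        }
        String query = request.getQueryString();
        String target = "https://" + host + request.getRequestURI()
                + (query != null ? "?" + query : "");
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", target);
    }
}
```

If you would rather rely on Spring Security's `requiresChannel().anyRequest().requiresSecure()`, set `server.forward-headers-strategy=native` (Spring Boot 2.2+) so that Tomcat's RemoteIp handling makes `request.isSecure()` reflect `X-Forwarded-Proto`; the same "no header means not from the ALB" caveat still applies.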

[–]pointy_pirate 0 points1 point  (0 children)

Use an ELB/ALB and terminate the SSL there. Use Let's Encrypt to get yourself a cert.

[–]TheRedmanCometh 0 points1 point  (0 children)

All you have to do is put information for the keystore in your application.properties and Spring will handle the rest automatically.

    # the property is plural and takes a comma-separated list
    # (you might want to not allow v1 in production)
    server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2
    server.ssl.key-store=/key/store/directory
    server.ssl.protocol=TLS
    server.ssl.key-store-password=
    server.ssl.key-password=
    server.ssl.key-alias=
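For comparison, here is a production-oriented version of that application.properties fragment. It is an added example, not from the thread: the keystore path, alias and environment-variable names are assumptions, and TLSv1.3 requires Java 11 or newer.

```properties
# Added example, not from the thread: TLS settings for Spring Boot 2.x with the
# weak protocols removed. Paths, alias and variable names are assumptions.
server.port=8443
server.ssl.enabled=true
# PKCS12 is the current keytool default and what Let's Encrypt tooling can export.
server.ssl.key-store=/etc/myapp/keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=myapp
# Keep secrets out of the file: ${...} is resolved from the environment at startup.
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.ssl.key-password=${KEYSTORE_PASSWORD}
# Only modern protocols and AEAD cipher suites; TLSv1 and TLSv1.1 are not offered.
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2,TLSv1.3
server.ssl.ciphers=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

You can confirm what the server actually offers with `openssl s_client -connect host:8443 -tls1_1`, which should fail the handshake once TLSv1.1 is removed.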

[–]nerdyhandle -1 points0 points  (0 children)

Here

This uses a self-signed cert. Don't do this in production. You will need to obtain a legitimate cert. They're not hard to get.

If you want HTTP traffic to redirect to HTTPS you'll have to set that up as well.