---
type: article
wp_id: 725
title: 'HTTPS on Amazon Linux with Nginx'
date: '2021-10-02T19:58:23'
slug: 'https-on-amazon-linux-with-nginx'
image:
name: 'https-on-amazon-linux-with-nginx.png'
width: 6912
height: 3456
status: 'published'
description: 'Learn how to setup an Amazon Linux 2 EC2 instance with nginx to accept HTTPS requests. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt Setup First you need to create a new amazon linux 2 ec2 instance with Nginx installed. You can follow one of these videos to get started: Nginx Reverse Proxy on AWS EC2 Amazon Linux 2: https://youtu.be/\_EBARqreeao Setting Up \[…\]'
tags: ['aws', 'cloud computing', 'https', 'nginx', 'ssl', 'tls']
previousPostSlug: 'aws-route-53-domain-name'
nextPostSlug: 'aws-cli'
---
Learn how to set up an Amazon Linux 2 EC2 instance with nginx to accept HTTPS requests.
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt)
## Setup
First you need to create a new Amazon Linux 2 EC2 instance with nginx installed. You can follow this video to get started: [Nginx Reverse Proxy on AWS EC2 Amazon Linux 2](https://youtu.be/_EBARqreeao). Or install and enable nginx from the amazon-linux-extras repository directly:
```shell
sudo amazon-linux-extras install nginx1 -y
sudo systemctl enable nginx
sudo systemctl start nginx
```
## DNS
Make sure you have a domain name pointed at the EC2 instance's IP address, and that you can reach the instance on port 80 using that domain name.
Before continuing, stop the nginx service so that certbot can bind to port 80 itself for the standalone challenge:
```shell
sudo systemctl stop nginx
```
## Certbot
Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates on manually-administrated websites to enable HTTPS.
* https://certbot.eff.org/about/
In short, certbot is some software that makes setting up a TLS certificate incredibly easy.
Install certbot on the EC2 instance:
```shell
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo yum install -y certbot
sudo yum install -y python-certbot-nginx
```
Run the following command to set up a TLS certificate for your domain name:
```shell
sudo certbot certonly --standalone --debug -d your.domain.here
```
Replace `your.domain.here` with your actual domain or subdomain.
Once you've gone through all of the steps, you should end up with two files in the `/etc/letsencrypt/live/your.domain` directory (again, replace `your.domain` with the domain name you actually used):
* `/etc/letsencrypt/live/your.domain/privkey.pem`
* `/etc/letsencrypt/live/your.domain/fullchain.pem`
These files are the private key (`privkey.pem`) and the server certificate together with its intermediate chain (`fullchain.pem`) needed to create a secure connection with this server. Keep `privkey.pem` readable by root only; the nginx master process runs as root and reads it when the service starts. Now we just need to tell nginx to use these when an HTTPS request comes in.
Modify the `/etc/nginx/nginx.conf` file to allow requests on port 443. You can just uncomment the final part of this file and adjust the settings for:
* `ssl_certificate "/etc/letsencrypt/live/your.domain/fullchain.pem";`
* `ssl_certificate_key "/etc/letsencrypt/live/your.domain/privkey.pem";`
* `ssl_protocols TLSv1.2 TLSv1.3;`
* `ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;`
Make sure you replace `your.domain` with your actual domain name. Your final server block for port 443 might look something like this:
```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your.domain;

    # Certificate chain and private key issued by certbot above
    ssl_certificate "/etc/letsencrypt/live/your.domain/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/your.domain/privkey.pem";

    # Only TLS 1.2 and 1.3; the cipher list is the one from the stock nginx.conf
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;

    # Forward the decrypted requests to the backend application
    location / {
        proxy_pass http://1.1.1.1:4000;
    }
}
```
Then adjust the port 80 server block to forward HTTP requests to HTTPS requests.
```nginx
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
```
Restart nginx and test that you can now connect using HTTPS.
```shell
sudo systemctl restart nginx
```
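Before calling the setup done, it is worth checking that the config actually says what the steps above intended. The script below is an added example, not part of the original post: it lints an nginx config for the directives discussed here (protocol list, cipher list, the HTTP to HTTPS redirect, and that the certificate and key paths are readable) and, when given a host name, probes the live server with `curl` and `openssl s_client`. The `write_sample_config` helper writes a constructed copy of the post's two server blocks so the checks can be tried without a real instance; the file and host arguments are whatever you pass in. Note that the cipher list carried over from the stock `nginx.conf` still permits `DH+3DES`, so the cipher check reports it.

```shell
#!/bin/sh
# Added example, not part of the original post: lint the nginx server blocks
# built above and optionally probe the live host. Assumes POSIX sh with grep,
# sed and tr; curl and openssl are needed only by probe_live.

# Value of the first occurrence of directive $2 in config $1 (text up to ';').
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# 0 if ssl_protocols offers only TLSv1.2 and/or TLSv1.3.
check_protocols() {
    protos=$(directive_value "$1" ssl_protocols)
    [ -n "$protos" ] || { echo "missing ssl_protocols"; return 1; }
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) echo "legacy protocol enabled: $p"; return 1 ;;
        esac
    done
}

# 0 if no 3DES/RC4/NULL/MD5/EXPORT suite is still permitted. Tokens starting
# with '!' are exclusions. The stock list used in the post keeps DH+3DES, so
# it fails here; a list such as ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5 passes.
check_ciphers() {
    ciphers=$(directive_value "$1" ssl_ciphers)
    [ -n "$ciphers" ] || { echo "missing ssl_ciphers"; return 1; }
    bad=0
    for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$tok" in
            !*) ;;
            *3DES*|*RC4*|*NULL*|*MD5*|*EXPORT*) echo "weak suite permitted: $tok"; bad=1 ;;
        esac
    done
    return $bad
}

# 0 if a server block answers plain HTTP with a 301 to https://.
check_redirect() {
    grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$1"
}

# 0 if the certificate and key the config points at exist and are readable.
check_cert_files() {
    cert=$(directive_value "$1" ssl_certificate | tr -d '"')
    key=$(directive_value "$1" ssl_certificate_key | tr -d '"')
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    [ -r "$key" ] || { echo "private key not readable: $key"; return 1; }
}

# Live check (needs network): the :80 redirect is present and a TLS 1.2
# handshake against the served chain verifies cleanly.
probe_live() {
    curl -sI "http://$1/" | grep -qi '^location: https://' \
        || { echo "no HTTPS redirect on :80"; return 1; }
    openssl s_client -connect "$1:443" -servername "$1" -tls1_2 </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)' \
        || { echo "TLS handshake or chain verification failed"; return 1; }
}

# Constructed sample mirroring the post's two server blocks: $1 output path,
# $2 directory holding fullchain.pem/privkey.pem, $3 optional cipher list.
write_sample_config() {
    default_ciphers='ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5'
    ciphers=${3:-$default_ciphers}
    cat > "$1" <<EOF
server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl http2;
    server_name your.domain;
    ssl_certificate "$2/fullchain.pem";
    ssl_certificate_key "$2/privkey.pem";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers $ciphers;
}
EOF
}

# Usage: sh tls_check.sh /etc/nginx/nginx.conf [your.domain]
if [ "$#" -gt 0 ]; then
    status=0
    for c in check_protocols check_ciphers check_redirect check_cert_files; do
        "$c" "$1" && echo "ok: $c" || status=1
    done
    if [ -n "$2" ]; then probe_live "$2" && echo "ok: probe_live" || status=1; fi
    exit $status
fi
```

Run it as `sudo sh tls_check.sh /etc/nginx/nginx.conf your.domain` on the instance after the restart; `sudo` is only needed so that `check_cert_files` can read `privkey.pem`. Each check is a separate function that returns non-zero on a finding, so they can be dropped into a deploy pipeline one at a time.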