From 37b9d5e61d1e1011f7c6525aa243867134122488 Mon Sep 17 00:00:00 2001
From: Ismail Moghul
Date: Thu, 15 Oct 2020 00:08:09 +0100
Subject: [PATCH] add self-signed https between LB + Web servers within the VPC (#202)
---
 .../https-instance-securitygroup.config | 9 +++++++
 .elasticbeanstalk/config.yml | 6 ++---
 .../postdeploy/01_install_ssl_certificates.sh | 22 ++++++++++++++++
 .platform/nginx/conf.d/webapp-ssl.pre | 25 +++++++++++++++++++
 4 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 .ebextensions/https-instance-securitygroup.config
 create mode 100755 .platform/hooks/postdeploy/01_install_ssl_certificates.sh
 create mode 100644 .platform/nginx/conf.d/webapp-ssl.pre
diff --git a/.ebextensions/https-instance-securitygroup.config b/.ebextensions/https-instance-securitygroup.config
new file mode 100644
index 00000000..ee8a8d34
--- /dev/null
+++ b/.ebextensions/https-instance-securitygroup.config
@@ -0,0 +1,9 @@
+Resources:
+ sslSecurityGroupIngress:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
+ IpProtocol: tcp
+ ToPort: 443
+ FromPort: 443
+ CidrIp: 0.0.0.0/0
diff --git a/.elasticbeanstalk/config.yml b/.elasticbeanstalk/config.yml
index 55bad8a8..98da696f 100644
--- a/.elasticbeanstalk/config.yml
+++ b/.elasticbeanstalk/config.yml
@@ -1,10 +1,10 @@
 branch-defaults:
 prod-live:
- environment: Phenopolis-prod
+ environment: phenopolis-production-live
 dev-live:
- environment: Phenopolisapi-dev-env
+ environment: phenopolis-development-live
 environment-defaults:
- Phenopolis-prod:
+ phenopolis-production-live:
 branch: null
 repository: null
 global:
diff --git a/.platform/hooks/postdeploy/01_install_ssl_certificates.sh b/.platform/hooks/postdeploy/01_install_ssl_certificates.sh
new file mode 100755
index 00000000..a17482fb
--- /dev/null
+++ b/.platform/hooks/postdeploy/01_install_ssl_certificates.sh
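Review bot: `CidrIp: 0.0.0.0/0` on the `AWSEBSecurityGroup` ingress rule opens port 443 on the instances to every address, while the commit title scopes this HTTPS leg to LB-to-web traffic inside the VPC; any instance reachable from outside the VPC would then serve the self-signed listener directly, bypassing the load balancer. Scope the rule to the load balancer instead, e.g. replace the `CidrIp` line with `SourceSecurityGroupId: {"Fn::GetAtt": ["AWSEBLoadBalancerSecurityGroup", "GroupId"]}`, or to the VPC CIDR if the environment uses a shared load-balancer security group that this stack does not create. The rule's `Properties` are only readable here if the YAML indentation lost in this rendering is restored on the real file.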
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -f "/etc/pki/tls/certs/server-key.pem" ]; then
+ echo '/etc/pki/tls/certs/server-key.pem already exists'
+else
+ openssl req -x509 -sha256 -nodes -newkey rsa:4096 -days 365 \
+ -keyout /etc/pki/tls/certs/server-key.pem \
+ -out /etc/pki/tls/certs/server-cert.pem \
+ -subj "/C=GB/ST=London/L=London/O=Phenopolis/OU=Org/CN=api-live.phenopolis.org"
+fi
+
+if [ -f "/etc/nginx/conf.d/webapp-ssl.conf" ]; then
+ echo '/etc/nginx/conf.d/webapp-ssl.conf already exists'
+else
+ mv /etc/nginx/conf.d/webapp-ssl.pre /etc/nginx/conf.d/webapp-ssl.conf
+fi
+
+echo "Restarting nginx"
+nginx -t
+nginx -s reload
diff --git a/.platform/nginx/conf.d/webapp-ssl.pre b/.platform/nginx/conf.d/webapp-ssl.pre
new file mode 100644
index 00000000..01cfd7de
--- /dev/null
+++ b/.platform/nginx/conf.d/webapp-ssl.pre
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ server_name _ localhost; # need to listen to localhost for worker tier
+
+ ssl_certificate /etc/pki/tls/certs/server-cert.pem;
+ ssl_certificate_key /etc/pki/tls/certs/server-key.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ proxy_http_version 1.1;
+
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ gzip_static on;
+ gzip on;
+ }
+}
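Review bot: The first guard keys only on the private key existing, so the certificate issued with `-days 365` is never regenerated once it expires, and a missing or corrupt `server-cert.pem` next to an existing key is also left alone; with `set -e` the hook would then only fail at `nginx -t` if at all. Checking the certificate's validity window instead lets the hook roll the pair before expiry: `if [ -f "/etc/pki/tls/certs/server-key.pem" ] && openssl x509 -checkend 2592000 -noout -in /etc/pki/tls/certs/server-cert.pem; then`, where 2592000 seconds (30 days) is a constructed example threshold. Whether an expired backend certificate is noticed depends on the load balancer type and on the worker-tier localhost client; an ALB presumably does not validate backend certificates, so the failure mode may be silent rather than an outage, which is worth confirming.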
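Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables two deprecated protocol versions on a listener whose only intended clients are the load balancer and the worker-tier localhost path, neither of which needs them, and no `ssl_ciphers` list is set so the cipher selection is whatever the platform's OpenSSL defaults to. `ssl_protocols TLSv1.2;` is sufficient here (add `TLSv1.3` only if the platform's nginx and OpenSSL support it), and an explicit `ssl_ciphers` line pinned to AEAD suites would make the policy visible in the repo rather than inherited. `proxy_set_header Connection $connection_upgrade;` also relies on a `map $http_upgrade $connection_upgrade` block in the http context that this file does not define; presumably the platform's nginx.conf provides it, but confirm, since otherwise the `nginx -t` in the postdeploy hook fails the deployment.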