# Zero to HTTPS: Secure Your AWS EC2 Website with CloudFront and ACM - A Step-by-Step Guide

## Introduction

In this guide, we'll walk through setting up HTTPS for a website served from an EC2 instance, using AWS Certificate Manager (ACM) for the certificate and CloudFront as the TLS-terminating CDN in front of the instance. This approach provides free, auto-renewing certificates, CDN caching, and a single entry point in front of the origin. One trade-off to keep in mind throughout: CloudFront terminates TLS at the edge and, as configured here, talks to the instance over plain HTTP, so the instance must be locked down so that only CloudFront can reach it (Step 6).

## Prerequisites

* A domain name (we'll use `example.com`)
* An AWS account
* An EC2 instance running your application, with Nginx installed and the application listening on localhost (this guide proxies ports 3000 and 8000)
* Basic understanding of DNS management

## Step 1: Request SSL Certificate from ACM

* Switch to the **US East (N. Virginia) us-east-1** region (important: CloudFront can only use ACM certificates that live in us-east-1, whatever region your EC2 instance runs in)
* Navigate to AWS Certificate Manager (ACM)
* Click "Request Certificate" and choose "Public certificate"
* Add your domains:  
    `example.com`  
    `www.example.com`
* Choose "DNS validation" (unlike email validation, it lets ACM renew the certificate automatically for as long as the validation records stay in DNS)
* After requesting, ACM shows a CNAME record for each domain name to add to your DNS. The record name is a hostname under your domain that starts with an underscore, and the value points under `acm-validations.aws`:  
    `CNAME a1b2c3... -> validation1.acm-validations.aws`  
    `CNAME d4e5f6... -> validation2.acm-validations.aws`

## Step 2: Configure DNS Records

In your domain registrar's DNS settings:

* Add the validation CNAME records from ACM:  
    `Type: CNAME Name: a1b2c3... (from ACM)`  
    `Value: validation1.acm-validations.aws (from ACM)`  
    `TTL: 300`

    `Type: CNAME Name: d4e5f6... (from ACM)`  
    `Value: validation2.acm-validations.aws (from ACM)`  
    `TTL: 300`

    Copy the name and value exactly as ACM shows them. Two things commonly break validation: many registrar panels append your zone name to whatever you type into the "Name" field, so enter only the part in front of `.example.com`; and whether the value needs a trailing dot depends on the provider. If the certificate is still "Pending validation" after an hour, re-check the records rather than requesting a new certificate.
* Wait for certificate validation (usually 5-10 minutes; the status in ACM changes from "Pending validation" to "Issued")
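Before waiting on validation, it is worth checking that what landed in the zone is exactly what ACM asked for, since a registrar UI that appends the zone name, or a mismatched target, is the usual reason a certificate sits in "Pending validation". The following Python script is an added example and not part of the original guide. The ACM records and zone records in it are constructed sample data in the shape of the `ResourceRecord` entries returned by ACM's `DescribeCertificate` API; a real run would substitute the records from the ACM console (or `aws acm describe-certificate`) and from your DNS provider's zone export.

```python
# Added example, not part of the original guide. Checks the CNAME records in
# your zone against the validation records ACM issued, entirely offline.

# Constructed sample in the shape of ACM's DescribeCertificate output
# (DomainValidationOptions[].ResourceRecord). Real names are long random
# labels; these are placeholders.
ACM_VALIDATION_RECORDS = [
    {"Name": "_a1b2c3.example.com.", "Type": "CNAME",
     "Value": "_d4e5f6.acm-validations.aws."},
    {"Name": "_g7h8i9.www.example.com.", "Type": "CNAME",
     "Value": "_j0k1l2.acm-validations.aws."},
]

# Constructed sample of what a registrar's DNS panel holds afterwards. The
# second record shows the classic mistake: the UI appended the zone name to a
# name that was already fully qualified.
ZONE_RECORDS = [
    {"name": "_a1b2c3.example.com", "type": "CNAME",
     "value": "_d4e5f6.acm-validations.aws"},
    {"name": "_g7h8i9.www.example.com.example.com", "type": "CNAME",
     "value": "_j0k1l2.acm-validations.aws"},
]


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot; compare without either."""
    return name.strip().lower().rstrip(".")


def check_validation_records(acm_records, zone_records):
    """Return a list of (validation_name, problem) tuples; an empty list means all records match."""
    zone = {(normalize(r["name"]), r["type"].upper()): normalize(r["value"])
            for r in zone_records}
    problems = []
    for rec in acm_records:
        name = normalize(rec["Name"])
        rtype = rec["Type"].upper()
        value = normalize(rec["Value"])
        # ACM validation targets always live under acm-validations.aws; anything
        # else means the value was copied from the wrong place.
        if not value.endswith(".acm-validations.aws"):
            problems.append((name, "unexpected validation target %s" % value))
            continue
        found = zone.get((name, rtype))
        if found is None:
            # Look for the "zone name appended twice" mistake so the report
            # says what actually went wrong instead of just "missing".
            doubled = [n for (n, t) in zone if t == rtype and n.startswith(name + ".")]
            hint = (" (found %s; did the registrar append the zone name?)" % doubled[0]
                    if doubled else "")
            problems.append((name, "record missing" + hint))
        elif found != value:
            problems.append((name, "wrong target %s, expected %s" % (found, value)))
    return problems


if __name__ == "__main__":
    for name, problem in check_validation_records(ACM_VALIDATION_RECORDS, ZONE_RECORDS):
        print("%s: %s" % (name, problem))
```

Run against the constructed data, the first record passes and the second is reported as missing with the doubled name as the hint; once the zone record is corrected to `_g7h8i9.www.example.com`, the check returns an empty list.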
    

## Step 3: Set Up CloudFront Distribution

* Go to CloudFront in the AWS Console
* Create Distribution
* Configure origin:  
    `Origin Domain: Your-EC2-Public-DNS` (attach an Elastic IP to the instance first; the public DNS name of an instance without one changes every time it is stopped and started, which silently breaks the origin)  
    `Protocol: HTTP only` (CloudFront terminates TLS at the edge and connects to EC2 on port 80 in plain text; end-to-end encryption would need a certificate on the instance itself and "HTTPS only", which this guide does not cover)  
    `Origin Path: [leave empty]`  
    `Name: EC2-Origin`
* Configure the default cache behavior:  
    `Viewer Protocol Policy: Redirect HTTP to HTTPS` (otherwise visitors who type `http://` are served in the clear)  
    `Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE` (the `/api/` and `/socket.io/` routes proxied in Step 5 need more than GET)  
    `Cache Policy: CachingDisabled` for the dynamic paths, and an origin request policy that forwards viewer headers, cookies and query strings to the origin (the managed `AllViewerAndCloudFrontHeaders-2022-06` also forwards `CloudFront-Forwarded-Proto`, which Step 5 uses)
* Configure settings:  
    `Price Class: Choose based on your needs`  
    `Alternate Domain Names (CNAMEs):`
    * `example.com`
    * `www.example.com`

    `Custom SSL Certificate: Select your ACM certificate` (only certificates issued in us-east-1 appear in this list)  
    `Default Root Object: index.html (if applicable)`
* Wait for deployment (15-30 minutes)
    

## Step 4: Update DNS for CloudFront

Once the distribution status is "Deployed", add these records in your DNS settings:  
`Type: ALIAS/ANAME`  
`Name: @ (root domain)`  
`Value: your-distribution-domain.cloudfront.net`  
`TTL: 300`

`Type: CNAME`  
`Name: www`  
`Value: your-distribution-domain.cloudfront.net`  
`TTL: 300`

The root domain cannot be a plain CNAME, which is why it needs an ALIAS/ANAME record. In Route 53 this is an "A" record with "Alias" enabled and the CloudFront distribution as the target (add an "AAAA" alias too if IPv6 is enabled on the distribution). If your DNS provider supports neither ALIAS nor ANAME, the simplest fix is to host the zone in Route 53. Do not point DNS at the distribution before the certificate is "Issued" and attached, or visitors will get certificate errors in the meantime.

## Step 5: Configure Nginx on EC2

Update your Nginx configuration (`/etc/nginx/nginx.conf` on Amazon Linux; other distributions keep the `server` block under `/etc/nginx/conf.d/` or `sites-available/`). Replace the stock `server` block that listens on port 80 rather than adding a second one:

```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # ... default settings ...

    # CloudFront terminates TLS and reaches this server over plain HTTP, so
    # $scheme is always "http" here and would mislead the application about
    # the viewer's protocol (secure cookies, redirect URLs). When the origin
    # request policy forwards CloudFront-Forwarded-Proto, use it as the real
    # viewer scheme; otherwise fall back to $scheme.
    map $http_cloudfront_forwarded_proto $viewer_proto {
        default $scheme;
        https   https;
        http    http;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;

        # Front-end application
        location / {
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $viewer_proto;
        }

        # API: the trailing slash on proxy_pass strips the /api/ prefix,
        # so /api/users is forwarded to the backend as /users
        location /api/ {
            proxy_pass http://localhost:8000/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $viewer_proto;
        }

        # WebSocket upgrade for Socket.IO; no trailing slash here, so the
        # /socket.io/ path is passed through to the backend unchanged
        location /socket.io/ {
            proxy_pass http://localhost:8000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $viewer_proto;
            proxy_cache_bypass $http_upgrade;
        }
    }
}
```

Note that `X-Real-IP` and the last entry of `X-Forwarded-For` are the CloudFront edge's address, not the visitor's; CloudFront appends the viewer's IP to `X-Forwarded-For` before the request reaches Nginx, so the application must read the entry before the edge address if it needs the real client IP.

Test and reload Nginx:  
`sudo nginx -t`  
`sudo systemctl reload nginx`

## Step 6: EC2 Security Group Configuration

Restrict the instance's inbound rules so that only CloudFront can reach port 80:  
`Inbound Rules: Type: HTTP (80)`  
`Protocol: TCP`  
`Source: the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing`

Using the managed prefix list instead of pasting IP ranges means AWS keeps the rule current as CloudFront's edge addresses change. Remove any `0.0.0.0/0` rule for port 80 (and for 443, which is unused in this setup); otherwise anyone can bypass the distribution by connecting to the EC2 public DNS directly, skipping TLS and whatever protections you have configured at the edge.

One caveat: the prefix list covers every CloudFront distribution, not only yours, so it does not stop someone from fronting your origin with their own distribution. To make sure only your distribution is accepted, add a custom origin header with a secret value (for example `X-Origin-Verify`) under the origin's "Add custom header" setting in CloudFront, and reject requests at Nginx or in the application when that header is missing or wrong.
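As an added example (not from the original guide), here is that origin check in Python, written as WSGI middleware that would sit in front of the backend on port 8000 if it is a Python WSGI application. The `X-Origin-Verify` header name, the `ORIGIN_VERIFY_SECRET` environment variable and the request headers fed to `run_request` are assumptions for illustration. The block also shows how to recover the viewer's real scheme from `CloudFront-Forwarded-Proto`, since the hop from CloudFront to EC2 is plain HTTP, and why that header is only trusted after the secret has been verified.

```python
import hmac
import os

# Assumed: the same secret is configured on the CloudFront origin as a custom
# header named X-Origin-Verify and handed to the app via an environment
# variable. The fallback value is a constructed placeholder for this demo.
ORIGIN_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "constructed-demo-secret-change-me")


class CloudFrontOriginGuard:
    """WSGI middleware that only admits requests carrying the CloudFront custom header.

    A security group rule for the CloudFront managed prefix list keeps random
    internet hosts out, but that prefix list covers every CloudFront
    distribution, so anyone could front this origin with their own
    distribution. The shared secret header closes that gap.
    """

    def __init__(self, app, secret):
        self.app = app
        self.secret = secret.encode()

    def __call__(self, environ, start_response):
        presented = environ.get("HTTP_X_ORIGIN_VERIFY", "").encode()
        # Constant-time comparison so response timing does not leak the secret.
        if not hmac.compare_digest(presented, self.secret):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin check failed\n"]

        # CloudFront terminates TLS, so the edge-to-Nginx hop is plain HTTP and
        # a scheme derived from the socket would always say "http".
        # CloudFront-Forwarded-Proto carries the viewer's real scheme when the
        # origin request policy forwards it. It is only honoured here, after
        # the secret header proved the request came through CloudFront, so a
        # direct hit on the instance cannot spoof it.
        forwarded = environ.get("HTTP_CLOUDFRONT_FORWARDED_PROTO", "").lower()
        if forwarded in ("http", "https"):
            environ["wsgi.url_scheme"] = forwarded
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Minimal application that reports the scheme it believes the viewer used."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("scheme=%s\n" % environ["wsgi.url_scheme"]).encode()]


def run_request(headers, secret=ORIGIN_SECRET):
    """Drive the middleware with constructed request headers (no server needed).

    Returns (status, body) so the outcome can be inspected or asserted on.
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": "http"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(CloudFrontOriginGuard(demo_app, secret)(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Direct hit on the instance (no secret): rejected.
    print(run_request({}))
    # Request that came through your distribution over HTTPS: admitted,
    # and the app sees the viewer's real scheme.
    print(run_request({"X-Origin-Verify": ORIGIN_SECRET,
                       "CloudFront-Forwarded-Proto": "https"}))
```

Doing the same check in Nginx instead keeps unauthenticated requests away from the application entirely: an `if ($http_x_origin_verify != "...") { return 403; }` inside the `server` block, with the secret kept out of version control, is enough. Either way, rotate the secret by adding the new value at the origin first, then switching the CloudFront custom header, then removing the old value.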

## Benefits of This Setup

* **Free SSL/TLS certificates**
    * Public certificates from ACM cost nothing and renew automatically
    * No certificate files or renewal cron jobs to manage on the instance
* **CDN benefits**
    * Faster global content delivery from edge locations
    * Reduced origin server load for cacheable content
    * AWS Shield Standard DDoS protection, included with CloudFront at no extra cost
* **Security**
    * TLS between visitors and the edge, with plain HTTP redirected to HTTPS
    * The instance is reachable only through CloudFront once the security group is locked down as in Step 6
* **Scalability**
    * CloudFront's global edge locations absorb traffic spikes
    * Fewer requests reach the origin

## Troubleshooting

* **Certificate not validating**
    * Verify the CNAME records match ACM exactly (name and value, with no zone name appended twice by the registrar)
    * Ensure the certificate was requested in us-east-1
    * Check DNS propagation by querying the validation hostname from outside your own network
* **CloudFront not working**
    * Verify origin settings (the Elastic IP or public DNS, and HTTP on port 80)
    * Check that the EC2 security group allows the CloudFront prefix list on port 80
    * Confirm the DNS records point at the distribution domain
    * A 403 "The request could not be satisfied" page from CloudFront usually means the hostname you visited is not listed under Alternate Domain Names
* **HTTPS not working**
    * Verify the certificate status is "Issued" and it is attached to the distribution
    * Check that the viewer protocol policy is "Redirect HTTP to HTTPS"
    * Confirm DNS propagation; a cached old record may still point at the instance

## Maintenance

* **Certificate renewal**
    * ACM renews DNS-validated certificates automatically as long as the validation CNAME records stay in place, so do not delete them after issuance
    * No manual intervention needed otherwise
* **Security updates**
    * AWS manages the CloudFront edge; you remain responsible for patching the EC2 operating system, Nginx, and your application
* **Monitoring**
    * Use CloudWatch for metrics and alarms (for example the 5xx error rate at the origin)
    * Review CloudFront reports and, for investigations, enable standard access logs on the distribution

## Conclusion

This setup provides a secure and scalable way to serve your website over HTTPS. The combination of ACM, CloudFront, and EC2 gives you managed certificates and a CDN with very little ongoing maintenance.

Remember to:

* Keep your EC2 instance secure: only CloudFront should be able to reach it
* Monitor CloudFront metrics
* Regularly update your application
* Test HTTPS regularly, including that `http://` requests are redirected

## Additional Resources

* AWS CloudFront Documentation
    
* ACM Documentation
    
* Nginx Documentation
