Zero to HTTPS: Secure Your AWS EC2 Website with CloudFront and ACM - A Step-by-Step Guide

Introduction

In this guide, we'll walk through setting up HTTPS for your website using AWS Certificate Manager (ACM) and CloudFront in front of an EC2 instance. ACM issues the certificate at no cost and renews it, CloudFront terminates TLS at the edge and caches content, and the EC2 instance keeps serving plain HTTP behind it. Keep that last point in mind: in this design the hop from CloudFront to the instance is not encrypted, so the security of the setup depends on locking the origin down so that only CloudFront can reach it (Step 6).

Prerequisites

  • A domain name (we'll use example.com)

  • An AWS account

  • An EC2 instance running your application

  • Basic understanding of DNS management

Step 1: Request SSL Certificate from ACM

In the ACM console, switch to the us-east-1 (N. Virginia) region, since CloudFront can only use certificates issued there, and request a public certificate covering both example.com and www.example.com. Choose DNS validation. A wildcard name such as *.example.com does not cover the bare example.com, so list both names explicitly.

Step 2: Configure DNS Records

In your domain registrar's DNS settings, add the CNAME validation record that ACM shows for each name on the certificate (both the record name and its value are ACM-generated strings under your domain; copy them exactly). ACM polls for these records and moves the certificate to Issued once it finds them; how long that takes depends on DNS propagation.

Step 3: Set Up CloudFront Distribution

  • Go to CloudFront in AWS Console

  • Create Distribution

  • Configure origin:
    Origin Domain: Your-EC2-Public-DNS (an instance's public DNS name changes every time it is stopped and started unless an Elastic IP is attached, so attach one first or the origin will silently break later)
    Protocol: HTTP only (CloudFront terminates TLS; the hop from CloudFront to the instance is plain HTTP across the public Internet)
    Origin Path: [leave empty]
    Name: EC2-Origin

  • Configure settings:
    Viewer Protocol Policy: Redirect HTTP to HTTPS (without this the site stays reachable over plain HTTP even with the certificate attached)
    Price Class: Choose based on your needs
    Alternate Domain Names (CNAMEs):

    • example.com

    • www.example.com

    Custom SSL Certificate: Select your ACM certificate (it only appears in this list if it was issued in us-east-1 and its status is Issued)
    Default Root Object: index.html (if applicable)

  • Wait for deployment (15-30 minutes)

Step 4: Update DNS for CloudFront

Add these records in your DNS settings. The root domain cannot be a plain CNAME (DNS does not allow a CNAME at the zone apex next to the SOA and NS records), so it needs an ALIAS/ANAME record, or an Alias record if the zone is hosted in Route 53:
Type: ALIAS/ANAME
Name: @ (root domain)
Value: your-distribution-domain.cloudfront.net
TTL: 300

Type: CNAME
Name: www
Value: your-distribution-domain.cloudfront.net
TTL: 300
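Before pointing DNS at the distribution, it is worth checking that the pieces from Steps 1 to 4 actually fit together, because the failure modes (certificate in the wrong region, wildcard that does not cover the apex, viewer policy left at allow-all) only show up as a broken site later. The script below is an added example, not code from the original guide: it runs those checks over two dicts shaped like the DistributionConfig object returned by `aws cloudfront get-distribution-config` and the Certificate object returned by `aws acm describe-certificate`. Both sample objects are constructed here (with a wildcard-only certificate and an allow-all viewer policy as deliberate mistakes); in real use you would load the JSON those two commands print. The TLS 1.2 floor is an assumption of this example, not a requirement the guide states.

```python
import re

# Constructed sample shaped like the DistributionConfig object from
# `aws cloudfront get-distribution-config`; only fields the checks read are
# present. The viewer protocol policy is deliberately left at allow-all.
DIST_CONFIG = {
    "Aliases": {"Quantity": 2, "Items": ["example.com", "www.example.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "EC2-Origin",
        "DomainName": "ec2-192-0-2-10.compute-1.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "http-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "EC2-Origin",
                             "ViewerProtocolPolicy": "allow-all"},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                             "11111111-2222-3333-4444-555555555555",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
}

# Constructed sample shaped like the Certificate object from
# `aws acm describe-certificate`; issued for the wildcard name only.
CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                      "11111111-2222-3333-4444-555555555555",
    "Status": "ISSUED",
    "DomainName": "*.example.com",
    "SubjectAlternativeNames": ["*.example.com"],
}

ACM_ARN = re.compile(r"^arn:aws:acm:(?P<region>[a-z0-9-]+):\d{12}:certificate/")


def name_covered(hostname, cert_name):
    """True if cert_name (possibly a wildcard) covers hostname.

    A wildcard matches exactly one label: *.example.com covers
    www.example.com but neither example.com nor a.b.example.com.
    """
    hostname, cert_name = hostname.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return (hostname.count(".") == cert_name.count(".")
                and hostname.endswith(cert_name[1:]))
    return hostname == cert_name


def preflight(dist, cert):
    """Return a list of findings; an empty list means the config matches the guide."""
    findings = []
    vc = dist["ViewerCertificate"]

    # Step 1: CloudFront only accepts ACM certificates issued in us-east-1.
    arn = vc.get("ACMCertificateArn", "")
    m = ACM_ARN.match(arn)
    if not m:
        findings.append("no ACM certificate attached to the distribution")
    elif m.group("region") != "us-east-1":
        findings.append(f"certificate is in {m.group('region')}; CloudFront requires us-east-1")
    if arn and arn != cert.get("CertificateArn"):
        findings.append("distribution references a different certificate than the one inspected")

    # Step 2: DNS validation must have completed.
    if cert.get("Status") != "ISSUED":
        findings.append(f"certificate status is {cert.get('Status')}, not ISSUED")

    # Step 3: every alternate domain name needs a matching certificate name.
    names = cert.get("SubjectAlternativeNames", [])
    for alias in dist["Aliases"].get("Items", []):
        if not any(name_covered(alias, n) for n in names):
            findings.append(f"alias {alias} is not covered by certificate names {names}")

    # Viewers must not be served over plain HTTP.
    vpp = dist["DefaultCacheBehavior"].get("ViewerProtocolPolicy")
    if vpp not in ("redirect-to-https", "https-only"):
        findings.append(f"viewer protocol policy is {vpp}; use redirect-to-https")

    # Assumed floor for this example: a TLS 1.2 (or newer) security policy at the edge.
    mpv = vc.get("MinimumProtocolVersion", "")
    if not mpv.startswith(("TLSv1.2", "TLSv1.3")):
        findings.append(f"minimum protocol version is {mpv or 'unset'}; use a TLSv1.2 policy")

    # The guide's origin hop is plain HTTP; report it so the trade-off is explicit.
    for origin in dist["Origins"].get("Items", []):
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy == "http-only":
            findings.append(f"origin {origin['Id']} is http-only: CloudFront-to-EC2 traffic is unencrypted")
    return findings


if __name__ == "__main__":
    for finding in preflight(DIST_CONFIG, CERT):
        print("WARN:", finding)
```

Run against the constructed input it reports three things: example.com is not covered by the wildcard, the viewer policy is allow-all, and the origin hop is http-only. The first two are bugs to fix before Step 4; the third is the guide's deliberate design and is reported so nobody assumes the origin hop is encrypted.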

Step 5: Configure Nginx on EC2

Update your Nginx configuration. The instance only listens on port 80; CloudFront holds the certificate and speaks HTTPS to viewers. Two things differ from a plain reverse-proxy setup and are easy to get wrong: $remote_addr is a CloudFront edge address rather than the viewer, and $scheme is always http, so X-Forwarded-Proto is derived from the CloudFront-Forwarded-Proto header instead of $scheme:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events { worker_connections 1024; }

http {
    # ... default settings ...

    # TLS ends at CloudFront, so $scheme is always "http" on this instance.
    # CloudFront reports the viewer's real scheme in CloudFront-Forwarded-Proto
    # (forwarded to the origin only if the distribution's origin request policy
    # includes that header); fall back to $scheme when it is absent.
    map $http_cloudfront_forwarded_proto $viewer_proto {
        default $scheme;
        https   https;
    }

    server {
        listen 80; listen [::]:80;
        # CloudFront sends its origin domain (the EC2 public DNS name) as Host
        # unless the origin request policy forwards the viewer's Host header;
        # being the only server block, this one answers either way.
        server_name example.com www.example.com;

        # Front-end application on port 3000.
        location / {
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            # $remote_addr is the CloudFront edge, not the viewer; the viewer's
            # address is the entry CloudFront appended to X-Forwarded-For.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $viewer_proto;
        }

        # API on port 8000; the trailing slash on proxy_pass strips the /api/
        # prefix, so /api/users reaches the backend as /users.
        location /api/ {
            proxy_pass http://localhost:8000/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $viewer_proto;
        }

        # WebSocket upgrade for socket.io; no trailing slash, so the request
        # path is passed through unchanged.
        location /socket.io/ {
            proxy_pass http://localhost:8000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $viewer_proto;
            proxy_cache_bypass $http_upgrade;
        }
    }
}

Test and reload Nginx:
sudo nginx -t
sudo systemctl reload nginx
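The application behind Nginx has to read the viewer's address and scheme out of the forwarded headers, and with two proxies in the chain (CloudFront, then Nginx) the naive reading is wrong in a way attackers exploit for rate-limit and allow-list bypasses. The following is an added example, not the guide's code or the author's application code; it assumes the Nginx configuration above and the chain viewer -> CloudFront -> Nginx -> app, which yields X-Forwarded-For: <anything the viewer sent>, <viewer IP>, <CloudFront edge IP> (CloudFront appends the viewer's address, then Nginx's $proxy_add_x_forwarded_for appends the edge's address), X-Forwarded-Proto carrying CloudFront-Forwarded-Proto when CloudFront forwards it, and plain http otherwise. The headers in the demo are constructed; header lookups assume a dict with exact key case, where a real framework would give you case-insensitive access.

```python
import ipaddress

# Proxies we control that each append one address to X-Forwarded-For:
# CloudFront appends the viewer's address, Nginx appends CloudFront's.
# If Nginx stops setting X-Forwarded-For, lower this to 1.
TRUSTED_PROXIES = 2


def xff_hops(headers):
    raw = headers.get("X-Forwarded-For", "")
    return [h.strip() for h in raw.split(",") if h.strip()]


def naive_client_ip(headers):
    """The common mistake: trust the leftmost entry, which the viewer controls."""
    hops = xff_hops(headers)
    return hops[0] if hops else None


def viewer_ip(headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the viewer's address as seen by CloudFront.

    Counting from the right, the last `trusted_proxies` entries were appended
    by proxies we trust, and the one CloudFront appended (its own upstream,
    the viewer) sits at index -trusted_proxies. Anything further left was
    supplied by the viewer and is ignored.
    """
    hops = xff_hops(headers)
    if len(hops) < trusted_proxies:
        raise ValueError(
            f"expected at least {trusted_proxies} X-Forwarded-For entries, got {hops!r}")
    # ip_address() rejects junk such as "1.2.3.4 OR 1=1" instead of letting it
    # reach logs, allow-lists or SQL.
    return str(ipaddress.ip_address(hops[-trusted_proxies]))


def viewer_scheme(headers):
    """Scheme the viewer used.

    X-Forwarded-Proto from Nginx is always "http" in this deployment (TLS ended
    at CloudFront), so CloudFront-Forwarded-Proto wins when present. Trusting
    it is only sound once the security group (Step 6) guarantees that every
    request arrived via CloudFront.
    """
    proto = (headers.get("CloudFront-Forwarded-Proto")
             or headers.get("X-Forwarded-Proto", "http"))
    return "https" if proto.strip().lower() == "https" else "http"


def request_context(headers):
    """What the app should record for the request: validated IP and scheme."""
    return {"ip": viewer_ip(headers), "scheme": viewer_scheme(headers)}


if __name__ == "__main__":
    # Constructed headers: the viewer injected a bogus first hop (10.0.0.1);
    # 198.51.100.7 is the viewer, 203.0.113.5 stands in for the CloudFront edge.
    spoofed = {
        "X-Forwarded-For": "10.0.0.1, 198.51.100.7, 203.0.113.5",
        "X-Forwarded-Proto": "http",
        "CloudFront-Forwarded-Proto": "https",
    }
    print("naive:  ", naive_client_ip(spoofed))   # attacker-chosen value
    print("correct:", request_context(spoofed))
```

The rule that matters is to count from the right, by the number of proxies you actually operate, and never from the left; the leftmost entries are whatever the viewer typed. If X-Real-IP from the Nginx config is what your framework reads by default, remember it holds the CloudFront edge address, not the viewer's.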

Step 6: EC2 Security Group Configuration

Update your EC2 security group so that port 80 is reachable only from CloudFront:
Inbound Rules: Type: HTTP (80)
Protocol: TCP
Source: the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing (pick it from the Source dropdown; AWS keeps it current, which a hand-pasted list of CloudFront IP ranges would not be)

Remove any rule that allows port 80 or 443 from 0.0.0.0/0, and keep SSH limited to your own address. Two caveats. First, the prefix list covers every CloudFront distribution, not just yours, so anyone could point their own distribution at your instance; to close that, set a secret custom origin header on the distribution and have Nginx reject requests that lack it. Second, this rule is what makes the plain-HTTP origin hop acceptable: once nothing on the public Internet can talk to port 80 directly, the only unencrypted path is between CloudFront and the instance.
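The security group rule above keeps strangers off port 80, but it is worth confirming from the instance's own logs that nothing is reaching Nginx directly. The script below is an added example, not code from the original guide. It pulls the CLOUDFRONT_ORIGIN_FACING prefixes out of an ip-ranges.json document (here a constructed excerpt using the real file's field names; in production fetch https://ip-ranges.amazonaws.com/ip-ranges.json, the same data behind the managed prefix list) and flags access-log lines whose source address is outside them. The log lines are constructed in Nginx's default combined format. It also shows why the distinction between the CLOUDFRONT and CLOUDFRONT_ORIGIN_FACING services matters: an address from the viewer-facing range is still a bypass of your distribution.

```python
import ipaddress
import json
import re

# Constructed excerpt of ip-ranges.json (field names match the real file).
IP_RANGES_JSON = """{
  "syncToken": "0",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:cf::/48", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "GLOBAL"}
  ]
}"""

# Constructed Nginx access-log lines (default "combined" format).
ACCESS_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Amazon CloudFront"
192.0.2.44 - - [01/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.77 - - [01/Jan/2024:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "Amazon CloudFront"
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/8.0"
2001:db8:cf::1 - - [01/Jan/2024:10:00:04 +0000] "GET /socket.io/ HTTP/1.1" 101 0 "-" "Amazon CloudFront"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})')


def origin_facing_networks(ip_ranges_text):
    """Networks CloudFront connects to origins from (what the SG rule should admit)."""
    data = json.loads(ip_ranges_text)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT_ORIGIN_FACING"]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in data.get("ipv6_prefixes", []) if p["service"] == "CLOUDFRONT_ORIGIN_FACING"]
    return nets


def is_cloudfront_origin_facing(ip, nets):
    addr = ipaddress.ip_address(ip)
    # Membership is False across IPv4/IPv6 versions rather than an error.
    return any(addr in n for n in nets)


def direct_hits(log_text, nets):
    """Return (ip, request, status) for requests that did not come via CloudFront."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skip rather than crash
        if not is_cloudfront_origin_facing(m["ip"], nets):
            hits.append((m["ip"], m["request"], int(m["status"])))
    return hits


if __name__ == "__main__":
    nets = origin_facing_networks(IP_RANGES_JSON)
    for ip, request, status in direct_hits(ACCESS_LOG, nets):
        print(f"DIRECT {ip:16} {status} {request}")
```

On the constructed input two lines are flagged: the scanner at 192.0.2.44 probing for /.env, and 198.51.100.9, which is inside a CloudFront viewer-facing range but not an origin-facing one. If a real log shows entries like these after Step 6, the security group still has a hole (typically a leftover 0.0.0.0/0 rule or a rule built from the wrong prefix list).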

Benefits of This Setup

  • Free SSL Certificates

    • Public certificates from ACM cost nothing

    • Auto-renewal through ACM, as long as the validation CNAME records stay in DNS

    • No manual certificate management on the instance

  • CDN Benefits

    • Faster global content delivery from edge locations

    • Reduced server load, since cacheable responses are served from the edge

    • DDoS protection at the network and transport layers (AWS Shield Standard is included with CloudFront)

  • Security

    • TLS encryption between viewers and CloudFront

    • TLS versions and cipher suites at the edge are managed by AWS through the distribution's security policy

    • The origin is unreachable from the open Internet once the security group admits only CloudFront addresses (Step 6)

  • Scalability

    • CloudFront global edge locations

    • Reduced origin server load

Troubleshooting

  • Certificate Not Validating

    • Verify the CNAME validation records are correct (name and value copied exactly; some registrars append your domain to the name a second time)

    • Ensure the certificate was requested in us-east-1; certificates from any other region cannot be attached to CloudFront

    • Check DNS propagation (query the validation record through a public resolver)

  • CloudFront Not Working

    • Verify origin settings (the origin domain must still resolve; an EC2 public DNS name changes after a stop/start without an Elastic IP)

    • Check EC2 security group (port 80 must admit CloudFront's origin-facing addresses; a 504 from CloudFront usually means it cannot reach the origin)

    • Confirm DNS records point at the distribution's cloudfront.net name

  • HTTPS Not Working

    • Verify certificate status is Issued and that every alternate domain name is covered by a name on the certificate

    • Check CloudFront settings (certificate attached, viewer protocol policy, alternate domain names)

    • Confirm DNS propagation

Maintenance

  • Certificate Renewal

    • ACM renews DNS-validated certificates automatically

    • No manual intervention needed, provided the validation CNAME records remain in place

  • Security Updates

    • AWS manages CloudFront security

    • Keep EC2 and Nginx updated

  • Monitoring

    • Use CloudWatch for metrics

    • Monitor CloudFront analytics

Conclusion

This setup provides a robust, secure, and scalable solution for serving your website over HTTPS. The combination of ACM, CloudFront, and EC2 offers enterprise-level features with minimal maintenance overhead.

Remember to:

  • Keep your EC2 instance secure

  • Monitor CloudFront metrics

  • Regularly update your application

  • Test HTTPS regularly

Additional Resources

  • AWS CloudFront Documentation

  • ACM Documentation

  • Nginx Documentation

Written by

Muhammad Hunbal Siddiqui