Open in app

Sign in

Write

Sign in

Deploying and Securing a Spring Boot Application on AWS Lightsail with SSL

Mahfuzul Alam
7 min readJan 8, 2024

--

Introduction

In this article, we’ll explore how to deploy a Spring Boot application on an AWS Lightsail instance, ensuring it runs on port 443 with a secure SSL configuration. This guide is perfect for developers and DevOps engineers looking to leverage AWS infrastructure for hosting Java-based applications with enhanced security.

Prerequisites

  • A Spring Boot application packaged as a JAR file.
  • An AWS Lightsail account and a basic understanding of AWS services.
  • A domain name pointing to your AWS Lightsail instance.
  • Basic knowledge of Linux commands and the terminal.

Step 1: Setting Up Your AWS Lightsail Instance

  • Create a Lightsail instance: Choose a Linux OS and an appropriate plan.
  • SSH Access: Securely connect to your instance using SSH.
  • Update Packages: Ensure all packages are up-to-date using sudo apt-get update.

Step 2: Installing Java

  • Check Existing Java Installation: Use java -version to check if Java is installed.
  • Install Java 17: If not installed, use sudo apt install openjdk-17-jdk to install Java 17.
  • Verify Installation: Run java -version again to confirm the installation.

Step 3: Uploading Your JAR File to an AWS S3 Bucket

In this step, we’ll cover how to upload your Spring Boot application’s JAR file to an AWS S3 bucket and then download it onto your AWS Lightsail instance using AWS CLI.

  1. Prepare Your JAR File:
    - Ensure your Spring Boot application is packaged as a JAR file and is ready for deployment.
  2. Access AWS Management Console:
    - Go to the AWS Management Console in your web browser.
    - Navigate to the S3 service.
  3. Create a New S3 Bucket (if required):
    - Click on “Create bucket”.
    - Provide a unique name for your bucket and select the appropriate region.
    - Click on “Create” at the bottom of the page.
  4. Upload Your JAR File:
    - Open your newly created bucket.
    - Click on “Upload”.
    - Select your JAR file and upload it to the bucket.
    - Make a note of the bucket name and the JAR file name/key.

Configuring AWS CLI on Your AWS Lightsail Instance

  1. Connect to Your Lightsail Instance via SSH.
  2. Install AWS CLI:
    - Update the package list: sudo apt-get update.
    - Install AWS CLI: sudo apt-get install awscli.
  3. Configure AWS CLI:
    - Run aws configure.
    - Enter your AWS Access Key ID and Secret Access Key when prompted.
    - Specify your S3 region name (e.g. us-west-2).
    - Set the default output format as json (optional).

Downloading Your JAR File to Your Lightsail Instance

  1. Navigate to the Desired Directory:
    - Change to the directory where you want to download the JAR file (e.g., /home/ubuntu/).
  2. Download the JAR File Using AWS CLI:
    - Execute the following command:
    aws s3 cp s3://[your-bucket-name]/[your-jar-file].jar .
    -     Replace [your-bucket-name] with the name of your S3 bucket.
    - Replace [your-jar-file].jar with the name of your JAR file.
  3. Verify the Download:
    - Check that the JAR file is downloaded by listing the files in the directory: ls -l.

By following these steps, you have successfully uploaded your Spring Boot application’s JAR file to an S3 bucket and then downloaded it onto your AWS Lightsail instance. This process not only ensures that your JAR file is securely stored in AWS S3 but also simplifies the deployment process on Lightsail.

Step 4: Creating a Systemd Service

A systemd service allows your Spring Boot application to start automatically on system boot and provides commands to start, stop, and restart your application.

Create the Service File

  1. Navigate to the systemd directory:
    cd /etc/systemd/system/
  2. Create a new service file for your application:
    sudo nano myapp.service
    Replace myapp with a name that represents your application.

Configure the Service

In the myapp.service file, add the following configuration:

[Unit]
Description=My Spring Boot Application
After=syslog.target
[Service]
User=ubuntu
# Ensure the path below points to the location of your JAR file
ExecStart=/usr/bin/java -jar /path/to/your/app.jar
SuccessExitStatus=143
TimeoutStopSec=10
Restart=on-failure
RestartSec=5[Install]
WantedBy=multi-user.target
  • Description: A brief description of your service.
  • After: Specifies that the service should start after the syslog system is up.
  • User: The user under which the service will run. This example uses the default ubuntu user. Change it if necessary.
  • ExecStart: The command to start your application. Replace /path/to/your/app.jar with the actual path to your JAR file.
  • SuccessExitStatus: The exit status that will be considered successful for the service.
  • TimeoutStopSec: Time to wait for the service to stop gracefully before killing it.
  • Restart: When to restart the service. on-failure means the service will restart if it exits with a non-zero exit code.
  • RestartSec: Time to wait before restarting the service.

Enable and Start the Service

  1. Reload the systemd daemon to recognize your new service file:
    sudo systemctl daemon-reload
  2. Enable the service to start on boot:
    sudo systemctl enable myapp.service
  3. Start the service:
    sudo systemctl start myapp.service
  4. Check the status of your service:
    sudo systemctl status myapp.service

This configuration ensures that your Spring Boot application is managed as a service, providing reliability and ease of use. You can now start, stop, and restart your application using standard systemd commands.

Step 5: Installing and Configuring Nginx

Serving your Spring Boot application on port 80 (the standard HTTP port) can be done by setting up a reverse proxy, similar to how it’s done for port 443 (HTTPS), but without the SSL configuration. You can use Nginx or Apache for this purpose. Here, I’ll provide a guide using Nginx:

Install Nginx
Let’s install Nginx with the following commands:

  1. Update your package list:
    sudo apt-get update
  2. Install Nginx:
    sudo apt-get install nginx
  3. Start and enable Nginx:
    sudo systemctl start nginx
    sudo systemctl enable nginx

Configure Nginx as a Reverse Proxy

  1. Create a new configuration file for your application in /etc/nginx/sites-available/. Let's call it myapp
    sudo nano /etc/nginx/sites-available/myapp
  2. Add the following configuration to the file. This setup configures Nginx to listen on port 80 and forward requests to your application running on port 8083:
server {
    listen 80;
    server_name your_domain.com;  # Replace with your domain or IP
    location / {
        proxy_pass http://localhost:8083;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

3. Enable the configuration by creating a symbolic link to the sites-enabled directory:

sudo ln -s /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/

4. Test the Nginx configuration for syntax errors:
sudo nginx -t

5. Reload Nginx to apply the changes:
sudo systemctl reload nginx

Adjust Firewall Settings (If Applicable)
If your server has a firewall enabled, make sure that port 80 is open:

sudo ufw allow 'Nginx HTTP'
sudo ufw reload

DNS Configuration
Ensure your domain’s DNS settings point to the IP address of your AWS Lightsail instance.

Final Steps and Testing
- After completing these steps, your Spring Boot application should be accessible via HTTP on port 80.
- Test this by accessing http://your_domain.com in a web browser.

This setup allows your application to serve traffic over HTTP on port 80, with Nginx acting as a reverse proxy to your application running on port 8083. Remember, serving over HTTP is not secure compared to HTTPS, especially if sensitive data is involved. It’s generally recommended to use HTTPS for production applications.

Step 6: Securing Your Application with SSL

To install a free SSL certificate and enable HTTPS requests on port 443 for your Spring Boot application running on an AWS Lightsail instance, you can use Let’s Encrypt, a widely-used certificate authority that provides free SSL certificates. The Certbot tool, developed by the Electronic Frontier Foundation, simplifies the process of obtaining and installing Let’s Encrypt certificates. Here’s how to do it:

Install Certbot and the Nginx Plugin

  1. Update your package list:
    sudo apt-get update
  2. Install Certbot and the Nginx plugin:
    sudo apt-get install certbot python3-certbot-nginx

Obtain a Let’s Encrypt SSL Certificate

  1. Run Certbot:
    sudo certbot --nginx
    - Certbot will ask for information like your email address and agree to the terms of service.
    - It will then ask which domains you want to activate HTTPS for. Ensure your domain points to your AWS Lightsail instance’s IP address.
  2. Automatic Configuration:
    - Certbot will automatically configure SSL for Nginx and reload the server to apply changes.

Test Automatic Renewal
Let’s Encrypt certificates are valid for 90 days, but Certbot can automatically renew them:

  1. Test the renewal process:
    sudo certbot renew --dry-run
    - This command simulates certificate renewal without actually replacing your current certificate.
  2. Automating Renewal:
    - Certbot creates a cron job or systemd timer to automatically renew certificates that are near expiry.

Adjust Your Nginx Configuration (if needed)
Certbot usually configures Nginx automatically, but you can check or adjust the settings:

  1. Edit your Nginx configuration:
    sudo nano /etc/nginx/sites-available/your-config-file
    - Replace your-config-file with the appropriate file name.
  2. Ensure the SSL settings are correct:
    - Certbot should have added lines to handle SSL, including listen 443 ssl;, the ssl_certificate, and ssl_certificate_key directives.
  3. Reload Nginx to apply any changes:
    sudo systemctl reload nginx

Configure HTTPS Redirect (Optional)
You may want to redirect all HTTP traffic to HTTPS for security:

  1. Edit your Nginx configuration:
    sudo nano /etc/nginx/sites-available/your-config-file
  2. Add a server block to handle the redirect:
server {
    listen 80;
    server_name your_domain.com;
    return 301 https://$server_name$request_uri;
}

3. Reload Nginx:
sudo systemctl reload nginx

Step 7: Adjusting Firewall and Testing

  • Firewall Configuration: Ensure ports 80 and 443 are open in the firewall.
  • Testing: Access your application via https://your_domain.com to verify the setup.

Conclusion

Deploying a Spring Boot application on AWS Lightsail and securing it with SSL is a straightforward process that enhances the security and reliability of your application. By following these steps, you can successfully host and secure your Java-based applications in the cloud.

Spring Boot
Aws Lightsail
Ssl
S3
Deployment

--

--

Mahfuzul Alam
Mahfuzul Alam

Written by Mahfuzul Alam

37 Followers
12 Following

Software Engineer| AWS Certified Solutions Architect

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams