
EC2 running NGINX behind CloudFront with HTTPS?

I have a CloudFront distribution already configured for an S3 bucket using a Route53 domain, with HTTPS enabled using a public certificate.

I want to use this CloudFront distribution with another origin (which is an EC2 instance running NGINX as a reverse proxy for an application on that same instance), but I also need to enable HTTPS.

The normal way I would enable HTTPS on EC2 with NGINX is to just set up the nginx configuration and point my domain "A record" to the instance, then request a certificate with Let's Encrypt. But how should I do it when behind CloudFront? I won't use Let's Encrypt (not necessarily important to just use it) and would like to use an AWS public certificate as I did with my S3.

Could I just configure NGINX to listen on port 80 and add this EC2 instance as an origin on the CloudFront distribution then enable HTTPS and choose my public certificate there or how should this be done to work properly?

This time I am not going to use a Load Balancer, I want a direct connection between the EC2 and CloudFront. But I would also like to know how to set this up when using a Load Balancer (for the future).

Alaa Salah asked Oct 27 '25 04:10


1 Answer

> Could I just configure NGINX to listen on port 80 and add this EC2 instance as an origin on the CloudFront distribution then enable HTTPS and choose my public certificate there or how should this be done to work properly?

Yes, you can do this, but the traffic pattern will be:

Client---(HTTPS)--->CF---(HTTP)--->Instance

Which means that half of your connection (CF->Instance) will be in HTTP, which may not be desired.

If you want to have HTTPS on every path, you still need to have a valid public SSL certificate on the instance. CF will not work with self-signed certificates.

Marcin answered Oct 28 '25 19:10
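
The Client-(HTTPS)->CF-(HTTP)->Instance pattern described in the answer is selected per origin by `OriginProtocolPolicy` in the distribution config. As an added example (not part of the original question or answer), this Python check walks a dict shaped like the `DistributionConfig` returned by CloudFront's GetDistributionConfig and reports the cache behaviors whose CloudFront-to-origin leg can be plaintext; the sample config, origin ids and path patterns are constructed.

```python
# Added example: find cache behaviors whose CloudFront->origin leg may be HTTP.
# Input follows the "DistributionConfig" shape of CloudFront's
# GetDistributionConfig response; only the fields read here are required.

def origin_leg_schemes(origin, viewer_policy):
    """Return the set of schemes CloudFront may use toward a custom origin."""
    custom = origin.get("CustomOriginConfig")
    if custom is None:
        # S3 bucket origins carry no OriginProtocolPolicy; not assessed here.
        return set()
    policy = custom["OriginProtocolPolicy"]
    if policy == "http-only":
        return {"http"}
    if policy == "https-only":
        return {"https"}
    # match-viewer: CloudFront reuses the viewer's scheme, so plaintext is
    # possible only while the behavior still accepts HTTP viewers.
    return {"http", "https"} if viewer_policy == "allow-all" else {"https"}


def audit(dist_config):
    """Return (path, origin_id, viewer_policy, schemes) for plaintext-capable legs."""
    origins = {o["Id"]: o for o in dist_config["Origins"]["Items"]}
    behaviors = [("*", dist_config["DefaultCacheBehavior"])]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    findings = []
    for path, b in behaviors:
        viewer = b["ViewerProtocolPolicy"]
        schemes = origin_leg_schemes(origins[b["TargetOriginId"]], viewer)
        if "http" in schemes:
            findings.append((path, b["TargetOriginId"], viewer, sorted(schemes)))
    return findings


# Constructed sample, trimmed to the fields the audit reads.
SAMPLE = {
    "Origins": {"Items": [
        {"Id": "s3-static", "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "ec2-http", "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "ec2-tls", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
        {"Id": "ec2-match", "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer"}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-static", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/app/*", "TargetOriginId": "ec2-http", "ViewerProtocolPolicy": "redirect-to-https"},
        {"PathPattern": "/api/*", "TargetOriginId": "ec2-tls", "ViewerProtocolPolicy": "https-only"},
        {"PathPattern": "/legacy/*", "TargetOriginId": "ec2-match", "ViewerProtocolPolicy": "allow-all"},
    ]},
}
```

The `/app/*` finding shows that a viewer-side `redirect-to-https` does not protect the origin leg when the origin itself is `http-only`.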