for AWS hosted use cases, this is what I did:

• Register a domain in AWS
• Request a certificate for the domain or subdomain of the URL of your desired app (myapp.domain.com) in AWS Certificate Manager
• Run your app on EC2 (on an elastic IP)
• Create an application load balancer with the SSL certificate that you created in the 2nd step, and target groups pointing to your EC2 IP.
• Allow the EC2 access from the load balancer security group on 8501
• Add additional listener rules to reroute HTTP to HTTPS

Note that there are other steps to check regarding security groups (who should be able to access the load balancer vs the server running Streamlit), proper records in the hosted zones for the domain, using the right ports in all the steps (443, 80, 8501) etc etc.

This is as simple as it can get in an AWS environment. The load balancer handles all traffic and the SSL protocols, and the EC2 instance runs faster this way running only Streamlit code.

Thanks all! I was running on AWS, but my domain was NOT in AWS (squarespace), so doing the load balancer route gets complicated - you have to do a Network Load Balancer in front of, and I couldn’t figure how to get all the balancers and targets to seeming work together. So I heavily borrowed from @Dhruv4 's great post - here was my entire thing, beginning to end, on a clean machine

• Start a small instance on AWS using a stock ubuntu AMI
  • Set up a security group that allows HTTP, HTTPS, and SSH traffic
• Register an Elastic IP address, and assign it to the instance
• Go to domain registrar, and assign @ and www to the IP address
• Log into the machine, and then

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install certbot python3-certbot-nginx python3-pip -y
sudo certbot --nginx -d yoursite.extension -d www.yoursite.extension

• Add this block to the http section of /etc/nginx/nginx.conf:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    server {
        listen 443 ssl;
        server_name yoursite.extension;

        ssl_certificate /etc/letsencrypt/live/yoursite.extension/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yoursite.extension/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        location / {
            proxy_pass http://localhost:8501;
            proxy_http_version 1.1;

            # WebSocket support
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Standard proxy headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80;
        server_name yoursite.extension;
        return 301 https://$host$request_uri;  # Redirect all HTTP traffic to HTTPS
    }

• Finally:

sudo rm /etc/nginx/sites-enabled/default
sudo nginx -t && sudo nginx -s reload
# make sure it's not returning an error here, of course! 

tmux new -s yourapp
python3 -m pip install streamlit
git clone https://github.com/yourorg/yourrepo.git
cd yourrepo
python3 -m pip install -r requirements.txt 
streamlit run some_appfile.py