Spring Boot 和单实例 AWS Beanstalk SSL 设置错误

Posted

技术标签:

【中文标题】Spring Boot 和单实例 AWS Beanstalk SSL 设置错误【英文标题】:Spring Boot and Single Instance AWS Beanstalk SSL Setup Error 【发布时间】:2020-12-15 20:37:52 【问题描述】:

我在单实例 AWS Beanstalk 上设置了与 SSL 和 HTTPS(在 64 位 Amazon Linux 2/3.1.0 上运行的 Corretto 11 上的 Certbot 和 LetsEncrypt)相关的问题。 此环境用于暂存环境,稍后我将使用负载均衡器设置真实环境。

我按照下面的教程https://medium.com/@phil_mldtsv/configuring-your-aws-elastic-beanstalk-single-instance-spring-boot-app-for-https-using-lets-9750c03a8860

这是我的错误:

2020/08/23 07:01:16 [error] 6360#0: *166 connect() failed (111: Connection refused) while connecting to upstream, client: 78.151.174.205, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:5000/", host: "54.255.115.127:80"
2020/08/23 08:29:20 [warn] 6360#0: *170 using uninitialized "year" variable while logging request, client: 45.141.84.124, server: , request: "��/*����Cookie: mstshash=Administr"
2020/08/23 08:29:20 [warn] 6360#0: *170 using uninitialized "month" variable while logging request, client: 45.141.84.124, server: , request: "��/*����Cookie: mstshash=Administr"
2020/08/23 08:29:20 [warn] 6360#0: *170 using uninitialized "day" variable while logging request, client: 45.141.84.124, server: , request: "��/*����Cookie: mstshash=Administr"
2020/08/23 08:29:20 [warn] 6360#0: *170 using uninitialized "hour" variable while logging request, client: 45.141.84.124, server: , request: "��/*����Cookie: mstshash=Administr"
2020/08/23 09:11:40 [error] 6360#0: *171 connect() failed (111: Connection refused) while connecting to upstream, client: 193.138.154.68, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:5000/", host: "54.255.115.127:80"
2020/08/23 09:36:08 [error] 6360#0: *173 connect() failed (111: Connection refused) while connecting to upstream, client: 195.54.160.21, server: , request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "http://127.0.0.1:5000/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", host: "54.255.115.127:80"
2020/08/23 09:43:16 [error] 6360#0: *175 connect() failed (111: Connection refused) while connecting to upstream, client: 180.251.244.69, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:5000/", host: "54.255.115.127:80"
2020/08/23 10:50:06 [error] 6360#0: *179 connect() failed (111: Connection refused) while connecting to upstream, client: 5.76.67.42, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:5000/", host: "54.255.115.127:80"

这是我的 .config 文件

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: "Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:
  /tmp/redirect.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      return 301 https://$host$request_uri;

  /tmp/java_app.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server 
        listen 443 ssl;

        error_page  497 https://$host$request_uri;

        ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;

        if ($ssl_protocol = "") 
          rewrite ^ https://$host$request_uri? permanent;
        

        location / 
          proxy_pass http://127.0.0.1:5000;
          proxy_set_header Connection "";
          proxy_http_version 1.1;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        
      

  /opt/elasticbeanstalk/hooks/configdeploy/post/mv_config_deploy.sh:
    mode: "000644"
    owner: root
    group: root
    content: |
      #!/bin/bash -xe
      mv /tmp/java_app.conf /var/elasticbeanstalk/staging/nginx/conf.d/
      mv /tmp/redirect.conf /var/elasticbeanstalk/staging/nginx/conf.d/elasticbeanstalk/

container_commands:
  01_install_certbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  02_stop_nginx:
    command: "sudo service nginx stop"
  03_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --standalone --email $certemail --agree-tos -d $certdomain --keep-until-expiring"
  04_link:
    command: "ln -sf /etc/letsencrypt/live/$certdomain /etc/letsencrypt/live/ebcert"
  05_mvconfig:
    command: "sudo sh /opt/elasticbeanstalk/hooks/configdeploy/post/mv_config_deploy.sh;sudo rm -f /opt/elasticbeanstalk/hooks/configdeploy/post/mv_config_deploy.sh"
  06_removeconfig:
    command: "sudo service nginx start"

这是我的安全组配置

从实例内部

任何人都可以说出我的配置有什么问题吗? 提前致谢。

【问题讨论】:

我在实例中执行 certbot 后得到了这个:“对不起,我不知道如何在你的操作系统上引导 Certbot!” 第一步,尝试使用手动安装 certbot:serverfault.com/questions/890212/… 并确保在下次尝试之前这种方式可行 【参考方案1】:

截至目前 (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-java.html) 的所有当前 AWS 文档都适用于 corretto java 8 Linux 1 平台。此外,您提到的 .config 文件也适用于旧平台。

对于 Corretto Java 11 Linux 2 平台,由于它是不同的平台,您需要不同的配置文件。

现在,您需要添加 .ebextensions 文件夹以及另一个名为 .platform 的文件夹

在 .ebextensions 文件夹中,您需要添加两个 .config 文件 - 一个用于安装 certbot 和生成证书,另一个用于创建 cron 作业以更新证书。第二步是可选的,但是由于 Letsencrypt 证书在 3 个月后到期,因此更新证书以使 https 继续工作至关重要。

在 .platform 中,创建此文件夹结构 nginx/conf.d。 在 conf.d 文件夹中,创建一个名为 https.conf 的文件。

现在,如果您想从 HTTP 重定向到 HTTPS,那么您需要在 conf.d/elasticbeanstalk 文件夹中添加一个名为 00_application.conf 的配置文件。请注意,名称 00_application.conf 非常重要,因为 Nginx 文件夹中已经有一个具有该名称的文件,我们将用新文件替换该文件内容,以将流量从 HTTP 重定向到 HTTPS。如果您提供其他名称,则它将不起作用。

项目结构:

root
  - .ebextensions
      - https-instance.config
      - renew-ssl.config
  - .platform
      - nginx
          - conf.d
              - elasticbeanstalk
                 - 00_application.conf
              - https.conf
  - Procfile
  - Application Jar

https-instance.config

packages:
  rpm:
    epel: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

commands:
  01_install_certbot_packages:
    command: sudo yum -y install certbot-nginx
  02_generate_ssl:
    command: sudo certbot certonly --nginx -d $enter_your_domain_name --non-interactive --email $enter_your_email_here@gmail.com  --agree-tos

renew-ssl.config(此命令在每周一凌晨 3:30 更新证书)

files:
  /etc/cron.d/renewssl:
    content: |
      30 3 * * 1 root /usr/bin/certbot renew --quit

00_application.conf

location / 
     set $redirect 0;
     if ($http_x_forwarded_proto != "https") 
       set $redirect 1;
     
     if ($http_user_agent ~* "ELB-HealthChecker") 
       set $redirect 0;
     
     if ($redirect = 1) 
       return 301 https://$host$request_uri;
     

     proxy_pass          http://127.0.0.1:5000;
     proxy_http_version  1.1;

     proxy_set_header    Connection          $connection_upgrade;
     proxy_set_header    Upgrade             $http_upgrade;
     proxy_set_header    Host                $host;
     proxy_set_header    X-Real-IP           $remote_addr;
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;

https.conf

# HTTPS server

server 
    listen       443;
    server_name  localhost;

    ssl                  on;
    ssl_certificate      /etc/letsencrypt/live/$enter_your_domain_name/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/$enter_your_domain_name/privkey.pem;

    ssl_session_timeout  5m;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    location / 
        proxy_pass  http://localhost:5000;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
    

过程文件

web: java -jar $application_jar_name.jar

最后,将所有 conf 文件夹连同 jar 一起压缩,并将压缩后的文件夹上传到 aws。

PS:我在这里假设默认端口为 5000。如果您通过环境变量更改它,那么您需要在配置文件中更改端口值。

【讨论】:

很好的答案,就像一个魅力!你也知道如何将非 www 重定向到 www 吗?【参考方案2】:

由于与最新版本的 Amazon LInux 2/4.10 的兼容性问题,Certbot 出错。 没什么可做的,你需要自己设置手动负载均衡器,并在那里设置ssl证书。

【讨论】:

以上是关于Spring Boot 和单实例 AWS Beanstalk SSL 设置错误的主要内容,如果未能解决你的问题,请参考以下文章

『深入学习 Spring Boot』——Bean 实例化流程

Spring Boot实战 Spring常用配置

Spring Boot教程4——@Scope注解

如何在 bean 实例化之前记录 Spring Boot 应用程序的所有活动属性?

Spring Boot自动配置实例

如何对接一个与 AWS RDS Postgres 实例连接的 Spring Boot 应用程序? [关闭]