在 Spring Boot 应用程序中为 AWS Beanstalk 的 nginx 设置 HTTP 到 HTTPS 重定向
Posted
技术标签:
【中文标题】在 Spring Boot 应用程序中为 AWS Beanstalk 的 nginx 设置 HTTP 到 HTTPS 重定向【英文标题】:Set up HTTP to HTTPS redirect for AWS Beanstalk's nginx in Spring Boot app 【发布时间】:2018-03-10 18:12:33 【问题描述】:我有一个在 Beanstalk 上运行的 Spring Boot 应用程序,我最近想让我的整个网站通过 HTTPS 保护,所以我想默认将所有 HTTP 流量重定向到 HTTPS。
我已经使用 Amazon Certificate Manager 安装了我的 SSL 证书,它被我的 Amazon ELB 负载均衡器使用,因此 HTTPS 将在那里终止。
目前,负载均衡器配置有如下端口映射:
我还注意到,默认情况下,负载均衡器上还有一个 nginx,它侦听端口 80(实例端口),然后最终将其转发到我的 Spring Boot 应用程序。
所以我尝试通过将此 conf 文件放在 .ebextensions/nginx/conf.d/elasticbeanstalk/00_nginx_https_rw.conf 来进行重定向,并且 .ebextensions 文件夹位于我的 Spring Boot 存储库中的 src/main/resources 下本地:
files:
"/tmp/45_nginx_https_rw.sh":
owner: root
group: root
mode: "000644"
content: |
#! /bin/bash
CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`
if [ $CONFIGURED = 0 ]
then
sed -i '/listen 80;/a \ if ($http_x_forwarded_proto = "http") return 301 https://$host$request_uri; \n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
logger -t nginx_rw "https rewrite rules added"
exit 0
else
logger -t nginx_rw "https rewrite rules already set"
exit 0
fi
container_commands:
00_appdeploy_rewrite_hook:
command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
01_configdeploy_rewrite_hook:
command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
02_rewrite_hook_perms:
command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
03_rewrite_hook_ownership:
command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
04_reload_nginx:
command: "sudo service nginx reload"
我使用该 conf 文件部署了我的 Spring Boot 应用程序,并且还在 Beanstalk 中执行了“重新启动应用程序服务器”,但它仍然不会从 HTTP 重定向到 HTTPS
我也对我的 conf 文件进行了尝试,但它也不起作用:
listen 80;
# ELB stores the protocol used between the client
# and the load balancer in the X-Forwarded-Proto request header.
# Check for 'https' and redirect if not
if ($http_x_forwarded_proto != 'https')
rewrite ^ https://$host$request_uri? permanent;
server_name mothersquad.com www.mothersquad.com
这是我放置 conf 文件的位置:
当我尝试访问我的网站的 HTTP 版本时,这些是我的 Nginx access.log:
172.31.42.155 - - [28/Sep/2017:07:38:53 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:03 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:13 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET / HTTP/1.1" 200 93279 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /css/landing.css HTTP/1.1" 200 13132 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /css/landing_bootstrap.css HTTP/1.1" 200 134640 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /js/landing.js HTTP/1.1" 200 5627 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/logo.png HTTP/1.1" 200 6830 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/tracery.png HTTP/1.1" 200 23045 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-4.jpg HTTP/1.1" 200 17441 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-1.jpg HTTP/1.1" 200 24258 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-2.jpg HTTP/1.1" 200 20504 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-5.jpg HTTP/1.1" 200 18711 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-3.jpg HTTP/1.1" 200 20686 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/virtualgroup.jpg HTTP/1.1" 200 46406 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-6.jpg HTTP/1.1" 200 21364 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-7.jpg HTTP/1.1" 200 18472 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/tracery-red.png HTTP/1.1" 200 2500 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/bg1.jpg HTTP/1.1" 200 48181 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/bg2.jpg HTTP/1.1" 200 116554 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
我在errors.log中没有看到任何错误
我还错过了什么?谢谢
【问题讨论】:
【参考方案1】:如果您已将证书安装到负载均衡器上,我建议您在 LB 处终止 SSL(假设您的 VPC 是安全的)。尝试将应用程序属性中的参数server.use-forward-headers 设置为true。这将导致您的启动应用遵循 X-Forwarded-Proto 和 X-Forward-For 标头。
完成此操作后,删除 LB 上的端口 80 侦听器,以便您的应用只能通过 443 访问。
【讨论】:
嗨,Lane,谢谢,所以如果我让这个 server.use-forward-headers 发生变化,这意味着我应该恢复我所有的 .enextensions nginx 变化吗?只是为了确保我正确理解这一点,当我只保持端口 443 而不是 80 时,所有 http 调用都会自动重定向到 https? 如果您想要重定向,请保留扩展名和端口。另请注意,您必须在属性文件或您拥有的任何外部属性源中设置该属性。由于连字符,您无法在 EBS 属性中设置它。 问题是我的 nginx conf 似乎还没有进行 http 重定向,我想先解决这个问题。我的 conf 文件中有什么不正确的地方吗? 我不相信 ebextensions 会根据它们在 jar 中的位置被 EBS 拾取。 .ebextensions 文件夹需要位于 jar 的根目录下,因此除非您在组装过程中移动它们,否则它们将位于 BOOT-INF/classes 下。 知道了,这很奇怪,因为我在网上看到 .ebextensions 文件夹可以位于 src/main/resources 下,而 gradle build 会将其正确打包到 jar 的根目录中。那么我应该将 .ebextensions 文件夹移到哪里?以上是关于在 Spring Boot 应用程序中为 AWS Beanstalk 的 nginx 设置 HTTP 到 HTTPS 重定向的主要内容,如果未能解决你的问题,请参考以下文章
为啥必须在 spring-boot 中为 web 应用程序提供单独的 @Controller 类文件?
为啥 spring-boot 应用程序无法在 AWS 中运行,但在本地运行良好?
使用 AWS Elastic Beanstalk 在 AWS 上部署 Spring Boot 应用程序