在 Spring Boot 应用程序中为 AWS Beanstalk 的 nginx 设置 HTTP 到 HTTPS 重定向

Posted

技术标签:

【中文标题】在 Spring Boot 应用程序中为 AWS Beanstalk 的 nginx 设置 HTTP 到 HTTPS 重定向【英文标题】:Set up HTTP to HTTPS redirect for AWS Beanstalk's nginx in Spring Boot app 【发布时间】:2018-03-10 18:12:33 【问题描述】:

我有一个在 Beanstalk 上运行的 Spring Boot 应用程序,我最近想让我的整个网站通过 HTTPS 保护,所以我想默认将所有 HTTP 流量重定向到 HTTPS。

我已经使用 Amazon Certificate Manager 安装了我的 SSL 证书,它被我的 Amazon ELB 负载均衡器使用,因此 HTTPS 将在那里终止。

目前,负载均衡器配置有如下端口映射:

我还注意到,默认情况下,负载均衡器上还有一个 nginx,它侦听端口 80(实例端口),然后最终将其转发到我的 Spring Boot 应用程序。

所以我尝试通过将此 conf 文件放在 .ebextensions/nginx/conf.d/elasticbeanstalk/00_nginx_https_rw.conf 来进行重定向,并且 .ebextensions 文件夹位于我的 Spring Boot 存储库中的 src/main/resources 下本地:

files:
  "/tmp/45_nginx_https_rw.sh":
  owner: root
  group: root
  mode: "000644"
  content: |
  #! /bin/bash

  CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

  if [ $CONFIGURED = 0 ]
    then
      sed -i '/listen 80;/a \    if ($http_x_forwarded_proto = "http")  return 301 https://$host$request_uri; \n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
      logger -t nginx_rw "https rewrite rules added"
      exit 0
    else
      logger -t nginx_rw "https rewrite rules already set"
      exit 0
  fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  04_reload_nginx:
    command: "sudo service nginx reload"

我使用该 conf 文件部署了我的 Spring Boot 应用程序,并且还在 Beanstalk 中执行了“重新启动应用程序服务器”,但它仍然不会从 HTTP 重定向到 HTTPS

我也对我的 conf 文件进行了尝试,但它也不起作用:

listen 80;

# ELB stores the protocol used between the client
# and the load balancer in the X-Forwarded-Proto request header.
# Check for 'https' and redirect if not
if ($http_x_forwarded_proto != 'https') 
   rewrite ^ https://$host$request_uri? permanent;



server_name mothersquad.com www.mothersquad.com

这是我放置 conf 文件的位置:

当我尝试访问我的网站的 HTTP 版本时,这些是我的 Nginx access.log:

172.31.42.155 - - [28/Sep/2017:07:38:53 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:03 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:13 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /health_check HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0" "-"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET / HTTP/1.1" 200 93279 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /css/landing.css HTTP/1.1" 200 13132 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /css/landing_bootstrap.css HTTP/1.1" 200 134640 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:23 +0000] "GET /js/landing.js HTTP/1.1" 200 5627 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/logo.png HTTP/1.1" 200 6830 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/tracery.png HTTP/1.1" 200 23045 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-4.jpg HTTP/1.1" 200 17441 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-1.jpg HTTP/1.1" 200 24258 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-2.jpg HTTP/1.1" 200 20504 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-5.jpg HTTP/1.1" 200 18711 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-3.jpg HTTP/1.1" 200 20686 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/virtualgroup.jpg HTTP/1.1" 200 46406 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-6.jpg HTTP/1.1" 200 21364 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/squad-photo-7.jpg HTTP/1.1" 200 18472 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/tracery-red.png HTTP/1.1" 200 2500 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/bg1.jpg HTTP/1.1" 200 48181 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"
172.31.42.155 - - [28/Sep/2017:07:39:24 +0000] "GET /images/landing/bg2.jpg HTTP/1.1" 200 116554 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36" "172.113.254.101"

我在errors.log中没有看到任何错误

我还错过了什么?谢谢

【问题讨论】:

【参考方案1】:

如果您已将证书安装到负载均衡器上,我建议您在 LB 处终止 SSL(假设您的 VPC 是安全的)。尝试将应用程序属性中的参数server.use-forward-headers 设置为true。这将导致您的启动应用遵循 X-Forwarded-Proto 和 X-Forward-For 标头。

完成此操作后,删除 LB 上的端口 80 侦听器,以便您的应用只能通过 443 访问。

【讨论】:

嗨,Lane,谢谢,所以如果我让这个 server.use-forward-headers 发生变化,这意味着我应该恢复我所有的 .enextensions nginx 变化吗?只是为了确保我正确理解这一点,当我只保持端口 443 而不是 80 时,所有 http 调用都会自动重定向到 https? 如果您想要重定向,请保留扩展名和端口。另请注意,您必须在属性文件或您拥有的任何外部属性源中设置该属性。由于连字符,您无法在 EBS 属性中设置它。 问题是我的 nginx conf 似乎还没有进行 http 重定向,我想先解决这个问题。我的 conf 文件中有什么不正确的地方吗? 我不相信 ebextensions 会根据它们在 jar 中的位置被 EBS 拾取。 .ebextensions 文件夹需要位于 jar 的根目录下,因此除非您在组装过程中移动它们,否则它们将位于 BOOT-INF/classes 下。 知道了,这很奇怪,因为我在网上看到 .ebextensions 文件夹可以位于 src/main/resources 下,而 gradle build 会将其正确打包到 jar 的根目录中。那么我应该将 .ebextensions 文件夹移到哪里?

以上是关于在 Spring Boot 应用程序中为 AWS Beanstalk 的 nginx 设置 HTTP 到 HTTPS 重定向的主要内容,如果未能解决你的问题,请参考以下文章

为啥必须在 spring-boot 中为 web 应用程序提供单独的 @Controller 类文件?

为啥 spring-boot 应用程序无法在 AWS 中运行,但在本地运行良好?

使用 AWS Elastic Beanstalk 在 AWS 上部署 Spring Boot 应用程序

如何运行部署在 AWS 上的 Spring Boot 程序 [关闭]

关闭 Spring Boot AWS 自动配置

Spring Boot 应用程序在 AWS 上的自动缩减