使用 AWS 弹性 beanstalk 负载均衡器在 Rails 上实施 https 连接
Posted
技术标签:
【中文标题】使用 AWS 弹性 beanstalk 负载均衡器在 Rails 上实施 https 连接【英文标题】:Enforce https connection on Rails using AWS elastic beanstalk load balancer 【发布时间】:2018-07-21 06:55:45 【问题描述】:我有一个使用 AWS 弹性 beanstalk 负载均衡器在 puma 和 nginx 上运行的 rails 应用程序。我配置了 AWS 证书,它在 http 和 https 上都能正常工作。
但是,如果我在 config/environments/production.rb
上启用 config.force_ssl = true
,我开始收到以下错误:
在 http:连接已重置
在 https 上:安全连接失败。页面加载时,与服务器的连接已重置。
这是我从 awslabs/elastic-beanstalk-samples here 获得的 nginx 配置文件的内容:
.ebextensions/nginx.config
files:
"/opt/elasticbeanstalk/support/conf/webapp_healthd.conf":
owner: root
group: root
mode: "000644"
content: |
upstream my_app
server unix:///var/run/puma/my_app.sock;
server
listen 80;
server_name _ localhost; # need to listen to localhost for worker tier
location /
set $redirect 0;
if ($http_x_forwarded_proto != "https")
set $redirect 1;
if ($http_user_agent ~* "ELB-HealthChecker")
set $redirect 0;
if ($redirect = 1)
return 301 https://$host$request_uri;
proxy_pass http://my_app; # match the name of upstream directive which is defined above
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location /assets
alias /var/app/current/public/assets;
gzip_static on;
gzip on;
expires max;
add_header Cache-Control public;
location /public
alias /var/app/current/public;
gzip_static on;
gzip on;
expires max;
add_header Cache-Control public;
container_commands:
99_restart_nginx:
command: "service nginx restart || service nginx start"
【问题讨论】:
【参考方案1】:我在其他地方找到了我的答案,这个问题与同一问题相关,但使用的是 Node.js
只需将其添加到 .ebextensions 文件夹内的文件中,我将其命名为 enforce-ssl.config
files:
"/tmp/45_nginx_https_rw.sh":
owner: root
group: root
mode: "000644"
content: |
#! /bin/bash
CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`
if [ $CONFIGURED = 0 ]
then
sed -i '/listen 80;/a \ if ($http_x_forwarded_proto = "http") return 301 https://$host$request_uri; \n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
logger -t nginx_rw "https rewrite rules added"
service nginx restart
exit 0
else
logger -t nginx_rw "https rewrite rules already set"
exit 0
fi
container_commands:
00_appdeploy_rewrite_hook:
command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
01_configdeploy_rewrite_hook:
command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
02_rewrite_hook_perms:
command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
03_rewrite_hook_ownership:
command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
原答案:https://***.com/a/34619855/2454036
更新:我发现原来的答案并不总是有效,因为在文件更新之前可能会触发 nginx 重启,所以我将添加的 service nginx restart
放到脚本中
【讨论】:
【参考方案2】:HTTP -> HTTPS 重定向是一种非常常见的做法,AWS 在此处记录了如何实现它: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html
您拥有的解决方案与下面列出的他们自己提供的配置非常相似,涵盖了一系列不同的环境平台: https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect
【讨论】:
以上是关于使用 AWS 弹性 beanstalk 负载均衡器在 Rails 上实施 https 连接的主要内容,如果未能解决你的问题,请参考以下文章
如何使 DNS ARecord 指向 AWS 弹性 beanstalk 负载均衡器?
通过 ACM 和负载均衡器为 aws Nodejs 弹性 beanstalk 设置了 HTTPS,我如何在 s3 存储桶中为 Angular 设置 HTTPS
aws 弹性负载均衡器可以将端口 443 转发到端口 443 以获取弹性 beantalk 实例吗?