使用 AWS 弹性 beanstalk 负载均衡器在 Rails 上实施 https 连接

Posted 2023-03-04

【中文标题】使用 AWS 弹性 beanstalk 负载均衡器在 Rails 上实施 https 连接

【英文标题】：Enforce https connection on Rails using AWS elastic beanstalk load balancer

【发布时间】：2018-07-21 06:55:45

【问题描述】：

我有一个使用 AWS 弹性 beanstalk 负载均衡器在 puma 和 nginx 上运行的 rails 应用程序。我配置了 AWS 证书，它在 http 和 https 上都能正常工作。

但是，如果我在 config/environments/production.rb 上启用 config.force_ssl = true，我开始收到以下错误：

在 http：连接已重置

在 https 上：安全连接失败。页面加载时，与服务器的连接已重置。

这是我从 awslabs/elastic-beanstalk-samples here 获得的 nginx 配置文件的内容：

.ebextensions/nginx.config

files:
   "/opt/elasticbeanstalk/support/conf/webapp_healthd.conf":
     owner: root
     group: root
     mode: "000644"
     content: |
       upstream my_app 
         server unix:///var/run/puma/my_app.sock;
       

       server 
         listen 80;
         server_name _ localhost; # need to listen to localhost for worker tier

         location / 
           set $redirect 0;
           if ($http_x_forwarded_proto != "https") 
             set $redirect 1;
           
           if ($http_user_agent ~* "ELB-HealthChecker") 
             set $redirect 0;
           
           if ($redirect = 1) 
             return 301 https://$host$request_uri;
           
           proxy_pass http://my_app; # match the name of upstream directive which is defined above
           proxy_set_header Host $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         

         location /assets 
           alias /var/app/current/public/assets;
           gzip_static on;
           gzip on;
           expires max;
           add_header Cache-Control public;
         

         location /public 
           alias /var/app/current/public;
           gzip_static on;
           gzip on;
           expires max;
           add_header Cache-Control public;
         
       

container_commands:
  99_restart_nginx:
    command: "service nginx restart || service nginx start"

【参考方案1】：

我在其他地方找到了我的答案，这个问题与同一问题相关，但使用的是 Node.js

只需将其添加到 .ebextensions 文件夹内的文件中，我将其命名为 enforce-ssl.config

files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash

      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          sed -i '/listen 80;/a \    if ($http_x_forwarded_proto = "http")  return 301 https://$host$request_uri; \n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          service nginx restart
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

原答案：https://***.com/a/34619855/2454036

更新：我发现原来的答案并不总是有效，因为在文件更新之前可能会触发 nginx 重启，所以我将添加的 service nginx restart 放到脚本中

【参考方案2】：

HTTP -> HTTPS 重定向是一种非常常见的做法，AWS 在此处记录了如何实现它： https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html

您拥有的解决方案与下面列出的他们自己提供的配置非常相似，涵盖了一系列不同的环境平台： https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect