Elastic Beanstalk Single Instance SSL .ebextensions config file not working


【Posted】: 2015-04-23 10:55:02

【Question】:

I am trying to use SSL on my single instance. I think I managed to generate the key and certificate correctly, and after some digging I found instructions for configuring the instance to use them.

So I created a .ebextensions folder in the top-level directory, with a file inside it that I named singlessl.config.

I have included the file I uploaded below. It does not work; does anyone know what the error might be?

(At least something is happening, because now I get an "Unable to connect" message.)

I have replaced some strings, such as the key, with other characters, but apart from that it is exactly the same.

The environment is a single-instance Node.js environment with no load balancer, and the file is as follows:

Resources:
    sslSecurityGroupIngress: 
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
            GroupName: {Ref : awseb-e-10randchar-stack-AWSEBSecurityGroup-NOW13RANDCHARS}
            IpProtocol: tcp
            ToPort: 443
            FromPort: 443
            CidrIp: 0.0.0.0/0

files:
    /etc/nginx/conf.d/ssl.conf:
        mode: "000755"
        owner: root
        group: root
        content: |
            # HTTPS server

            upstream nodejs {
                server 127.0.0.1:8443;
                keepalive 256;
            }

            server {
                    listen       443;
                    server_name  localhost;

                    ssl                  on;
                    ssl_certificate      /etc/pki/tls/certs/server.crt;
                    ssl_certificate_key  /etc/pki/tls/certs/server.key;

                    ssl_session_timeout  5m;

                    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
                    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
                    ssl_prefer_server_ciphers   on;

                    location / {
                            proxy_pass  http://nodejs;
                            proxy_set_header   Connection "";
                            proxy_http_version 1.1;
                            proxy_set_header        Host            $host;
                            proxy_set_header        X-Real-IP       $remote_addr;
                            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                    }
            }

    /etc/pki/tls/certs/server.crt:
        mode: "000400"
        owner: root
        group: root
        content: |
            -----BEGIN CERTIFICATE-----
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificatethisisno
            Thisisnotmyactualcertificatethisisnotmyactualcertificate
            -----END CERTIFICATE-----

    /etc/pki/tls/certs/server.key:
        mode: "000400"
        owner: root
        group: root
        content: |
            -----BEGIN RSA PRIVATE KEY-----
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmyactualkeythis
            Thisisnotmyactualkeythisisnotmyactualkeythisisnotmya
            -----END RSA PRIVATE KEY-----

I am not sure what I did wrong. Any insight would be helpful.

【Comments】:

Well, I still don't know what I did wrong, but I switched to the load-balanced version of Elastic Beanstalk with 1 instance. Easier to configure. Seems to be working fine so far.

【Answer 1】:

Yes. Configuring SSL on a single instance is harder than setting up Elastic Beanstalk with a load balancer and defining max instances = 1.

For simplicity, the steps are at http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

【Comments】:

This may be another way, but it is certainly not the correct answer. The downside is that using the load balancer service incurs extra cost.

【Answer 2】:

Keep in mind that indentation matters a great deal in this file. I just finished the configuration in this file and had a hard time getting everything indented correctly. Also, remember that when you use a load balancer you spend roughly $18 per month. If you don't mind having that in your budget, I recommend using a load balancer. One more thing: if you are using a VPC, you need to change the GroupName property to GroupId.

【Comments】:
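The indentation, GroupName/GroupId and missing-brace problems raised in the question and in this answer can be caught before a deployment fails. The linter below is an added example; it is not code from the question, from any of the answers or from AWS. It walks the files: section by indentation instead of using a YAML library, and its rules are assumptions about what a reviewer would check: the ingress rule should reference the environment's logical resource as {Ref: AWSEBSecurityGroup} (or GroupId via Fn::GetAtt inside a VPC), nginx braces must balance, ssl_protocols should not enable TLSv1/TLSv1.1, and the private key should be mode 0400 and ideally not inlined in the source bundle. SAMPLE_CONFIG is a constructed copy of the question's file with several mistakes planted so that every check fires.

```python
"""Lint an .ebextensions config for the pitfalls discussed above (added example)."""
import re
from typing import Dict, List

# Constructed sample modelled on the question's file, with mistakes planted on
# purpose: a hard-coded physical group name, nginx missing two closing braces,
# legacy TLS versions, an executable config file and a world-readable key.
SAMPLE_CONFIG = """\
Resources:
    sslSecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
            GroupName: {Ref : awseb-e-10randchar-stack-AWSEBSecurityGroup-NOW13RANDCHARS}
            IpProtocol: tcp
            ToPort: 443
            FromPort: 443
            CidrIp: 0.0.0.0/0

files:
    /etc/nginx/conf.d/ssl.conf:
        mode: "000755"
        content: |
            upstream nodejs {
                server 127.0.0.1:8443;
            }
            server {
                listen 443;
                ssl_certificate /etc/pki/tls/certs/server.crt;
                ssl_certificate_key /etc/pki/tls/certs/server.key;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                location / {
                    proxy_pass http://nodejs;
                # closing braces for location and server deliberately left out
    /etc/pki/tls/certs/server.key:
        mode: "000644"
        content: |
            -----BEGIN RSA PRIVATE KEY-----
            NOT-A-REAL-KEY-constructed-placeholder
            -----END RSA PRIVATE KEY-----
"""


def _indent(line: str) -> int:
    """Leading spaces; .ebextensions files are YAML, so indentation carries meaning."""
    return len(line) - len(line.lstrip(" "))


def file_entries(text: str) -> Dict[str, dict]:
    """Return {path: {"mode": str|None, "content": [lines]}} for each entry under files:."""
    lines, entries = text.splitlines(), {}
    i = 0
    while i < len(lines) and lines[i].rstrip() != "files:":
        i += 1
    i += 1
    while i < len(lines):
        if lines[i].strip() and _indent(lines[i]) == 0:
            break                                    # next top-level section
        m = re.match(r"^( +)(/\S+):\s*$", lines[i])
        if not m:
            i += 1
            continue
        path, base = m.group(2), len(m.group(1))
        entry = entries[path] = {"mode": None, "content": []}
        i += 1
        while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > base):
            mm = re.match(r'^\s*mode:\s*"?(\d+)"?', lines[i])
            if mm:
                entry["mode"] = mm.group(1)
            if re.match(r"^\s*content:\s*\|", lines[i]):
                ci = _indent(lines[i])
                i += 1
                while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > ci):
                    entry["content"].append(lines[i])  # literal block scalar body
                    i += 1
                continue
            i += 1
    return entries


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    for num, line in enumerate(text.splitlines(), 1):         # YAML rejects tabs
        if re.match(r"^ *\t", line):
            findings.append(f"line {num}: tab in indentation; YAML indentation must be spaces")
    for m in re.finditer(r"^\s*GroupName:\s*(.*)$", text, re.M):
        value = m.group(1).strip()                            # physical names change on rebuild
        if not re.fullmatch(r"\{\s*Ref\s*:\s*AWSEBSecurityGroup\s*\}", value):
            findings.append(f"GroupName is {value!r}; use {{Ref: AWSEBSecurityGroup}} (or, in a VPC, "
                            "GroupId with Fn::GetAtt on AWSEBSecurityGroup) so the rule follows the environment")
    for path, entry in file_entries(text).items():
        content, mode = "\n".join(entry["content"]), entry["mode"] or ""
        if path.endswith(".conf"):
            opened, closed = content.count("{"), content.count("}")
            if opened != closed:
                findings.append(f"{path}: unbalanced braces ({opened} '{{' vs {closed} '}}'); nginx will refuse to load it")
            if re.search(r"ssl_protocols[^;]*\bTLSv1(\.1)?(?![.\d])", content):
                findings.append(f"{path}: ssl_protocols enables TLSv1/TLSv1.1; limit it to TLSv1.2 TLSv1.3")
            if mode and mode[-3:] not in ("644", "640", "600", "400"):
                findings.append(f"{path}: mode {mode!r}; a config file needs no execute bit (use \"000644\")")
        if "PRIVATE KEY" in content or path.endswith(".key"):
            if mode[-3:] not in ("400", "600"):
                findings.append(f"{path}: private key mode {mode!r}; should be \"000400\" and owned by root")
            if "PRIVATE KEY" in content:
                findings.append(f"{path}: private key is inlined, so every copy of the source bundle carries it; "
                                "prefer fetching it from a private S3 bucket at deploy time")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against your own singlessl.config with lint(open(path).read()); each finding names the file and the line of the rule that tripped, and the mode and GroupName checks are the ones a review would most want on a file that is going to ship a private key inside an application bundle.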

【Answer 3】:

Here is a simple config file that automatically installs a free LetsEncrypt certificate on a single-instance Elastic Beanstalk server.

http://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/

It basically uses container commands to download certbot, obtain the certificate and configure nginx. The certificate's domain name comes from an environment variable, so it can be reused from one server to the next without much adjustment.

【Comments】:
