Apache 不在 443 (aws) 上为 Django 提供服务
Posted
技术标签:
【中文标题】Apache 不在 443 (aws) 上为 Django 提供服务【英文标题】:Apache not serving Django on 443 (aws) 【发布时间】:2019-10-03 06:45:36 【问题描述】:我有一个 django 应用程序,我正在尝试通过 HTTPS 提供服务并且正在苦苦挣扎。我不擅长 Apache 配置并试图将其拼凑在一起。希望有人能指出看似简单的疏忽。
我的证书已设置,当我在http://
访问我的网站时,它会重定向到https://
,并带有亚马逊颁发的有效证书。所以,这似乎是正确的。
我的问题
我只看到一个页面:
/的索引
编辑#1:
更多的实验表明,没有任何额外的.conf
文件,我在http
和https
上得到了预期的django。如果我只启用*.80
重定向,我总是会得到https
,但只是上面提到的没有django 的apache 索引页面。
这是我使用容器命令编写的配置:
/etc/httpd/conf.d/wsgi.conf(每次部署都会被 aws 重写)
LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /opt/python/run/baselinenv
WSGISocketPrefix run/wsgi
WSGIRestrictEmbedded On
<VirtualHost *:80>
Alias /static/ /opt/python/current/app/www/static/
<Directory /opt/python/current/app/www/static/>
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /opt/python/current/app/proof/proof/wsgi.py
<Directory /opt/python/current/app/>
Require all granted
</Directory>
WSGIDaemonProcess wsgi processes=3 threads=20 display-name=%GROUP \
python-home=/opt/python/run/venv/ \
python-path=/opt/python/current/app user=wsgi group=wsgi \
home=/opt/python/current/app
WSGIProcessGroup wsgi
</VirtualHost>
LogFormat "%h (%X-Forwarded-Fori) %l %u %t \"%r\" %>s %b \"%Refereri\" \"%User-Agenti\"" combined
/etc/httpd/conf.d/virtualhost_http.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %HTTP:X-Forwarded-Proto =http
RewriteRule .* https://%HTTP:Host%REQUEST_URI [L,R=permanent]
</VirtualHost>
/etc/httpd/conf.d/virtualhost_https.conf(可选。不管有没有这个文件,我都会得到相同的结果)
<VirtualHost *:443>
Alias /static/ /opt/python/current/app/www/static/
<Directory /opt/python/current/app/www/static/>
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /opt/python/current/app/proof/proof/wsgi.py process-group=wsgi
<Directory /opt/python/current/app/>
Require all granted
</Directory>
</VirtualHost>
编辑#2:
这是我掌握的关于 VHost 正在发生的事情的最佳证据
[ec2-user@ip-000-00-00-000 conf.d]$ ls -l
total 16
-rw-r--r-- 1 root root 1024 May 16 06:56 enable_mod_deflate.conf
-rw-r--r-- 1 root root 162 May 15 23:10 healthd.conf
-rw-r--r-- 1 root root 104 May 15 23:10 mod_reqtimeout.conf
-rw-r--r-- 1 root root 783 May 16 06:56 wsgi.conf
[ec2-user@ip-000-00-00-000 conf.d]$ apachectl -S
[Thu May 16 07:22:36.788065 2019] [so:warn] [pid 24579] AH01574: module wsgi_module is already loaded, skipping
VirtualHost configuration:
*:80 is a NameVirtualHost
default server ip-000-00-00-000.us-west-2.compute.internal (/etc/httpd/conf.d/virtualhost_http.conf:1)
port 80 namevhost ip-000-00-00-000.us-west-2.compute.internal (/etc/httpd/conf.d/virtualhost_http.conf:1)
port 80 namevhost ip-000-00-00-000.us-west-2.compute.internal (/etc/httpd/conf.d/wsgi.conf:7)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex default: dir="/var/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
PidFile: "/var/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48 not_used
Group: name="apache" id=48 not_used
这是证书正常工作但未连接到 Django 的证据
(v-env) My-MacBook-Pro$ curl -v https://www.proofapp.io
* Rebuilt URL to: https://www.proofapp.io/
* Trying 50.112.160.41...
* TCP_NODELAY set
* Connected to www.proofapp.io (50.112.160.41) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=www.proofapp.io
* start date: May 15 00:00:00 2019 GMT
* expire date: Jun 15 12:00:00 2020 GMT
* subjectAltName: host "www.proofapp.io" matched cert's "www.proofapp.io"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.proofapp.io
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html;charset=ISO-8859-1
< Date: Thu, 16 May 2019 07:28:17 GMT
< Server: Apache/2.4.39 (Amazon) mod_wsgi/3.5 Python/3.6.8
< Vary: Accept-Encoding,User-Agent
< Content-Length: 161
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<ul></ul>
</body></html>
* Connection #0 to host www.proofapp.io left intact
【问题讨论】:
“每次部署都被 aws 重写”是什么意思,什么部署? 当您运行eb deploy
并且 Elastic Beanstalk 复制您的应用程序包并部署它时,此默认 wsgi.py 将被复制到目录中。我不认为它可以改变?
哦,不好意思,弹力豆茎帮不了我,等更懂的人吧
是的,它忽略了 wsgi.conf。原因是您有两个虚拟主机,并且只应用了第一个(最上面的)一个。如果它们在不同的文件中,则来自(按字母顺序)第一个文件。但是你真的不需要 wsgi.conf :80,因为你不想通过普通的 http 服务 django
让我们continue this discussion in chat。
【参考方案1】:
Scott,不确定你是否已经解决了这个问题,但如果你还没有解决这个问题,我会分享更多的观点和策略——或者为了未来的读者。
解决此问题的一种便捷方法是使用负载均衡器来终止 SSL。这意味着无需在应用程序级别进行复杂的配置,还可以通过将 HTTPS 加密/解密过程卸载到其他 AWS 资源来提高性能(并可能节省成本)。
您可以在下面的链接中阅读有关这些策略和实施的更多信息。如果您还有其他问题,我很乐意提供有关具体步骤的更多详细信息。
AWS Load Balancer Best Practices
AWS SSL Termination Docs
【讨论】:
以上是关于Apache 不在 443 (aws) 上为 Django 提供服务的主要内容,如果未能解决你的问题,请参考以下文章
aws 弹性负载均衡器可以将端口 443 转发到端口 443 以获取弹性 beantalk 实例吗?