SSL on single-instance Elastic Beanstalk, Amazon Linux 2023, Apache, PHP 8

Question (votes: 0, answers: 1)

I have a few single-instance environments in AWS Elastic Beanstalk. They all have an SSL certificate installed through an ebextension rather than using a load balancer.

They are all PHP, running PHP 7 on Amazon Linux 1.

They are more or less configured according to the AWS guide: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-php.html

I am trying to migrate to instances running Amazon Linux 2023 and PHP 8.2.

I should note that I am using Apache, not nginx.

So far, I have changed

mod24_ssl : []
to
mod_ssl : []
and am able to load the environment. Regular HTTP works fine; HTTPS gets "can't connect to the server" or "connection refused", depending on the client.

My ebextensions file is as follows:

packages:
  yum:
    mod_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On
        SSLSessionTickets     Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early

      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      ~~~~~~~
      -----END CERTIFICATE-----

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-2-xxx"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.us-east-2.amazonaws.com/elasticbeanstalk-us-east-2-xxx/xxx.pem

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

I have reissued the certificate and rebuilt the environment several times. I have spent hours searching online for an answer with no luck. I have not seen any guide for setting this up on Amazon Linux 2023.

php amazon-web-services apache ssl amazon-elastic-beanstalk
1 Answer
0 votes

From here: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.migration-al.generic.from-al1.html

On AL2023/AL2 platforms, you can use configuration files as before, and all sections work the same way. However, specific settings might work differently than they did on the previous Amazon Linux AMI platforms. For example:

  • Some packages installed with configuration files might not be available on AL2023/AL2, or their names might have changed.
  • Some platform-specific configuration options moved from their platform-specific namespaces to different, platform-agnostic namespaces.
  • Proxy configuration files provided in the .ebextensions/nginx directory should be moved to the .platform/nginx platform hooks directory. For details, expand the Reverse proxy configuration section in Extending Elastic Beanstalk Linux platforms.

Further discussion: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html

Solution:

Move the contents of the ssl.conf file that the ebextension was creating to

.platform/httpd/conf.d/ssl.conf

The configuration is now:

.ebextensions/https-instance.config

packages:
  yum:
    mod_ssl : []

files:
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      ~~~~~~
      -----END CERTIFICATE-----

.ebextensions/https-instance-single.config

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

.ebextensions/privatekey.config

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-2-025310008910"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.us-east-2.amazonaws.com/elasticbeanstalk-us-east-2-xxxxx/xxx.pem

.platform/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  SSLEngine             on
  SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
  SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
  SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol           All -SSLv2 -SSLv3
  SSLHonorCipherOrder   On
  SSLSessionTickets     Off

  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  Header always set X-Frame-Options DENY
  Header always set X-Content-Type-Options nosniff

  ProxyPass / http://localhost:80/ retry=0
  ProxyPassReverse / http://localhost:80/
  ProxyPreserveHost on
  RequestHeader set X-Forwarded-Proto "https" early

</VirtualHost>

Once everything is working, you should also review and harden the security settings. More information: https://docs.aws.amazon.com/linux/al2023/ug/SSL-on-amazon-linux-2023.html
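As an added check that is not part of the question or the answer above: a small Python audit of the 443 vhost that ends up in .platform/httpd/conf.d/ssl.conf. It applies Apache's SSLProtocol token semantics to show that "All -SSLv2 -SSLv3" does not by itself exclude TLSv1 and TLSv1.1 (whether they are actually negotiable then depends on the host's OpenSSL crypto policy, so pinning the vhost to "-all +TLSv1.2 +TLSv1.3" makes the intent explicit), and it confirms the HSTS header and SSLSessionTickets Off are present. The inline config is constructed from the answer's file; the directive names are real Apache directives, the finding wording is mine.

```python
import shlex

# Constructed sample: the TLS-relevant lines of the answer's ssl.conf, inlined.
PAGE_CONF = """\
<VirtualHost *:443>
  SSLEngine             on
  SSLProtocol           All -SSLv2 -SSLv3
  SSLSessionTickets     Off
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  RequestHeader set X-Forwarded-Proto "https" early
</VirtualHost>
"""
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY = ALL_PROTOCOLS - {"tlsv1.2", "tlsv1.3"}

def parse_directives(conf):
    """Return [(directive, args)] for every non-comment, non-tag line of the config."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)   # handles the quoted HSTS value
            out.append((name.lower(), args))
    return out

def allowed_protocols(tokens):
    """Apache SSLProtocol semantics: a bare or '+' token enables, '-' disables, 'all' is every version."""
    enabled = set()
    for tok in tokens:
        op, name = (tok[0], tok[1:].lower()) if tok[0] in "+-" else ("+", tok.lower())
        names = ALL_PROTOCOLS if name == "all" else {name}
        enabled = enabled - names if op == "-" else enabled | names
    return enabled

def audit_ssl_conf(conf):
    """List hardening findings for the 443 vhost; an empty list means nothing was flagged."""
    directives = parse_directives(conf)
    findings = []
    for name, args in directives:
        if name == "sslprotocol" and (legacy := allowed_protocols(args) & LEGACY):
            findings.append(f"SSLProtocol does not exclude {', '.join(sorted(legacy))}; "
                            "pin it with '-all +TLSv1.2 +TLSv1.3'")
    if not any(n == "header" and "strict-transport-security" in [a.lower() for a in args]
               for n, args in directives):
        findings.append("no Strict-Transport-Security header is set")
    if not any(n == "sslsessiontickets" and [a.lower() for a in args] == ["off"]
               for n, args in directives):
        findings.append("SSLSessionTickets Off is missing (httpd keeps one ticket key until restart)")
    return findings
```

Calling audit_ssl_conf(PAGE_CONF) on the answer's config yields exactly one finding, the SSLProtocol one; replacing that line with "-all +TLSv1.2 +TLSv1.3" yields none.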
