无法从自定义域HTTPS访问Elastic Beanstalk(单个实例)

问题描述 投票:0回答:1

问候SO社区,

我正在尝试将单实例Elastic Beanstalk应用程序配置为使用自定义域和HTTPS。自定义域证书和SSL证书均从第三方获得,并使用其DNS服务器(而不是Route 53)。

我已添加每个AWS文档的.ebextensions/https-instance-securitygroup.confighttps://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html)以及Node应用程序的文件(https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html)。最后一步的唯一区别是,在将代码推送到GitHub并使用CodePipeline构建代码时,我没有创建.ebextensions/https-instance.config文件。因此,https.conf和证书是手动创建的,并上传到EC2实例。

此外,我已经检查了实例的入站规则,以确保在EB实例以及关联的安全组上打开了80和443。

Elastic Beanstalk EC2 Instance Inbound Rules

proxy.conf

upstream nodejs {
  server 127.0.0.1:5000;
  keepalive 256;
}

server {
  listen 8080;

  if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
      set $year $1;
      set $month $2;
      set $day $3;
      set $hour $4;
  }
  access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
  access_log  /var/log/nginx/access.log  main;

  location / {
      proxy_pass  http://nodejs;
      proxy_set_header   Connection "";
      proxy_http_version 1.1;
      proxy_set_header        Host            $host;
      proxy_set_header        X-Real-IP       $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  gzip on;
  gzip_comp_level 4;
  gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  location /static {
      alias /var/app/current/client/build/static;
  }

}

https.conf

# HTTPS server

server {
  listen       443      ssl;
  server_name  localhost;

  ssl_certificate      /etc/pki/tls/certs/server.crt;
  ssl_certificate_key  /etc/pki/tls/certs/server.key;

  ssl_session_timeout  5m;

  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers   on;

  # For enhanced health reporting support, uncomment this block:

  #if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
  #    set $year $1;
  #    set $month $2;
  #    set $day $3;
  #    set $hour $4;
  #}
  #access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
  #access_log  /var/log/nginx/access.log  main;

  location / {
          proxy_pass  http://nodejs;
          proxy_set_header   Connection "";
          proxy_http_version 1.1;
          proxy_set_header        Host            $host;
          proxy_set_header        X-Real-IP       $remote_addr;
          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header        X-Forwarded-Proto https;
  }
}
node.js amazon-web-services ssl nginx amazon-elastic-beanstalk
1个回答
0
投票

因此,在重新阅读了第100次AWS文档之后,我终于能够解决我的问题。并且因为我没有严格使用首选的.ebextensions文件夹方法,所以我不得不在Elastic Beanstalk创建的EC2实例上直接摆弄Nginx代理。

简而言之,我在/etc/nginx/conf.d/proxy.conf文件中缺少以下部分:

location / {
   ### START MISSING ###
   set $redirect 0;
   if ($http_x_forwarded_proto != "https") {
     set $redirect 1;
   }
   if ($http_user_agent ~* "ELB-HealthChecker") {
     set $redirect 0;
   }
   if ($redirect = 1) {
     return 301 https://$host$request_uri;
   }
   ### END OF MISSING ###

   proxy_pass  http://nodejs;
   proxy_set_header   Connection "";
   proxy_http_version 1.1;
   proxy_set_header        Host            $host;
   proxy_set_header        X-Real-IP       $remote_addr;
   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
}

此文档在此处:https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html

特别是,这是来自NodeJS的代码段,默认为Nginx代理配置文件:https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/security-configuration/https-redirect/nodejs/https-redirect-nodejs.config

© www.soinside.com 2019 - 2024. All rights reserved.