问候SO社区,
我正在尝试将单实例Elastic Beanstalk应用程序配置为使用自定义域和HTTPS。自定义域证书和SSL证书均从第三方获得,并使用其DNS服务器(而不是Route 53)。
我已添加每个AWS文档的.ebextensions/https-instance-securitygroup.config
(https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html)以及Node应用程序的文件(https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html)。最后一步的唯一区别是,在将代码推送到GitHub并使用CodePipeline构建代码时,我没有创建.ebextensions/https-instance.config
文件。因此,https.conf
和证书是手动创建的,并上传到EC2实例。
此外,我已经检查了实例的入站规则,以确保在EB实例以及关联的安全组上打开了80和443。
proxy.conf
upstream nodejs {
server 127.0.0.1:5000;
keepalive 256;
}
server {
listen 8080;
if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
set $year $1;
set $month $2;
set $day $3;
set $hour $4;
}
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
access_log /var/log/nginx/access.log main;
location / {
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
gzip on;
gzip_comp_level 4;
gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location /static {
alias /var/app/current/client/build/static;
}
}
https.conf
# HTTPS server
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# For enhanced health reporting support, uncomment this block:
#if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
# set $year $1;
# set $month $2;
# set $day $3;
# set $hour $4;
#}
#access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
#access_log /var/log/nginx/access.log main;
location / {
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
因此,在重新阅读了第100次AWS文档之后,我终于能够解决我的问题。并且因为我没有严格使用首选的.ebextensions
文件夹方法,所以我不得不在Elastic Beanstalk创建的EC2实例上直接摆弄Nginx代理。
简而言之,我在/etc/nginx/conf.d/proxy.conf
文件中缺少以下部分:
location / {
### START MISSING ###
set $redirect 0;
if ($http_x_forwarded_proto != "https") {
set $redirect 1;
}
if ($http_user_agent ~* "ELB-HealthChecker") {
set $redirect 0;
}
if ($redirect = 1) {
return 301 https://$host$request_uri;
}
### END OF MISSING ###
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
此文档在此处:https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html
特别是,这是来自NodeJS的代码段,默认为Nginx代理配置文件:https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/security-configuration/https-redirect/nodejs/https-redirect-nodejs.config