Enabling HTTPS on EC2 instances in AWS Elastic Beanstalk


I am deploying Express.js in a Docker container via Elastic Beanstalk. My application checks req.secure on every request to make sure it is using HTTPS. If it is not HTTPS, it does not allow access to the application. I have followed all the instructions in the AWS documentation to configure my load balancer to accept HTTPS and to communicate with my EC2 instances over HTTPS.

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-docker.html

I managed to get HTTPS working on the load balancer, but it does not seem to be using HTTPS to talk to my Docker container. Does anyone have any ideas?

The listeners in my load balancer are:

option_settings:
  aws:elb:listener:443:
    InstancePort: 443
    InstanceProtocol: HTTPS
  aws:elasticbeanstalk:application:
    Application Healthcheck URL: HTTPS:443/

option_settings:
  aws:elb:listener:443:
    SSLCertificateId: arn:aws:iam::######:server-certificate/cert_name
    ListenerProtocol: HTTPS

Edit:

I don't know if this helps, but this is how I set up my EC2 instance:

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-1-#########"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"

files:
  /etc/nginx/conf.d/https.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS Server: nginx on the EC2 host terminates TLS coming from the ELB
      # and proxies plain HTTP to the Docker container (the "docker" upstream
      # is defined by the Elastic Beanstalk Docker platform).

      server {
        # "listen 443 ssl;" replaces the deprecated "ssl on;" directive.
        listen 443 ssl;
        server_name localhost;

        ssl_certificate /etc/pki/tls/certs/server.crt;
        ssl_certificate_key /etc/pki/tls/certs/server.key;

        ssl_session_timeout 5m;

        # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless the
        # ELB's backend handshake still needs the older versions.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;

        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;

          proxy_set_header Connection "";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # The container only ever sees plain HTTP from this proxy, so the
          # original scheme has to be forwarded; Express reads this header for
          # req.secure once "trust proxy" is enabled.
          proxy_set_header X-Forwarded-Proto $scheme;
        }
      }

  # Certificate and private key must not be swapped: server.crt receives the
  # certificate, server.key the private key. Both are fetched from the private
  # S3 bucket with the S3Auth role declared under Resources.
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/<url_to_cert>

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/<url_to_private_key>
