我正在通过 Elastic Beanstalk 在 Docker 容器中部署 Expressjs。我的应用程序检查req.secure
每个请求以确保它使用的是 HTTPS。如果不是 HTTPS,它将不允许访问该应用程序。我已按照 AWS 文档中的所有说明配置我的负载均衡器以接受 HTTPS,并使其通过 HTTPS 与我的 EC2 实例进行通信。
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-docker.html
我设法让 HTTPS 在负载均衡器上运行,但它似乎没有使用 HTTPS 与我的 Docker 容器通信。有人有什么想法吗?
我的负载均衡器中的监听器是:
option_settings:
aws:elb:listener:443:
InstancePort: 443
InstanceProtocol: HTTPS
aws:elasticbeanstalk:application:
Application Healthcheck URL: HTTPS:443/
和
option_settings:
aws:elb:listener:443:
SSLCertificateId: arn:aws:iam::######:server-certificate/cert_name
ListenerProtocol: HTTPS
编辑:
我不知道这是否有帮助,但这是我设置 EC2 实例的方式:
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Auth:
type: "s3"
buckets: ["elasticbeanstalk-us-east-1-#########"]
roleName:
"Fn::GetOptionSetting":
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "IamInstanceProfile"
DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
/etc/nginx/conf.d/https.conf:
mode: "000644"
owner: root
group: root
content: |
# HTTPS Server
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://docker;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
authentication: "S3Auth"
source: https://s3.amazonaws.com/<url_to_private_key>
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
authentication: "S3Auth"
source: https://s3.amazonaws.coom/<url_to_cert>