使用来自ACM的证书强制在elasticbeanstalk中使用https

时间:2016-05-25 04:41:20

标签: ruby-on-rails amazon-web-services nginx ssl-certificate elastic-beanstalk

我已经配置了可扩展的EB(Elasticbeanstalk)rails(puma)实例。我已通过ACM(亚马逊证书管理器)申请https并将其应用于我的负载均衡器。现在为我的网站启用了HTTPS。但是如何强制重定向到https?我已经尝试了一些在线解决方案,建议通过.ebextensions手动进行nginx配置设置,我不知道从哪里获得ACM证书?(我假设现在ACM不可能做到这一点? )。如何强制HTTPS?

2 个答案:

答案 0 :(得分:5)

当前的AWS EB Rails和Node.js设置都使用nginx(如果您的Web服务器是apache,请参阅this answer),因此以下内容应该有效(改编自this question):

使用以下内容创建文件.ebextensions/01-force-https.config.config非常重要,而不是.conf)。

如果您的环境是单个实例:

files:
  "/etc/nginx/conf.d/01-force-https.conf":
    owner: root
    group: root
    mode: "000644"
    content: |
      server {
          listen 8080;
          return 301 https://$host$request_uri;
      }

如果你的环境是负载平衡的,你遗憾的是不能简单地添加到现有的配置,但需要用sed修改它:

files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash

      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          sed -i '/listen 80;/a \    if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

然后将其添加到您的git repo或应用包和eb deploy。这会创建/etc/nginx/conf.d/01-force-https.conf/etc/nginx/nginx.conf会自动包含该eb deploy。请注意,如果您稍后从.ebextensions删除相应的文件,eb ssh将无法删除服务器上的文件。此外,我发现以下内容有助于通过sudo service nginx configtest sudo service nginx restart 进行调试:

Scheduler[] schedulers = new Schedulers[10];
for (int i = 0; i < 10; i++) {
  schedulers[i] = Schedulers.newSingle();
}

public Flux<T> wrapIntoSingleThread(Scheduler scheduler) {
  return this.flux.publishOn(scheduler);
}

答案 1 :(得分:0)

AWS 在此处提供了有关 HTTP 到 HTTPS 重定向的帮助文章: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html

它涵盖了 2 种主要方法,并提供了指向相关脚本的链接,您可以使用这些脚本为您完成所有工作(他们在更新 Elastic Beanstalk 平台时维护这些脚本)。