应用错误收集

如何为安全的websockets配置Elastic Beanstalk nginx代理？

时间：2016-12-17 23:34:25

标签： ruby-on-rails websocket elastic-beanstalk

我正在使用Elastic Beanstalk来部署我的Ruby on Rails（databaseURL）应用程序，试图通过不安全（5.0.1）和安全（{{1}来支持websockets（ActionCable）连接。如果做不到这一点，我会对安全性感到满意，但我只能在工作中变得不安全。我一直关注this tutorial;我的ws://文件与他们的文件完全匹配，我的负载均衡器设置（wss://，.ebextensions/proxy.config等）也是如此。

我可以成功使用不安全的websockets。我也可以通过TCP和SSL成功连接，因此证书很好。仅不起作用的是安全的websockets（http）：

https 正常工作
wss:// 正常工作
http://api.skill.guide 正常工作
https://api.skill.guide 不起作用

通过this online websocket tester进行测试，我在控制台中看到ws://api.skill.guide/cable。以下是服务器日志，首先显示成功的不安全升级，然后是失败的安全升级。请注意安全参数中丢失的wss://api.skill.guide/cable，这让我相信我的反向代理配置有问题。

Error during WebSocket handshake: Unexpected response code: 404

为了完整起见，这是我的设置。

负载均衡器：

`HTTP_UPGRADE`

[2016-12-17T23:16:41.230931 #9482]  INFO -- : [5d63e807-6df7-4044-af9c-656b25db9065] Started GET "/cable/?encoding=text" for 172.31.26.218 at 2016-12-17 23:16:41 +0000
I, [2016-12-17T23:16:41.252495 #9482]  INFO -- : [5d63e807-6df7-4044-af9c-656b25db9065] Started GET "/cable/?encoding=text" [WebSocket] for 172.31.26.218 at 2016-12-17 23:16:41 +0000
I, [2016-12-17T23:16:41.252578 #9482]  INFO -- : [5d63e807-6df7-4044-af9c-656b25db9065] Successfully upgraded to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: Upgrade, HTTP_UPGRADE: websocket)
I, [2016-12-17T23:16:44.643256 #9482]  INFO -- : Finished "/cable/?encoding=text" [WebSocket] for 172.31.26.218 at 2016-12-17 23:16:44 +0000
I, [2016-12-17T23:16:47.786466 #9498]  INFO -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Started GET "/cable/?encoding=text" for 73.222.141.98 at 2016-12-17 23:16:47 +0000
I, [2016-12-17T23:16:47.804715 #9498]  INFO -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Started GET "/cable/?encoding=text"[non-WebSocket] for 73.222.141.98 at 2016-12-17 23:16:47 +0000
E, [2016-12-17T23:16:47.804789 #9498] ERROR -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: keep-alive, HTTP_UPGRADE: )
I, [2016-12-17T23:16:47.804832 #9498]  INFO -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Finished "/cable/?encoding=text"[non-WebSocket] for 73.222.141.98 at 2016-12-17 23:16:47 +0000

`.elasticbeanstalk/proxy.config`

files:
  /etc/nginx/conf.d/proxy.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      upstream rails {
        server 127.0.0.1:3000;
        keepalive 256;
      }

      server {
        listen 8080;

        if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
            set $year $1;
            set $month $2;
            set $day $3;
            set $hour $4;
        }
        access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
        access_log  /var/log/nginx/access.log  main;

        location / {
            proxy_pass  http://rails;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_http_version 1.1;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        gzip on;
        gzip_comp_level 4;
        gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        location /static {
            alias /var/app/current/static;
        }

      }

container_commands:
 removeconfig:
    command: "rm -f /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf"

0 个答案:

没有答案