我试图在我的TOMCAT弹性beanstalk EC2实例中安装SSL证书。我还希望我的应用程序在端口443上侦听HTTPS请求。作为起点,我将解决方案基于this link。
经过一段时间的尝试后,我无法安装我的证书或让端口443听取HTTPS请求。
这是我遵循的步骤:
1)我在src ROOT上用.ebextensions文件夹构建一个WAR,如下所示
ROOT.war
|
WEB-INF
META-INF
.ebextensions
|
https-instance-single.config
https-instance.config
2) https-instance.config 文件内容
packages:
yum:
mod_ssl : []
container_commands:
1killhttpd:
command: "killall httpd"
ignoreErrors: true
2wait:
command: "sleep 3"
files:
# Apache HTTPS configuration
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
</VirtualHost>
# Public certificate
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
/etc/pki/tls/certs/gd_bundle.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
3) https-instance-single.config 文件内容
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
4)然后我使用弹性beanstalk控制台部署了我的WAR(在此过程中没有抛出任何错误消息,至少在控制台上)。
按照指定部署了我的战争后,我的Web应用程序运行正常,但没有SSL配置,并且HTTPS请求未被重定向到端口443.更糟糕的是,应用程序甚至没有收听HTTPS请求。
任何人都有光明?我不想使用ELB(弹性负载均衡器),因为我正在迁移一堆小应用程序,这会给我带来相当大的成本增加(每个应用程序大约20美元)。
答案 0 :(得分:3)
以下是我为解决问题而采取的所有步骤:
1)我从https-instance.config中删除了/etc/httpd/conf.d/ssl.conf文件声明块
2)我在.ebextensions / httpd / conf.d / ssl.conf中添加了文件本身。文件内容:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com]
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
</VirtualHost>
重要提示:不要忘记添加一行服务器名称
3)此步骤是可选的,只需执行此操作如果要将所有http请求从端口80重定向到443,则必须添加具有端口80侦听器配置的配置文件。我把它命名为elasticbeanstalk.conf
<VirtualHost *:80>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com]
Redirect permanent / https://[YOUR APP ENDPOINT HERE i.e www.mydomain.com]/
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
</VirtualHost>
Finnaly,那就是我的战争如何组织其目录:
ROOT.war
|
WEB-INF
META-INF
.ebextensions
|
https-instance-single.config
https-instance.config
|
httpd
|
conf.d
|
elasticbeanstalk.conf
ssl.conf
答案 1 :(得分:1)
我遇到了同样的问题。我在Elastic Beanstalk的Java Tomcat Platform文档中找到了答案。您需要在.ebextensions / httpd / conf.d / ssl.conf中自行创建文件,而不是通过http-instance.config文件中的配置创建ssl.conf文件。