Question

我有一个在puma＆amp; amp; nginx使用AWS弹性beanstalk负载均衡器。我配置了AWS证书，它在http和https上都能正常工作。

但是，如果我在config.force_ssl = true上启用config/environments/production.rb，我就会遇到以下错误：

在http：连接已重置

在https上：安全连接失败。在页面加载时重置了与服务器的连接。

这是我的nginx配置文件的内容，我从awslabs / elastic-beanstalk-samples here获得：

.ebextensions/nginx.config

files:
   "/opt/elasticbeanstalk/support/conf/webapp_healthd.conf":
     owner: root
     group: root
     mode: "000644"
     content: |
       upstream my_app {
         server unix:///var/run/puma/my_app.sock;
       }

       server {
         listen 80;
         server_name _ localhost; # need to listen to localhost for worker tier

         location / {
           set $redirect 0;
           if ($http_x_forwarded_proto != "https") {
             set $redirect 1;
           }
           if ($http_user_agent ~* "ELB-HealthChecker") {
             set $redirect 0;
           }
           if ($redirect = 1) {
             return 301 https://$host$request_uri;
           }
           proxy_pass http://my_app; # match the name of upstream directive which is defined above
           proxy_set_header Host $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }

         location /assets {
           alias /var/app/current/public/assets;
           gzip_static on;
           gzip on;
           expires max;
           add_header Cache-Control public;
         }

         location /public {
           alias /var/app/current/public;
           gzip_static on;
           gzip on;
           expires max;
           add_header Cache-Control public;
         }
       }

container_commands:
  99_restart_nginx:
    command: "service nginx restart || service nginx start"

Answer 1

我在一个与同一问题相关但使用Node.js

的问题的其他地方找到了答案

只需将其添加到.ebextensions文件夹中的文件中，我称之为enforce-ssl.config

files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash

      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          sed -i '/listen 80;/a \    if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          service nginx restart
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

原始答案：https://stackoverflow.com/a/34619855/2454036

更新：我发现原始答案不会一直有效，因为在文件更新之前可能会触发nginx重启，所以我将添加的service nginx restart放到了脚本

Answer 2

HTTP -> HTTPS 重定向是一种非常常见的做法，AWS 在此处记录了如何实现它： https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html

您拥有的解决方案与下面列出的他们自己提供的配置非常相似，涵盖了一系列不同的环境平台： https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect

使用AWS弹性beanstalk负载均衡器在Rails上实施https连接

2 个答案: