AWS负载平衡器+ Nginx + Gunicorn-如何使用SSL

时间:2018-11-07 09:38:33

标签: amazon-web-services nginx

我正在尝试使用docker-machine用堆栈nginx + gunicorn + django创建ec2实例。我有一个面向互联网的应用程序负载均衡器,其中有两个目标组(绿色/蓝色),以防止新部署中出现任何停机(新部署部署到未使用的组中,并且在所有内容检出时更改负载均衡器组)

一切都可以在端口80上完美运行,但是当我尝试使用该域的Amazon Issued Cert为端口443添加侦听器时,我无法使其正常工作。我还需要从Nginx内部获取证书吗?我需要Nginx监听端口443吗?目标?

Loadbalancer:

+------------+-----------------------------+----------------+
| Listener ID|            Rules.           | SSL Certificate|
+------------+-----------------------------+----------------+
| HTTP: 80   | Default: forwarding to blue.| N/A.           |
+------------+-----------------------------+----------------+
| HTTPS: 443 | Default: forwarding to blue.|Default: (ACM). |
+------------+-----------------------------+----------------+

目标:

+------------+--------------+--------------+--------------+---------------+
|    Name    |     Port     |   Protocol   |  Target type | Load Balancer |
+------------+--------------+--------------+--------------+---------------+
| Blue       | 80           | HTTP         | instance     | loadbalancer  |
+------------+--------------+--------------+--------------+---------------+
| Green      | 80           | HTTP         | instance     |               |
+------------+--------------+--------------+--------------+---------------+

我的Nginx conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
}

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile        on;
  #tcp_nopush     on;

  keepalive_timeout  65;

  upstream app {
    server django:5000;
  }

  server {
    listen 80;
    charset utf-8;

    location = /favicon.ico {
        return 204;
        access_log     off;
        log_not_found  off;
    }

    location / {
        try_files $uri @proxy_to_app;
    }

    # django app
     location @proxy_to_app {
        proxy_redirect     off;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_pass http://app;
    }
  }
}

1 个答案:

答案 0 :(得分:1)

如果其他任何人遇到此问题,请写我自己的答案。

用于创建Ec2实例的安全组需要打开传入端口443。如果您的docker-compose文件未公开端口443,它将不会自动将端口添加为在安全组上打开的端口。您可以在ac控制台中的“网络和安全性”下手动打开Ec2的端口。

相关问题
最新问题