我有一个指向ALB的Cname。当我直接点击ALB DNS时,我得到了一个连接,但是它抱怨SSL证书,如下所示-
curl https://tek-q-appli.eu-west-1.elb.amazonaws.com/hello
curl: (51) SSL: no alternative certificate subject name matches target host name 'tek-q-appli.eu-west-1.elb.amazonaws.com'
因此,如果忽略此SSL错误,那么一切都很好-
curl -k https://tek-q-appli.eu-west-1.elb.amazonaws.com/hello
<!DOCTYPE html>
<html>
<body>
<h1>World</h1>
</body>
</html>
当我点击指向ALB的Cname时,将生成拒绝连接。我已经在ALB和托管运行Apache的Docker的EC2上检查了ACL和SG,如下所示-
curl https://example.com/hello
curl: (7) Failed to connect to example.com port 443: Connection refused
任何提示或指示,将不胜感激。
答案 0 :(得分:1)
第一个错误是正常现象,而且是预期的-平衡器不为其AWS分配的主机名提供SSL证书。
第二个提示您的DNS错误或所做的更新尚不全局可见。 Curl应该向您显示它用于example.com的IP地址,并且每次连接时都应该与平衡器的地址之一匹配。
使用dig查找平衡器分配的主机名的IP,以及为您的自定义域返回的IP。除非/直到它们匹配,否则就指向DNS问题。
答案 1 :(得分:0)
Thank you for the heads up Michael.
I think the issue had to do with the httpd-vhosts.conf, as I followed this article
On end to end encryption behind an AWS ALB and the key points which got it going for me were -
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
</IfModule>
And
<IfModule mod_headers.c>
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
</IfModule>
And plus - I had a local DNS entry for testing in the /etc/hosts file. In order to test the live domain using Curl, I needed to also remove the local hosts file.
All is good!