使用Node.js和Nginx

时间:2019-04-19 02:32:48

标签: amazon-web-services ssl amazon-elastic-beanstalk

我希望有人能帮到我,因为我确实碰壁了。我正在尝试将SSL证书添加到运行Node.js和nginx的Elastic Beanstalk上的单个实例。我已按照有关打开端口443的说明here进行操作。这是添加到.ebextensions文件中的代码。它是从AWS文档中100%复制和粘贴的:

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

然后,我复制/粘贴this,仅修改以红色突出显示的证书部分,并保留私钥用于单独的文件。这是我在.ebextensions中添加到第二个配置文件的链接中的代码:

files:
  /etc/nginx/conf.d/https.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server

      server {
          listen       443;
          server_name  localhost;

          ssl                  on;
          ssl_certificate      /etc/pki/tls/certs/server.crt;
          ssl_certificate_key  /etc/pki/tls/certs/server.key;

          ssl_session_timeout  5m;

          ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
          ssl_prefer_server_ciphers   on;

          # For enhanced health reporting support, uncomment this block:

          #if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
          #    set $year $1;
          #    set $month $2;
          #    set $day $3;
          #    set $hour $4;
          #}
          #access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
          #access_log  /var/log/nginx/access.log  main;

          location / {
              proxy_pass  http://nodejs;
              proxy_set_header   Connection "";
              proxy_http_version 1.1;
              proxy_set_header        Host            $host;
              proxy_set_header        X-Real-IP       $remote_addr;
              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header        X-Forwarded-Proto https;
          }
      }
  /etc/pki/tls/certs/server.crt:
    mode: '000400'
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE----- 
      CERT IS HERE...
      -----END CERTIFICATE-----

最后,按照我发现的here的说明,我将此代码添加到了一个单独的ebextensions文件中:

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-west-2-12345678987654321"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-12345678987654321/not-real-name.key

一切都已部署,我在CloudWatch中没有看到任何错误,但实例基本上已死。我在EB仪表板上收到一条消息,内容为:“环境运行状况已从“待处理”过渡到“降级”。初始化在23秒前完成,耗时5分钟。所有实例上的服务均受损。”

这就是我要做的所有事情。证书和密钥均已成功添加。该站点在端口80或443上不可用。哦,我也尝试过重新启动和重建,但是没有更改。

在此方面的任何帮助将不胜感激。我感觉好像错过了一步,但是我没有在文档中看到任何内容-也许我以某种方式错过了它?我的直觉告诉我它在第二段代码中,但是除了添加证书之外,我没有进行任何修改。

此外,我知道使用负载平衡器可以轻松得多。我已经知道如何做到这一点,并且正在做这项工作以避免为负载平衡器收费。另外,我已经看过许多教程,使用Let's Encrypt在Elastic Beanstalk上添加SSL,但都没有成功。他们基本上以服务器降级,日志中没有线索或权限错误结束。

0 个答案:

没有答案
相关问题
最新问题