带有Load Balancer的AWS Elastic Beanstalk如何使用自签名证书对客户端进行身份验证

时间:2019-12-02 19:23:34

标签: node.js amazon-web-services ssl amazon-ec2

我正在尝试使用负载均衡器在AWS Elastic Beanstalk中进行客户端服务器设置,客户端使用证书身份验证。我创建了自己的证书颁发机构的自签名证书。我自己的CA是我创建的服务器密钥,服务器证书,客户端密钥和客户端证书的根。该服务器是一个nodejs应用程序,它在自定义端口4433上侦听HTTPS协议。整个设置在单个实例的Elastic Beanstalk中运行,其中EC2终止HTTPS,安全组将nodejs端口4433打开。 / p>

问题是我想让EB与负载均衡器一起工作。我配置了一个应用程序负载平衡器,添加了一个HTTPS侦听器来侦听端口443,并使用了导入到ACM的自签名服务器证书。我遵循AWS文档并创建了一个文件https-lb-passthrough.config,将其放在nodejs应用程序下的.ebextensions文件夹中,并部署到Elastic Beanstalk中。这是内容:

option_settings:   aws:elb:listener:443:     侦听器协议:TCP     实例端口:4433     InstanceProtocol:TCP

当我尝试从发出HTTPS GET请求的C#客户端发出请求时,出现502 Bad Gateway错误。这是负载均衡器日志: http 2019-12-02T16:46:05.480445Z app / awseb-AWSEB-1GSGKA6I5BBLS / c401b470346aaa57 223.25.98.106:41582 172.30.10.106:80 0.001 0.001 0.000 502 502152182716“ GET http://23.23.41.94:80/ HTTP / 1.1”“ Mozilla /5.0(Windows NT 6.1; WOW64)AppleWebKit / 537.36(KHTML,例如Gecko)Chrome / 51.0.2704.103 Safari / 537.36“--arn:aws:elasticloadbalancing:us-east-1:224205300280:targetgroup / awseb-AWSEB-19IDNTK0JS0Q7 / dadcc745cce88970“ Root = 1-5de53fcd-d198a9a8b4279570aae691a4”“-”“-” 0 2019-12-02T16:46:05.479000Z“转发”“-”“-”“ 172.30.10.106:80”“ 502”

从curl尝试时,出现400错误请求错误。这是负载均衡器日志: https 2019-12-02T16:39:17.990190Z app / awseb-AWSEB-1GSGKA6I5BBLS / c401b470346aaa57 173.251.70.131:18400--1 -1 -1 400-0 288“-https://awseb-awseb-1gsgka6i5bbls-765901116.us-east-1.elb.amazonaws.com:443--”“-” ECDHE- RSA-AES128-GCM-SHA256 TLSv1.2-“-”“ services-dev-sec..com”“ arn:aws:acm:us-east-1:224205300280:certificate / 75636aaa-90b0-4a5c-b6d7-2dd6db594d95 “-2019-12-02T16:39:17.969000Z”-“”-“”-“”-“”-“

这是服务器代码:

const 
    express = require('express'),
    https = require("https"),
    fs = require("fs");

const options = {
  key: fs.readFileSync('certs/server/services-dev-sec.key'),
  cert: fs.readFileSync('certs/server/services-dev-sec.crt'),
  ca: fs.readFileSync('certs/ca/ca.crt'), // authority chain for the clients
  requestCert: true, // ask for a client cert
  //rejectUnauthorized: false, // act on unauthorized clients at the app level
  enableTrace : true,
};


const app = express();

app.use((req, res) => {
    console.log(new Date(),'client authorized:',req.client.authorized, 'client CN:',req.socket.getPeerCertificate().subject.CN,'Method:',req.method);
    res.writeHead(200);
    res.end("hello world\n");
});

app.listen(8000);

const httpsPort = 4433;
console.log(new Date(),'Creating an HTTPS server');
https.createServer(options, app).listen(httpsPort, function() {
  console.log(new Date(),'listening on port:' + httpsPort);
});

nodejs.log文件为空,这使我相信请求没有传递到nodejs应用程序中。我在EC2的nginx access.log或error.log中看不到请求

我的问题是,如何使负载均衡器将HTTPS:443请求转发到EC2:4433?

0 个答案:

没有答案
相关问题
最新问题