Flask on Elastic Beanstalk with SSL gives 403 Forbidden


Question

Here is the application directory structure.

  • app/__init__.py
  • app/static/
  • app/models/
  • app/views/
  • application.py
  • requirements.txt
  • .elasticbeanstalk/config
  • .elasticbeanstalk/optionsettings.application_name
  • .ebextensions/python.config
  • .ebextensions/https.config

Here are the snippets of files inside .elasticbeanstalk

#config
EnvironmentTier=WebServer::Standard::1.0
EnvironmentType=SingleInstance
Region=us-west-1
ServiceEndpoint=https://elasticbeanstalk.us-west-1.amazonaws.com
SolutionStack=64bit Amazon Linux 2014.03 v1.0.3 running Python

#optionsettings.application_name
[aws:elasticbeanstalk:container:python]
NumProcesses=1
NumThreads=15
StaticFiles=/static/=app/static/
WSGIPath=application.py

[aws:elasticbeanstalk:container:python:staticfiles]
/static/=app/static/

Here are the steps I took to create the SSL certificate from CheapSSL

  • openssl genrsa 2048 > privatekey.pem
  • openssl req -new -key privatekey.pem -out csr.pem
  • Made SSL certificate request to Comodo and received three files
    • Root CA Certificate - AddTrustExternalCARoot.crt
    • Intermediate CA Certificate - PositiveSSLCA2.crt
    • Your PositiveSSL Certificate - server.crt

Note: I specified the server to be Apache/OpenSSL

Lastly, here are the snippets of files inside .ebextensions

#https.config
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: 000777
    owner: ec2-user
    group: ec2-user
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

        Alias /static /opt/python/current/app/
        <Directory /opt/python/current/app/>
        Order allow,deny
        Allow from all
        </Directory>

        WSGIScriptAlias / /opt/python/current/app/python/application.py

        <Directory /opt/python/current/app/>
        Order allow,deny
        Allow from all
        </Directory>

        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
          home=/opt/python/current/app
        WSGIProcessGroup wsgi
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: 000777
    owner: ec2-user
    group: ec2-user
    content: |
      -----BEGIN CERTIFICATE-----
      #contents from server.crt
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: 000777
    owner: ec2-user
    group: ec2-user
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      #contents from privatekey.pem
      -----END RSA PRIVATE KEY-----

This config is a snippet from the AWS Elastic Beanstalk documentation with small changes. http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSLPython.SingleInstance.html

  • mod_ssl -> mod24_ssl because of a yum install error. I was lucky to find this fix on Github
  • Excluded 01killhttpd. After deploying the application several times, killing httpd did permanent damage to the application.

The symptoms are as follows.

  • http: works
  • https: 403 Forbidden. You don't have permission to access / on this server.

I will disclose the site address if necessary.

I have taken every step specified in the AWS documentation but still failed to achieve a single goal: hooking my site up with https. There aren't enough posts available online to help me figure this out. I stayed away from a Load Balancer because I purchased the domain using GoDaddy and it's too complicated to set up the domain for an lb (that's another story).

Here is the link to a snapshot of the Elastic Beanstalk log.

https://dl.dropboxusercontent.com/u/23288606/Log.txt

Thanks.

Update:

Someone read the logs and pointed out an error message stating this.

[ssl:warn] [pid 1989] AH01909: [ec2-address].compute.amazonaws.com:443:0 server certificate does NOT include an ID which matches the server name

So yeah, the SSL certificate refers to my custom domain while the server still thinks of itself as ec2's default Public DNS (I think).

FYI, the custom domain is purchased from GoDaddy. I made it so that the A record points to my ec2 IP address.

In short, how do I make it so that when my ec2 server sets up ssl, it knows its fqdn is my custom domain, not the one provided by ec2?

Answer

Warning: I am a developer, not a sysadmin, and I don't know what I'm doing.

This week I had the exact same problems, including the domain one. Here is a configuration that worked for me. Feedback is welcome since I just hacked this together.

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
        Require all granted
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateChainFile "/etc/pki/tls/certs/inter.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

        Alias /static /opt/python/current/app/printwithme/static
        <Directory /opt/python/current/app/>
        Order allow,deny
        Allow from all
        </Directory>

        WSGIScriptAlias / /opt/python/current/app/application.py

        <Directory /opt/python/current/app/>
        Require all granted
        </Directory>

        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
          home=/opt/python/current/app
        WSGIProcessGroup wsgi-ssl
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----

      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----

      -----END RSA PRIVATE KEY-----

  /etc/pki/tls/certs/inter.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----

      -----END CERTIFICATE-----

container_commands:
  01killhttpd:
    command: "killall httpd"
  02waitforhttpddeath:
    command: "sleep 3"

At first I thought the forbidden problems had to do with file permissions, which I think is why OP has his permissions set to 777. In my case it had to do with Apache versions. Amazon uses Apache 2.2 in their example but has 2.4 on the servers. Confirm that by running httpd -v. If this is true then see this link, which gave me my changes in <Proxy *> and <Directory /opt/python/current/app/>. I don't know the difference between Order deny,allow and Order allow,deny, which I now know are called access controls. If I changed them wrong please let me know. Then I received 404 errors.

After that change I had to change:

WSGIScriptAlias / /opt/python/current/app/python/application.py

to

WSGIScriptAlias / /opt/python/current/app/application.py

This should point to the file where you create your application object. Yours might be different.

Then I had to change:

Alias /static /opt/python/current/app/

to

Alias /static /opt/python/current/app/my-app-name/static

because in my app the static files are in a nested folder. This should point to the directory with your static files. Notice my-app-name is a variable to be changed by you if needed.

Lastly I added a chain file. This was given to me by the SSL people with my certificate. You might need to add it too. In my understanding it might be optional but not really.

Sorry if I missed anything.

I had issues with the file modes. I had to quote them: mode: "000755" mode: "000400"

I will update the configuration to reflect these changes.
