无法为在Elastic Beanstalk AWS上运行ASP.NET的网站强制使用HTTPS(使用经典负载均衡器) [英] Unable to force HTTPS for website running ASP.NET on Elastic Beanstalk AWS (With classic Load Balancer)
问题描述
因此,我终于能够成功创建一个https网站.它只是运行模板ASP.NET Web项目.我有一个证书,并且已将其添加到AWS中的ELB(弹性负载均衡器-经典).我的环境可以正常运行,因为我可以浏览到 https://www.mvc.cloudy-skies.org ,它是安全的.棒极了!但是,仍然存在两个问题:
So I've finally been able to successfully create a https website. It is just running the template ASP.NET web project. I have a certificate, and this is added to the ELB (Elastic Load Balancer - classic) in AWS. My environment works in that I can browse to https://www.mvc.cloudy-skies.org and it is secure. That's awesome! However, two issues remain:
1-您仍然可以浏览到http://,并且可以使用.不理想. 2-我通过OWIN中间件具有Azure AD身份验证.这很好用,但是尽管登录后在重定向URL中指定了HTTPS,但我仍被重定向回该站点的HTTP版本.
1 - you can still just browse to http:// and it works. Not ideal. 2 - I have Azure AD authentication via OWIN middleware. This works great, but despite specifying HTTPS in the redirect URL after sign in, I am redirected back to the HTTP version of the site.
有人可以在这里帮忙吗?我很茫然.这就是我在Elastic Beanstalk环境(负载均衡器)上配置侦听器的方式
Can anyone help here please? I'm at a loss. This is how I have the listeners configured on the Elastic Beanstalk environment (Load Balancer)
我尝试将重定向添加到Web.Config中(例如)
I have tried adding redirects into the Web.Config (e.g.)
<!--<rewrite>
<rules>
<rule name="Redirect to HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" />
<add input="{REMOTE_HOST}" pattern="localhost" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
<add input="{HTTP_HOST}" pattern="localhost" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>-->
但是,由于运行状况检查失败,这会导致Elastic Beanstalk部署更新失败.我什至尝试在解决方案的根目录中创建一个基本的HTML页面并将其用于运行状况检查,但仍然失败.关于在web.config中指定重定向的操作无法正常进行.
However this causes the Elastic Beanstalk deployment to fail on update, due to the fact that the healthcheck fails. I have even tried creating a basic HTML page in the root of the solution and using that for health checks but it still fails. Something about specifying the redirect in the web.config does not play well.
肯定要强制用户遵守HTTPS真的很简单吗?
Surely this is really simple to force the user to conform to HTTPS?
推荐答案
我发现最好添加设置了将HTTP重定向到HTTPS"的CloudFront发行版.尽管公共互联网用户会自动重定向到HTTPS端点,但CloudFront会使用您的证书终止TLS会话,然后使用http与Elastic Beanstalk的ELB进行对话.
I find it best to add a CloudFront Distribution, with "Redirect HTTP to HTTPS" set. CloudFront terminates the TLS session with your cert, then talks to your Elastic Beanstalk's ELB using http, though public internet users are automatically redirected to the HTTPS endpoint.
这可以通过以下步骤实现:
This can be achieved following these steps:
- 转到CloudFront>创建分配> Web
- 选择ELB来源
- 选择查看器策略:将HTTP重定向到HTTPS
- 选择基于标题的缓存:全部(这允许每个用户缓存,尽管您以后可能需要对其进行优化)
- 对象缓存:自定义(禁用默认缓存,稍后再进行查看以进行优化)
- 输入最小,最大和默认TTL为0
- 全部使用Cookie和QueryString
- 选择合适的价格等级,更少的地区更便宜.
- 备用域名:添加要定向到此发行版的所有域名
- 自定义SSL证书(该证书必须是us-east-1中的证书,并且上面输入的所有域名都作为备用名称.
- 创建分发后,您需要更新DNS CNAME以指向您指定的___.cloudfront.net地址.
- Go to CloudFront > Create Distribution > Web
- Select the ELB Origin
- Select Viewer Policy: Redirect HTTP to HTTPS
- Select Cache Based on Headers: All (this allows caching per user, though you may want to refine this later)
- Object Caching : Customize (disables default caching, review later to optimize)
- Enter Minimum, Maximum and Default TTL as 0
- Cookies and QueryString to All
- Select appropriate Price Class, less regions are cheaper.
- Alternative Domain Names: add all domain names that you want to be directed at this Distribution
- Custom SSL Certificate (this needs to be a certificate in us-east-1 with all the domain names entered above as alternative names.
- Once the Distribution has been created, you need to update your DNS CNAME to point to the ___.cloudfront.net address that you are given.
这篇关于无法为在Elastic Beanstalk AWS上运行ASP.NET的网站强制使用HTTPS(使用经典负载均衡器)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
