VPC SSL/HTTPS environment


Problem description

I have the following VPC setup with AWS Elastic Beanstalk:

  1. Web App public Load Balancer (with EC2 instances in a private subnet), which my domain (proxied through Cloudflare) points to.
  2. Private internal API Load Balancer, with internal access granted to the above EC2 instances via Security Groups.
  3. Database in a private subnet, accessible by the EC2 instances behind the API Load Balancer.

I would like to enable end-to-end HTTPS; AWS has good documentation here (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html).

I have followed this, albeit with my free Cloudflare domain certs. This seemed OK until I got the following error: 'SELF_SIGNED_CERT_IN_CHAIN' when my web app tries to connect to the internal API via https://internal-aweseb-dns.amazonaws.com (the DNS name for the internal API Load Balancer).

Question

  1. Is this the correct way to get end-to-end HTTPS?; and
  2. How do I resolve the above error? (returned by Node JS)

Thanks

Answer

In the end I came to this conclusion: I don't need end-to-end HTTPS when my instances are in a private subnet because:

  1. Once HTTPS is terminated at the Load Balancer, the internal requests are over HTTP but are not over the public internet. These requests cannot be seen by anyone outside the AWS network.

  2. The data I am transmitting is not overly sensitive (just emails and user preferences), so there is no compliance/regulatory reason to enforce end-to-end HTTPS in a private network.
  3. There is a small performance hit when using HTTPS, as an SSL handshake must occur, which is an overhead.
  4. I have additional security via Security Groups, only allowing internal traffic originating from the Load Balancer.

There are many suggestions that would guide you to configure your application to ignore the certificate when connecting via HTTPS... but that defeats the whole point of HTTPS (a secure, encrypted connection). You may as well just use HTTP instead of doing this.

After much research and discussion with AWS, I think using HTTP over an internal network is secure enough for 99% of use cases and is pretty standard in a lot of setups, so unless you actually need end-to-end encryption for your use case, I would advise doing this instead.

Hope this helps.
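The error in the question is Node.js (via OpenSSL) reporting that the chain presented by the internal load balancer ends in a certificate the client does not trust. If end-to-end TLS is wanted after all, the fix that keeps HTTPS meaningful is to put the private CA (or the self-signed certificate itself) into the client's trust store, not to switch verification off. The following is an added example, not code from the original post, AWS, or Elastic Beanstalk: a self-contained Go program that mints a private CA, issues a leaf certificate for a hypothetical internal host name (internal-api.example.test; all certificate material is constructed in-process), serves it on a loopback port, and shows the three outcomes a client can get: the CA not trusted fails with x509.UnknownAuthorityError (Go's counterpart of Node's SELF_SIGNED_CERT_IN_CHAIN), the CA trusted succeeds, and InsecureSkipVerify (the "ignore the certificate" route the answer warns against) accepts any certificate at all. Go is used rather than Node because its standard library can create certificates offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"net/http"
	"time"
)

// Hypothetical DNS name standing in for the internal API load balancer.
const internalAPIHost = "internal-api.example.test"

// certTemplate returns a certificate template valid for one day.
func certTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA creates a self-signed private CA: the root that every client of the
// internal load balancer has to trust explicitly.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(1, "Example Internal CA")
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has the CA sign a leaf for host. The name goes into the
// SAN list, which is what TLS clients match the requested name against.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := certTemplate(2, host)
	tmpl.DNSNames = []string{host}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// clientConfig is the client side. roots must contain the private CA for
// verification to pass; insecure=true is the "ignore the certificate"
// shortcut (Node's rejectUnauthorized: false) that accepts any certificate.
func clientConfig(roots *x509.CertPool, serverName string, insecure bool) *tls.Config {
	return &tls.Config{
		RootCAs:            roots,
		ServerName:         serverName, // verified against the SAN; we dial by IP below
		InsecureSkipVerify: insecure,
		MinVersion:         tls.VersionTLS12,
	}
}

// callInternalAPI serves serverCert on a loopback port and makes one HTTPS
// request to it with cfg, returning the response body.
func callInternalAPI(serverCert tls.Certificate, cfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return "", err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "ok") })}
	go srv.Serve(ln)
	defer srv.Close() // also closes ln and any open client connection

	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get("https://" + ln.Addr().String() + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// isUnknownAuthority reports whether err is Go's counterpart of Node's
// SELF_SIGNED_CERT_IN_CHAIN: the chain does not end at a trusted root.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}
```

In Node the trusted-CA case corresponds to starting the app with `NODE_EXTRA_CA_CERTS=/path/to/internal-ca.pem` or passing `ca: fs.readFileSync('internal-ca.pem')` to the `https.Agent`; `NODE_TLS_REJECT_UNAUTHORIZED=0` or `rejectUnauthorized: false` is the InsecureSkipVerify case. Two caveats: the name in the certificate's SAN must be the name the client connects with (a mismatch fails with x509.HostnameError even when the CA is trusted), and a public CA will not issue a certificate for an amazonaws.com name you do not control, so an internal endpoint needs either a name you can issue for or a CA you run and distribute yourself.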
