HTTPS on EC2 instance running python project


Problem description

I'm having considerable difficulty getting HTTPS to resolve on my EC2 instance, which runs a python project. The request just times out (ERR_CONNECTION_TIMED_OUT). HTTP runs ok, however. The steps I've taken are as follows.

  1. I've created certificates in ACM for the following domains: *.mywebsite.com and mywebsite.com

  2. I've set up Route 53 as follows:

Routing policy on the A records is Simple.

  3. I've gone into the Listener for my Load Balancer for my EC2 instance and CHANGED the port from 80 (HTTP) TO 443 (HTTPS) and added my certificate.

Note: the "Forward To" is a Target Group running on port 80 (HTTP). I've read that this is correct.

  4. I then went into the Security Group's Inbound Rules and added HTTPS

At this point, I've got the following questions:

a) Given that this is a python/Django project, is enabling HTTPS for EC2 possible to do this through the aws website or do I need to add config files and deploy to my instance?

b) Do I need to create a target group running on HTTPS?

c) Do I need listeners on my load balance for port 80 and port 443 or just port 443?

d) On my security group, do I need port 80 to go to 0.0.0.0/0 and ::0/?

e) Should the A record be the DNS name of the load balancer or should it be the CNAME of my environment?

Thanks for your help! Once we get the answer here, I'm going to write a guide and post it on youtube.

Recommended answer

Let me start by giving you a little bit of overview of how a request flows in this case.

As you have rightly guessed, the Load Balancer, Application Load Balancer to be specific, can handle SSL traffic. This also means that from the Load Balancer to the origin server, the mentioned target group in this case, only http traffic will flow and not https. So you don't have to worry about handling certificates on the server. The response from the origin server is then again wrapped up in an SSL tunnel and sent back to the client by the ALB.

This means that your end user should be able to connect to the Load Balancer on port 443 at least, and also on port 80 (which can redirect to 443).

This means the security group of your load balancer should have port 443 (and optionally 80) open to the world, or to your users.

Between the origin server and the ALB, the traffic flows on the port that your app is running on, so that is what the security group of the server should allow access to from the ALB.

In other words, the server (EC2) security group should allow the ALB on whatever port the application is running on.

Note: This doesn't have to be 80 or 443, it can also be 8080, as long as your target group knows about it and is forwarding the request on that port.

Now to answer your questions:

a) Given that this is a python/Django project, is enabling HTTPS for EC2 possible to do this through the aws website or do I need to add config files and deploy to my instance?
You don't have to do this. As I mentioned, the encryption/decryption can be offloaded to ALB. Read more about it in the docs here.

b) Do I need to create a target group running on HTTPS?
This builds on the previous question: no, you don't have to. The app server/EC2 instance should not be concerned with this.

c) Do I need listeners on my load balance for port 80 and port 443 or just port 443?
This depends on your use case. The base necessity is to have only 443. If you want to allow users to still land on the http site and then be redirected to a more secure https version, you can again make use of the ALB for this. More about it here.

d) On my security group, do I need port 80 to go to 0.0.0.0/0 and ::0/?
For ALB, yes, but not for the EC2 instances. Remember that EC2 never communicates directly with users, only with the ALB. So you can control the traffic on EC2 more tightly.

e) Should the A record be the DNS name of the load balancer or should it be the CNAME of my environment?
Use Alias records. They are much easier to manage, and AWS will take care of the mapping. More about this here.
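As an added example (not part of the question or the answer above), here is a small Python audit that turns the answer's rules into checks over data shaped like boto3 `describe_listeners` / `describe_target_groups` / `describe_security_groups` output: 443 listener with a certificate, optional 80 listener that redirects, HTTP target group, ALB group open on 443, instance group reachable only from the ALB group. The group ids, target group name and certificate ARN are constructed placeholders, and `audit_question_setup` models the asker's state (80 listener turned into 443, instance port open to the world).

```python
import copy
ALB_SG, APP_SG, APP_PORT = "sg-alb", "sg-app", 80  # constructed ids; the Django app listens on 80

def _perms_for(sg, port):  # ingress rules of a security group that cover `port`
    return [p for p in sg["IpPermissions"] if p["IpProtocol"] in ("tcp", "-1")
            and p.get("FromPort", 0) <= port <= p.get("ToPort", 65535)]

def audit(listeners, target_groups, security_groups):
    """Return findings; an empty list means the setup follows the answer's rules a-e."""
    findings = []
    by_port = {l["Port"]: l for l in listeners}
    https = by_port.get(443)
    if not https or https["Protocol"] != "HTTPS" or not https.get("Certificates"):
        findings.append("ALB needs an HTTPS listener on 443 carrying an ACM certificate")
    http = by_port.get(80)
    if http and http["DefaultActions"][0]["Type"] != "redirect":
        findings.append("port-80 listener should redirect to 443 rather than forward plain HTTP")
    for tg in target_groups:  # TLS ends at the ALB, so the instance side stays plain HTTP
        if tg["Protocol"] != "HTTP":
            findings.append(f"target group {tg['TargetGroupName']} should use HTTP, not {tg['Protocol']}")
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    if not any(r["CidrIp"] == "0.0.0.0/0" for p in _perms_for(sgs[ALB_SG], 443) for r in p["IpRanges"]):
        findings.append("ALB security group must allow 443 from 0.0.0.0/0 (or your users' ranges)")
    app_perms = _perms_for(sgs[APP_SG], APP_PORT)
    if not any(g["GroupId"] == ALB_SG for p in app_perms for g in p["UserIdGroupPairs"]):
        findings.append(f"instance security group must allow port {APP_PORT} from {ALB_SG}")
    if any(p["IpRanges"] or p["Ipv6Ranges"] for p in app_perms):
        findings.append(f"instance security group exposes port {APP_PORT} to the internet; only the ALB should reach it")
    return findings

# Constructed sample data shaped like boto3 describe_listeners / describe_target_groups /
# describe_security_groups output, trimmed to the fields used above.
LISTENERS_OK = [
    {"Port": 443, "Protocol": "HTTPS", "DefaultActions": [{"Type": "forward"}],
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}]},
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect"}], "Certificates": []}]
TARGET_GROUPS_OK = [{"TargetGroupName": "django-tg", "Protocol": "HTTP", "Port": APP_PORT}]
SGS_OK = [
    {"GroupId": ALB_SG, "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": APP_SG, "IpPermissions": [{"IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
        "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]}]

def audit_recommended():
    return audit(LISTENERS_OK, TARGET_GROUPS_OK, SGS_OK)

def audit_question_setup():
    """The asker's state: the 80 listener was turned into 443, and the instance port is open to 0.0.0.0/0."""
    sgs = copy.deepcopy(SGS_OK)
    sgs[1]["IpPermissions"][0]["IpRanges"] = [{"CidrIp": "0.0.0.0/0"}]
    return audit([LISTENERS_OK[0]], TARGET_GROUPS_OK, sgs)
```

Run against real accounts by feeding the three describe_* responses into `audit`; the only finding for the question's setup is the instance security group exposed to the internet, which is the answer's point d.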
