AWS上的多租户应用程序-多种SSL证书安装策略 [英] Multi-Tenant Application on AWS - Multiple SSL Certificate Installation Strategies
问题描述
我正在为Rails多租户应用程序做一些计划,想知道最好的方法是处理自定义域的证书.应用程序是相当糟糕的标准;ELB,应用程序服务器和多租户数据库.
I'm doing some planning for a Rails multi-tenant application, and wondered what the best approach was for handling certificates for custom domains. Application is pretty bog standard; ELB, application servers, and multi-tenant DB.
在我当前的用例中,租户将各自拥有一个唯一的应用程序子域.通常使用通配符证书来处理.
In my current use case, the tenants will each have an application subdomain unique to them. That's routinely handled with a wildcard certificate.
但是,当我展望未来并考虑如何自定义域支持(使用由客户端上传或自行生成并存储在AWS Certificate Manager中的SSL证书)时,我不确定如何最好地处理安装多个证书.假设已经配置了名称服务器,并且我已经通过AWS CM,letencrypt或具有生成/保护了适当的SSL证书.
However when I look ahead and consider how custom domain support (with SSL certificates either uploaded by client or self-generated, and stored in AWS Certificate Manager), I'm not sure how I would best handle installing multiple certificates. Assume that name servers have already been configured and that I've generated/secured the appropriate SSL certificates via AWS CM, letsencrypt, or have .
我可以看到一些选择,并且我希望就如何进行最佳操作提供一些指导:
There's a few options I can see and I'd love some direction on how best to proceed:
在这种情况下,我看到正在使用安装的自定义域证书创建ELB.该ELB充当代理并指向主ELB,然后按正常方式进行负载平衡.我本人赞成这种方法,每个ELB每月额外收取$ 20没关系.
In this scenario, I see an ELB being created with the custom domain certificate installed. That ELB acts as a proxy and points to the main ELB, which then load balances as per normal. I favour this approach myself and the additional $20/month+ per ELB is fine.
问题:您可以链接多个ELB而不丢失重要的头数据(例如主机)吗?我以前没有尝试过.
Question: Can you chain multiple ELBs without losing important header data (like the host?) I have not tried this before.
在这种情况下,每个自定义域都将被安装在具有自定义域证书的ELB上,并且每个服务器实例都将直接注册到它.我认为这不是理想的选择,因为每次我向上/向下旋转实例时,我都必须在每个ELB上自动执行(取消/注册)实例.
In this scenario, each custom domain would be installed on an ELB with the custom domain certificate installed, and would have each server instance registered directly to it. I don't see this being ideal, as I would have to automate (de/)registering instances on each ELB every time I spin up/down an instance.
使用HAProxy或替代方法,可以根据需要加载和添加/删除SSL证书.然后,我需要向HAProxy(取消注册)实例,以及直接管理HAProxy服务器.我不赞成这种方法,因为我正尝试减少需要直接管理的实例数.
Using HAProxy or an alternative, SSL certificates are loaded and added/removed as appropriate. I'll then need to (de/)register instances with HAProxy as well managing the HAProxy server directly. I don't favour this approach as I'm trying to reduce the number of instances I need to directly manage.
这对我来说很丑陋,因为我需要在启动时在每个应用程序服务器上安装每个证书,然后在它们更改时重新启动(?)每个服务器.
This feels pretty ugly to me, as I'd need to install each certificate on each application server at launch time and then restart(?) each server as they change.
我还缺少其他方法吗?我忽略的考虑因素?
Are there any other approaches I'm missing? Considerations I've neglected?
克里斯在下面提到(再次感谢!),AWS Application Load Balancer将最多支持25个证书.那肯定足以让我入门,但是我很好奇这种方法可以扩展到这个范围之外.多个ALB,HAProxy或...?
Chris mentioned below (thanks again!) that AWS Application Load Balancers will support up to 25 certificates. That'll certainly be enough to get me started, however I'm curious what the approaches could be to scale beyond that. Multiple ALBs, HAProxy, or...?
推荐答案
On Oct. 10, 2017, AWS announced support for multiple SSL certs on application load balancers (ALBs).
因此解决方案是使用ALB.您可以将多个目标组与每个ALB关联,并且可以进行基于主机名的路由,因此,即使最终不得不分拆后端,您仍然可以指向单个ALB.
So the solution is to use an ALB. You can have multiple target groups associated with each ALB, and you can do hostname based routing, so even if you end up having to shard your back ends, you can still point at a single ALB.
正如@Michael-sqlbot所说,如果每个ALB需要超过25个证书,您可能想开始使用多个ALB只是为了减小爆炸半径.
Edit 1: As @Michael - sqlbot ponts out, if you need more than 25 certs per ALB, you probably want to start using multiple ALBs just to reduce blast radius.
但是,如果由于某种原因您需要执行此操作,则要查看的另一种选择(注意:我没有尝试过)是使用
But if for some reason you need to do this, one other option to look into (note: I have not tried this) is to use a CloudHSM for SSL/TLS processing. There are two versions: the CloudHSM Classic (one time $5,000 fee, plus $1.88/hr for a dedicated appliance) and a new CloudHSM which is only $1.60/hr.
这篇关于AWS上的多租户应用程序-多种SSL证书安装策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
