AWS - SSL/HTTPS on load balancer


Question

I have a problem adding https to my EC2 instance, and maybe you guys have the answer to make it work.

I have a load balancer that forwards the connection to my EC2 instance. I've added the SSL certificate to the load balancer and everything went fine. I've added a listener on port 443 that forwards to port 443 of my instance, and I've configured Apache to listen on both ports 443 and 80. Here is the screenshot of my load balancer:

The SSL certificate is valid, and on port 80 (HTTP) everything is fine, but if I try with https the request does not go through.

Any ideas?

Cheers

Answer

Elastic Load Balancer cannot forward your HTTPS requests to the server. This is why SSL is there: to prevent a man-in-the-middle attack (amongst others).

The way you can get this working is the following:

  • configure your ELB to accept TCP 443 connections and install an SSL certificate through IAM (just like you did)
  • relay traffic on TCP 80 to your fleet of web servers
  • configure your web servers to accept traffic on TCP 80 (having SSL between the load balancer and the web servers is also supported, but not required most of the time)
  • configure your web servers' Security Group to only accept traffic from the load balancer.

(optional) be sure your web servers are running in a private subnet, i.e. with only private IP addresses and no route to the Internet Gateway

If you really need an end-to-end SSL tunnel between your client and your backend servers (for example, to perform client-side SSL authentication), then you'll have to configure your load balancer in TCP mode, not in HTTP mode (see Support for two-way TLS/HTTPS with ELB for more details).

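Once TLS is terminated at the balancer and relayed to the web server on TCP 80, the back end never sees a TLS handshake: the only evidence that the client used HTTPS is the X-Forwarded-Proto header that ELB adds to every forwarded request. An application in that position should redirect plain-HTTP clients to https:// (and send HSTS to HTTPS clients) based on that header, and it should trust the header only when the request actually arrived from the load balancer, so that anything reaching port 80 by another path cannot spoof X-Forwarded-Proto: https. The Security Group rule in the answer enforces that boundary at the network layer; the Python below is an added example of the application-layer half. It is not code from the original question or answer, and the trusted subnet 10.0.0.0/16, the host example.com, the sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlunsplit

# Assumed value: the subnet(s) the load balancer nodes send from. In a real
# VPC this is the balancer's own subnets (or the VPC CIDR), never 0.0.0.0/0.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/16")]


def from_trusted_proxy(remote_addr: str) -> bool:
    """True only if the TCP peer is inside the load balancer's address range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # empty or malformed REMOTE_ADDR
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def effective_scheme(environ: dict) -> str:
    """Scheme the client used, as far as the back end can safely tell.

    environ is a WSGI-style dict. Behind a TLS-offloading ELB the socket is
    plain HTTP (wsgi.url_scheme == "http") and X-Forwarded-Proto, exposed by
    WSGI as HTTP_X_FORWARDED_PROTO, carries what the client actually used.
    """
    if from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    # Not from the balancer (or header missing/garbage): a header set by any
    # other peer is ignored and only the observed transport counts.
    return environ.get("wsgi.url_scheme", "http")


def enforce_https(environ: dict):
    """Return (status, headers) for a request seen on the port-80 back end.

    Clients that came in over plain HTTP get a 301 to the same URL on
    https://; clients that came in over HTTPS get a 200 with an HSTS header
    so browsers stop trying HTTP at all.
    """
    host = environ.get("HTTP_HOST", "")
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    if effective_scheme(environ) != "https":
        location = urlunsplit(("https", host, path, query, ""))
        return "301 Moved Permanently", [("Location", location)]
    return "200 OK", [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Type", "text/plain"),
    ]


def make_environ(remote_addr, host="example.com", path="/", query="",
                 forwarded_proto=None):
    """Build a constructed WSGI environ as the port-80 server would see it."""
    environ = {
        "REMOTE_ADDR": remote_addr,
        "wsgi.url_scheme": "http",      # TLS ended at the balancer
        "HTTP_HOST": host,
        "PATH_INFO": path,
        "QUERY_STRING": query,
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def application(environ, start_response):
    """Minimal WSGI app wiring the check in, usable under any WSGI server."""
    status, headers = enforce_https(environ)
    start_response(status, headers)
    return [b"" if status.startswith("301") else b"secure page\n"]


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.9 (TEST-NET-3) plays an outsider
    # that reached port 80 without going through the balancer.
    for environ in (
        make_environ("10.0.3.7", path="/login", forwarded_proto="https"),
        make_environ("10.0.3.7", path="/login", query="next=%2F",
                     forwarded_proto="http"),
        make_environ("203.0.113.9", path="/login", forwarded_proto="https"),
    ):
        print(environ["REMOTE_ADDR"], environ.get("HTTP_X_FORWARDED_PROTO"),
              "->", enforce_https(environ)[0])
```

The third sample request shows the point of the trust check: an outsider who sets X-Forwarded-Proto: https is still treated as plain HTTP and redirected, instead of being handed the secure page. The same rule in Apache on the port-80 virtual host is a mod_rewrite condition on %{HTTP:X-Forwarded-Proto} not equal to https, and mod_remoteip with RemoteIPInternalProxy set to the balancer's subnets plays the role of TRUSTED_PROXY_NETS for the X-Forwarded-For header.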
