使用来自 ACM 的证书强制在 elasticbeanstalk 中使用 https [英] Forcing https in elasticbeanstalk with certificate from ACM
问题描述
我已经配置了一个可扩展的 EB(Elasticbeanstalk) rails(puma) 实例.我已经通过 ACM(Amazon Certificate Manager) 申请了 https 并将其应用于我的负载均衡器.我的网站现在启用了 HTTPS.但是如何强制重定向到 https?我在网上尝试了许多解决方案,建议通过 .ebextensions 手动进行 nginx 配置设置,但我不确定在哪里可以从 ACM 获取证书?(我假设现在 ACM 无法做到这一点?).如何强制使用 HTTPS?
I have provisioned a scalable EB(Elasticbeanstalk) rails(puma) instance. I have applied for https through ACM(Amazon Certificate Manager) and applied it to my load balancer. HTTPS is enabled for my website now. But how do I force redirect to https? I have tried a number of solutions online where it was suggested to make a nginx configuration setting manually through .ebextensions and I am not sure where to get the certificate from ACM for this?(I am assuming that is not possible with ACM right now?). How do I force HTTPS?
推荐答案
当前的 AWS EB Rails 和 Node.js 设置都使用 nginx(如果您的 Web 服务器是 apache,请参阅 这个答案),所以以下应该可以工作(改编自这个问题):
The current AWS EB Rails and Node.js setups both use nginx (if your web server is apache see this answer), so the following should work (adapted from this question):
创建文件 .ebextensions/01-force-https.config
(.config
很重要,而不是 .conf
)以下内容.
Create the file .ebextensions/01-force-https.config
(the .config
is important, not .conf
) with the following content.
如果您的环境是单个实例:
If your environment is a single instance:
files:
"/etc/nginx/conf.d/01-force-https.conf":
owner: root
group: root
mode: "000644"
content: |
server {
listen 8080;
return 301 https://$host$request_uri;
}
如果您的环境是负载平衡的,很遗憾您不能简单地添加到现有配置中,而是需要使用 sed 对其进行修改:
If your environment is load balanced, you unfortunately cannot simply add to the existing config but need to modify it with sed:
files:
"/tmp/45_nginx_https_rw.sh":
owner: root
group: root
mode: "000644"
content: |
#! /bin/bash
CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`
if [ $CONFIGURED = 0 ]
then
sed -i '/listen 80;/a if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }
' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
logger -t nginx_rw "https rewrite rules added"
exit 0
else
logger -t nginx_rw "https rewrite rules already set"
exit 0
fi
container_commands:
00_appdeploy_rewrite_hook:
command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
01_configdeploy_rewrite_hook:
command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
02_rewrite_hook_perms:
command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
03_rewrite_hook_ownership:
command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
然后将其添加到您的 git repo 或应用程序包和 eb deploy
.这会创建 /etc/nginx/conf.d/01-force-https.conf
,它会自动包含在 /etc/nginx/nginx.conf
中.请注意,如果您稍后从 .ebextensions
中删除相应的文件,eb deploy
不会删除服务器上的文件.此外,我发现以下有助于通过 eb ssh
进行调试:
Then add it to your git repo or app bundle and eb deploy
. This creates /etc/nginx/conf.d/01-force-https.conf
which is automatically included from /etc/nginx/nginx.conf
. Note that eb deploy
won't delete the file on the server if you later remove the corresponding file from .ebextensions
. Also, I found the following helpful in debugging through eb ssh
:
sudo service nginx configtest
sudo service nginx restart
这篇关于使用来自 ACM 的证书强制在 elasticbeanstalk 中使用 https的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!