使用来自ACM的证书在Elasticbeanstalk中强制使用https [英] Forcing https in elasticbeanstalk with certificate from ACM

问题描述

我已经提供了一个可扩展的EB(Elasticbeanstalk)rails(puma)实例.我已经通过ACM(Amazon Certificate Manager)申请了https，并将其应用于我的负载均衡器.我的网站已启用HTTPS.但是，如何强制重定向到https?我已经尝试了许多在线解决方案，建议通过.ebextensions手动进行nginx配置设置，但是我不确定从何处获得ACM的证书?(我假设现在ACM无法实现? ).如何强制使用HTTPS?

I have provisioned a scalable EB(Elasticbeanstalk) rails(puma) instance. I have applied for https through ACM(Amazon Certificate Manager) and applied it to my load balancer. HTTPS is enabled for my website now. But how do I force redirect to https? I have tried a number of solutions online where it was suggested to make a nginx configuration setting manually through .ebextensions and I am not sure where to get the certificate from ACM for this?(I am assuming that is not possible with ACM right now?). How do I force HTTPS?

推荐答案

当前的AWS EB Rails和Node.js设置都使用nginx(如果您的Web服务器是apache，请参见此问题):

The current AWS EB Rails and Node.js setups both use nginx (if your web server is apache see this answer), so the following should work (adapted from this question):

创建具有以下内容的文件.ebextensions/01-force-https.config(.config很重要，而不是.conf).

Create the file .ebextensions/01-force-https.config (the .config is important, not .conf) with the following content.

如果您的环境是单个实例:

If your environment is a single instance:

files:
  "/etc/nginx/conf.d/01-force-https.conf":
    owner: root
    group: root
    mode: "000644"
    content: |
      server {
          listen 8080;
          return 301 https://$host$request_uri;
      }

如果您的环境是负载平衡的，那么很遗憾，您不能简单地添加到现有配置中，而需要使用sed对其进行修改:

If your environment is load balanced, you unfortunately cannot simply add to the existing config but need to modify it with sed:

files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash

      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          sed -i '/listen 80;/a \    if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

然后将其添加到您的git repo或应用程序包和eb deploy中.这将创建/etc/nginx/conf.d/01-force-https.conf，该文件将自动从/etc/nginx/nginx.conf中包含.请注意，如果您以后从.ebextensions中删除相应的文件，则eb deploy不会删除服务器上的文件.此外，我发现以下对通过eb ssh进行调试很有帮助:

Then add it to your git repo or app bundle and eb deploy. This creates /etc/nginx/conf.d/01-force-https.conf which is automatically included from /etc/nginx/nginx.conf. Note that eb deploy won't delete the file on the server if you later remove the corresponding file from .ebextensions. Also, I found the following helpful in debugging through eb ssh:

sudo service nginx configtest
sudo service nginx restart

这篇关于使用来自ACM的证书在Elasticbeanstalk中强制使用https的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！