ELB使用带有自签名证书的HTTPS到后端服务器 [英] ELB to backend server using HTTPS with self-signed certificate

问题描述

我正在寻找一个使用HTTPS与后端服务器通信的ELB.我正在尝试使用单个后端服务器设置概念证明，但似乎无法让ELB与服务器进行通信.我几乎可以肯定这是一个证书问题，因为没有SSL的任何设置都可以正常工作.

I am looking to setup an ELB that uses HTTPS to communicate with backend servers. I am trying to setup a proof of concept using a single backend server, but can't seem to get the ELB to communicate with server. I am almost certain this is a certificate issue since any setup without SSL works perfectly.

如何设置?我从多个答案和博客文章中尝试了各种建议，但是没有运气.

How can I set this up? I have tried various suggestions from multiple answers and blog posts, but no luck.

我现在正在使用以下命令来设置自签名证书(来自

What I am doing now is setting a self-signed certificate using the following commands (from AWS ELB -> Backend Server over HTTPS with Self-Signed Certificate):

$ openssl genrsa \
  -out /path/to/ssl.key 2048
$ openssl req \
  -sha256 \
  -new \
  -key /path/to/ssl.key \
  -out /path/to/ssl.csr
$ openssl x509 \
  -req \
  -days 365 \
  -in /path/to/ssl.csr \
  -signkey /path/to/ssl.key \
  -out /path/to/ssl.crt

在签名时，我尝试了多个域名，并且可以使用它们来卷曲:

I have tried multiple domain names, when signing, and I can curl using them:

curl https://[Public DNS, or private DNS or IP used to create the SSL crt]/status --cacert /path/to/ssl.crt

在这里应该使用域/IP/DNS条目吗?至少卷曲有效，我感觉很好.

Is there a domain/IP/DNS entry I should use here? I feel pretty good that curl works at least.

当前，我的nginx配置(在启用了站点的文件中)如下所示:

Currently my nginx config (in a site-enabled file) looks like this:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate     /path/to/ssl.crt;
    ssl_certificate_key /path/to/ssl.key;

    server_name <dummy value of "_" or name used to make SSL certs>;
    client_max_body_size 20M;
    access_log  /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    location / {
        proxy_pass         http://127.0.0.1:8000/;
        proxy_redirect     off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

这与上面的curl命令一起使用.

This works with the curl command above.

我尝试了经典负载均衡器和应用程序负载均衡器.对于经典版本，我尝试添加ssl.crt内容-应用程序负载平衡器没有看到类似的选项，尽管我希望尽可能使用它们，因为它们可以非常轻松地转发HTTP-> HTTPS.无论哪种方式，经典负载均衡器或应用程序负载均衡器都无法与服务器通信.

I have tried classic and application load balancers. With classic, I have tried adding the ssl.crt contents - I do not see a similar option with the application load balancers, though I would like to use them if possible because they can forward HTTP->HTTPS really easily. Either way, neither the classic or application load balancer is communicating with the server.

关于缺少什么的任何建议?还是如何确定缺少的东西?

Any suggestions for what is missing? Or how to determine what is missing?

推荐答案

这很接近，只剩下几个小步骤.我让它与ALB ELB一起工作.

This was close, just a few small steps missing. I got this working with an ALB ELB.

首先，我使用了类似于此处描述的脚本:

First, I used a script similar to the one described here: https://myopswork.com/how-to-do-end-to-end-encryption-of-data-in-transit-b-w-aws-alb-and-ec2-3b7fd917cddd

#!/bin/bash

DIR=$(dirname $0)

domain=$(uname -n)
echo "Generating SSL for $domain"
commonname="$domain"
country="US"
state="California"
locality="LA"
organization="My Inc."
organizationalunit="Org"
email="my@email.com"

# Optional
password=dummypassword

echo "Generating key request for $domain"

mkdir -p /etc/ssl/private
chmod 700 /etc/ssl/private
mkdir -p /etc/ssl/certs

# Generate a key
openssl genrsa -des3 -passout pass:$password -out /etc/ssl/private/$domain.key 2048 -noout

# Remove passphrase from the key. Comment the line out to keep the passphrase
echo "Removing passphrase from key"
openssl rsa -in /etc/ssl/private/$domain.key -passin pass:$password -out /etc/ssl/private/$domain.key

# Create the request
echo "Creating CSR"
openssl req -new -key /etc/ssl/private/$domain.key -out /etc/ssl/private/$domain.csr -passin pass:$password \
    -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"

# Create the cert
openssl x509 -req -days 365 -in /etc/ssl/private/$domain.csr -signkey /etc/ssl/private/$domain.key -out /etc/ssl/certs/$domain.crt

# Setup nginx config
sed "s/{{hostname}}/${domain}/" < $DIR/template.conf > /etc/nginx/sites-available/site.conf
ln -sf /etc/nginx/sites-available/site.conf /etc/nginx/sites-enabled/site.conf

模板看起来像这样:

server {
    # listen 80 #uncomment to also listen on port 80 - useful for debugging
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {{hostname}};

    ssl_certificate /etc/ssl/certs/{{hostname}}.crt;
    ssl_certificate_key /etc/ssl/private/{{hostname}}.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options sameorigin;
    add_header X-Content-Type-Options nosniff;

    location / {
        ...
    }
}

域看起来像ip-172-10-11-12.

为调试所有内容，我在下面运行了 like 的内容-这是从内存中提取的，因此可能有详细信息.首先，我要确保可以通过单击nginx在本地卷曲服务器:

To debug everything I ran something like the following - this is from memory so it may have details off. I began by making sure I could curl the server locally by hitting nginx:

curl https://ip-172-10-11-12/healthcheck --cacert /etc/ssl/certs/ip-172-10-11-12.crt

然后我得到了ELB地址，并确保可以卷曲它.我不得不去一台可以访问ELB机器的机器.请注意，由于安全规则，ELB不可插拔，但可卷曲.我相信我已经测试了这两种方式.首先，我尝试过:

Then I got the ELB address, and make sure I could curl against that. I had to go on a machine that could access the ELB machine. Note that due to security rules, the ELB was not pinagable, but was curl-able. I believe I tested this 2 ways. First, I tried:

curl https://elb-address/healthcheck --insecure

然后我将ip-172-10-11-12添加到/etc/hosts文件并尝试:

Then I added ip-172-10-11-12 to the /etc/hosts file and tried:

curl https://ip-172-10-11-12/healthcheck --cacert /cert/file/copied/onto/machine

一旦我开始工作，ALB ELB就开始工作.在此最后一个调用起作用之前，我必须检查防火墙规则，AWS安全组等.但是当ELB正常工作时，便开始看到服务器.

Once I got that working, the ALB ELB started working. I had to check firewall rules, AWS security groups, etc. before this last call worked. But when it did work, the ELB started seeing the server.

在调试时，我还有最后的见解:如果从公共Internet访问ELB，则ELB必须仅具有公共子网，并且公共子网应与目标计算机位于同一可用区域中

I also had 1 final insight while debugging this: If the ELB is being accessed from the public internet, the ELB must only have public subnets, and the public subnets should be in the same availability zone as target machines

这篇关于ELB使用带有自签名证书的HTTPS到后端服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！