HTTPS仅适用于本地主机 [英] HTTPS only works on localhost
问题描述
我想安装HTTPS在我的EC2实例之一。我做过很多次,但由于某些原因,此实例,它拒绝工作。
I am trying to setup https on one of my EC2 instances. I've done this many times, but for some reason, for this instance, it refuses to work.
问题
当我通过本地IP连接到域的HTTPS工作正常。
当我通过公网IP连接到域,在 HTTPS不起作用并在浏览器repsonse为ERR连接被拒绝
When I connect to the domain via the local ip, the https works fine. When I connect to the domain via the public ip, the https does not work and the browser repsonse is "ERR CONNECTION REFUSED"
当我重装有时候,你可以看到它接受了HTTPS,然后它会阻止它立刻,仿佛有一个防火墙规则,但心不是。
When I reload sometimes, you can see it accepted the https, and then it blocks it immediately, almost as if there is a firewall rule, but there isnt.
普通的HTTP工程100%的本地和公众。
normal http works 100% local and public.
我并不是在这个阶段通过安全组在Amazon阻止任何端口。
我对IP表没有规则,我有残疾UFW。
I am not blocking any ports at this stage via Security groups on amazon. I have no rules on ip tables and I have disabled ufw.
我已经启用了SSL的Apache和测试工作按键在本地正常。
I have enabled SSL for apache and the test keys works fine locally.
这是须藤netstat的-tlnp
This is the output of sudo netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 937/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1060/mysqld
tcp6 0 0 :::22 :::* LISTEN 937/sshd
tcp6 0 0 :::443 :::* LISTEN 2798/apache2
tcp6 0 0 :::80 :::* LISTEN 2798/apache2
这是我的/etc/apache2/ports.conf文件:
This is my /etc/apache2/ports.conf file:
Listen 80
Listen 443
我已经启用默认的SSL网站没有任何错误。
I have enabled the default-ssl site without any errors.
这是我的/ etc / hosts文件:
This is my /etc/hosts file:
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
我也用0.0.0.0代替127.0.0.0尝试,它什么也没做。
I also tried using 0.0.0.0 instead of 127.0.0.0 and it did nothing.
这是Apache我的网站的conf文件(我取代我的真实的网站名称以mysite.com为安全起见):
This is my website's conf file for apache (I replaced my real site name with "mysite.com" for security purposes):
<VirtualHost *:80>
DocumentRoot /var/www/html/mysite.com
ServerName mysite.com
ServerAlias www.mysite.com
<Directory /var/www/html/mysite.com>
AllowOverride All
RewriteEngine On
Require all granted
Options -Indexes +FollowSymLinks
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/mysite.com
ServerName mysite.com
ServerAlias www.mysite.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/public.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCACertificateFile /usr/local/ssl/intermediate.crt
</VirtualHost>
这完全一样的conf文件正在研究另一个实例,它告诉我,这个问题是不是与此文件。
This exact same conf file was working on another instance, which is telling me that the problem is not with this file.
我在想什么?任何帮助,请。
在此先感谢
What am I missing ? Any help please. Thanks in advance
下面是我已加载模块的Apache:
Here are my loaded modules for apache:
sudo apache2ctl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php5_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
wsgi_module (shared)
编辑2
一些有趣的Apache error.log中的条目,而不是当我重新启动该服务,只是随机几分钟前(难道这是什么造成的问题?):
EDIT 2
Some interesting apache error.log entries, not when I restarted the service, just randomly a few minutes earlier (could this be whats causing the problems ?):
[Wed Feb 17 21:04:48.478106 2016] [ssl:warn] [pid 3629] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 17 21:04:48.507277 2016] [ssl:warn] [pid 3630] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 17 21:04:48.507324 2016] [:warn] [pid 3630] mod_wsgi: Compiled for Python/3.4.0.
[Wed Feb 17 21:04:48.507329 2016] [:warn] [pid 3630] mod_wsgi: Runtime using Python/3.4.3.
[Wed Feb 17 21:04:48.509502 2016] [mpm_prefork:notice] [pid 3630] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 OpenSSL/1.0.1f mod_wsgi/3.4 Python/3.4.3 configured -- resuming normal operations
[Wed Feb 17 21:04:48.509517 2016] [core:notice] [pid 3630] AH00094: Command line: '/usr/sbin/apache2'
我禁用了WSGI模块,以确保公正,这不是我的问题,并重新启动Apache服务,不过,没有运气,同样的问题。
I disabled the wsgi module just to make sure that's not my problem, and restarted apache service, still, no luck, same problem.
我倾我的一些phpinfo()函数来显示更多的信息。 SSL设置为YES。我不知道怎么回事:(
I'm dumping some of my phpinfo() to show more info. SSL is set to YES. I have no idea whats going on :(
![在这里输入的形象描述](\"http://i.stack.imgur.com/2sqEB.png\")
我想我可能需要在负载平衡器任何这种添加SSL certifiacte甚至工作。我想,现在,将让大家知道...
I think that I might need to add the SSL certifiacte on the load balancer for any of this to even work. I'm trying that now, will let everyone know...
推荐答案
要实现HTTPS流量在一个专用子网坐在后面的AWS一个VPC内的负载平衡器的EC2实例的唯一方法,就是要有一个HTTPS监听器负载均衡器(ELB)本身对负载平衡器的特定服务器/域的证书。在我的情况下,即使你有负载平衡器(入站,出站)的安全规则HTTPS 443开放和EC2实例(呼入,呼出)时,ELB仍然让该端口的EC2实例,如果所有的HTTPS流量该ELB没有与有效证书的侦听器。任何地方的文件中,据我已阅读,它明确地说。希望这有助于。
The only way to achieve HTTPS traffic to an EC2 instance in a private subnet sitting behind a load balancer within a VPC on AWS, is to have an HTTPS listener on the load balancer (ELB) itself with the certificate of the specific server/domain on the load balancer. In my case, even if you have HTTPS 443 open in your security rules of the load Balancer (inbound, outbound) and on the EC2 instance (inbound, outbound), the ELB still blocks all HTTPS traffic on that port to the EC2 instance if the ELB does not have a listener with a valid certificate. No where in the documentation, as far as I have read, does it explicitly say that. Hope this helps.
使用AWS CLI从EC2实例提交证书到IAM。
Submit the certificate from the EC2 instance into IAM using AWS cli.
我说我的服务器上的证书文件,不得不将它们上传到IAM像这样(是的,文件://部分是必要的,甚至在Linux上):
I added the certificate files on my server and had to upload them to IAM like so (yes, the file:// part is necessary, even on linux):
aws iam upload-server-certificate --server-certificate-name my-server-cert
--certificate-body file://my-certificate.pem --private-key file://my-private-key.pem
--certificate-chain file://my-certificate-chain.pem
为解释在这里:的http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
然后,你需要安装在具有连接到它的EC2实例ELB侦听器。听者然后HTTPS和端口443侦听器会要求一个证书,它可以让你从AWS添加CLI前面的人,已经列出。如果没有列出,注销AWS控制台并重新登录后,这一点,通过HTTPS流量将开始流向你的EC2实例。
Then you need to setup a listener on the ELB which has the EC2 instance attached to it. The listener is then for HTTPS and port 443. The listener will ask for a certificate and it will have the one you added from the aws cli earlier, already listed. If it is not listed, log out of the AWS console and log back in. After, this, traffic via HTTPS will start flowing to your EC2 instance.
我不知道这是必要的,因为我有打开的端口为443的负载均衡器的安全组和无处文档做它的明确说,如果你使用负载平衡器,这是在仅实现的 HTTPS 连接方式。它只是解释说,这是去当你想要一个HTTPS负载均衡器,这可能意味着两种不同事物的方式,不过,我很高兴它整理出来。
I wasn't sure that this was needed, because I had the ports open for 443 on the load balancer's security group and nowhere in the documentation does it explicitly say that if you use a load balancer, this is the ONLY way of achieving an HTTPS connection. It only explains that this is the way to go when you want a HTTPS load balancer, which can mean two different things, however, I'm glad it's sorted out.
这篇关于HTTPS仅适用于本地主机的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
