HTTPS 网站的 ELB 和 Apache 配置 [英] ELB and Apache configuration for HTTPS website

问题描述

我正在为 https 网站设置 ELB，但我对端口配置有疑问...

I'm setting up ELB for a https website and I have questions concerning the ports configuration...

现在我在 ELB 上有这个端口配置:

Right now I have this port configuration on the ELB:

• 80 (HTTP) 转发到 80 (HTTP)
• 443 (HTTPS) 转发到 80(HTTP)

在我的实例上，我有这个 Apache 配置:

And on my instance I have this Apache configuration:

• 对 *:80 的请求重定向到 https://www.mywebsite
• *:443 已配置

显然它有效，但这是正确的做法吗?

Apparently it's working but is it the right way to do?

感谢您的帮助

席琳

PS:当我开始配置 ELB 时，我指示 443 转发到 443 但后来我不得不回答奇怪的问题以进行身份​​验证...

PS: When I started to configure the ELB I indicated 443 forwarding to 443 but then I had to answer strange questions for the authentication...

推荐答案

问题中描述的配置不起作用，因为它创建了一个永无止境的重定向:443(ELB) forwarding to 80(Apache) forwarding to 443(ELB) 转发到 80(Apache) 转发到 443(ELB) 等

The configuration as described in the question didn't work because it created a never ending redirection: 443(ELB) forwarding to 80(Apache) forwarding to 443(ELB) forwarding to 80(Apache) forwarding to 443(ELB), etc.

所以，我修改了 ELB 配置:

So, I modified the ELB configuration to have:

• 443 (HTTPS) 转发到 443 (HTTPS)
• 80 (HTTP) 转发到 80 (HTTP)

当我创建侦听器 443 (HTTPS) 转发到 443 (HTTPS) 时，我没有回答有关身份验证的问题.当我查看 ELB 描述时，我可以看到后端身份验证:已禁用"

When I created the listener 443 (HTTPS) forwarding to 443 (HTTPS), I didn't get to answer questions concerning the authentication. When I look on the ELB description I can see "Backend Authentication: Disabled"

健康检查在 HTTPS:443 上完成

The Health Check is done on HTTPS:443

(我还修改了实例安全组:只有负载均衡器可以访问80和443端口的实例)

(I also modified the instance security group: only the load balancer can access the instance on ports 80 and 443)

更新:

另一种解决方案是在实例上只打开端口 80:

Another solution is to have only port 80 open on the instance:

• 80 (HTTP) 转发到 80 (HTTP)
• 443 (HTTPS) 转发到 80 (HTTP)

但是使用X-Forwarded-Proto来判断客户端是使用HTTP还是HTTPS，只有在X-Forwarded-Proto = http时才转发到HTTPS

but to use X-Forwarded-Proto to determine if the client used HTTP or HTTPS and forward to HTTPS only if X-Forwarded-Proto = http

Apache 示例:

<VirtualHost *:80>
    ...
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    ...
</VirtualHost>

行 RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker 已添加，因此不会重定向 ELB 检查.请参阅 https://serverfault.com/questions/470015/how-should-i-configure-my-elb-health-check-when-using-namevirtualhosts-and-redir 其他关于健康检查的解决方案

The line RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker has been added so the ELB check is not redirected. See https://serverfault.com/questions/470015/how-should-i-configure-my-elb-health-check-when-using-namevirtualhosts-and-redir for other solutions concerning the health check

有关 X-Forwarded-Proto 的 AWS 文档:http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html#x-forwarded-proto

AWS Documentation concerning X-Forwarded-Proto: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html#x-forwarded-proto

这篇关于HTTPS 网站的 ELB 和 Apache 配置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！