HTTPS 仅适用于本地主机 [英] HTTPS only works on localhost
问题描述
我正在尝试在我的一个 EC2 实例上设置 https.我已经这样做了很多次,但出于某种原因,在这个例子中,它拒绝工作.
I am trying to setup https on one of my EC2 instances. I've done this many times, but for some reason, for this instance, it refuses to work.
问题
当我通过本地 ip 连接到域时,https 工作正常.当我通过公共 ip 连接到域时,https 不起作用,浏览器响应为 ERR CONNECTION REFUSED"
When I connect to the domain via the local ip, the https works fine. When I connect to the domain via the public ip, the https does not work and the browser repsonse is "ERR CONNECTION REFUSED"
我有时候reload的时候,可以看到它接受了https,然后马上就屏蔽了,好像有防火墙规则,但是没有.
When I reload sometimes, you can see it accepted the https, and then it blocks it immediately, almost as if there is a firewall rule, but there isnt.
普通 http 100% 本地和公共工作.
normal http works 100% local and public.
现阶段我没有通过亚马逊上的安全组阻止任何端口.我没有关于 ip 表的规则,我已经禁用了 ufw.
I am not blocking any ports at this stage via Security groups on amazon. I have no rules on ip tables and I have disabled ufw.
我为 apache 启用了 SSL,测试密钥在本地运行良好.
I have enabled SSL for apache and the test keys works fine locally.
这是 sudo netstat -tlnp 的输出
This is the output of sudo netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 937/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1060/mysqld
tcp6 0 0 :::22 :::* LISTEN 937/sshd
tcp6 0 0 :::443 :::* LISTEN 2798/apache2
tcp6 0 0 :::80 :::* LISTEN 2798/apache2
这是我的/etc/apache2/ports.conf 文件:
This is my /etc/apache2/ports.conf file:
Listen 80
Listen 443
我已启用 default-ssl 站点,没有任何错误.
I have enabled the default-ssl site without any errors.
这是我的/etc/hosts 文件:
This is my /etc/hosts file:
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
我也尝试使用 0.0.0.0 而不是 127.0.0.0,但它什么也没做.
I also tried using 0.0.0.0 instead of 127.0.0.0 and it did nothing.
这是我网站的 apache conf 文件(出于安全目的,我用mysite.com"替换了我的真实站点名称):
This is my website's conf file for apache (I replaced my real site name with "mysite.com" for security purposes):
<VirtualHost *:80>
DocumentRoot /var/www/html/mysite.com
ServerName mysite.com
ServerAlias www.mysite.com
<Directory /var/www/html/mysite.com>
AllowOverride All
RewriteEngine On
Require all granted
Options -Indexes +FollowSymLinks
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/mysite.com
ServerName mysite.com
ServerAlias www.mysite.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/public.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCACertificateFile /usr/local/ssl/intermediate.crt
</VirtualHost>
这个完全相同的 conf 文件正在另一个实例上工作,这告诉我问题不在于这个文件.
This exact same conf file was working on another instance, which is telling me that the problem is not with this file.
我错过了什么?请任何帮助.提前致谢
What am I missing ? Any help please. Thanks in advance
这是我为 apache 加载的模块:
Here are my loaded modules for apache:
sudo apache2ctl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php5_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
wsgi_module (shared)
编辑 2
一些有趣的 apache error.log 条目,不是在我重新启动服务时,只是在几分钟前随机出现(这可能是导致问题的原因吗?):
EDIT 2
Some interesting apache error.log entries, not when I restarted the service, just randomly a few minutes earlier (could this be whats causing the problems ?):
[Wed Feb 17 21:04:48.478106 2016] [ssl:warn] [pid 3629] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 17 21:04:48.507277 2016] [ssl:warn] [pid 3630] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 17 21:04:48.507324 2016] [:warn] [pid 3630] mod_wsgi: Compiled for Python/3.4.0.
[Wed Feb 17 21:04:48.507329 2016] [:warn] [pid 3630] mod_wsgi: Runtime using Python/3.4.3.
[Wed Feb 17 21:04:48.509502 2016] [mpm_prefork:notice] [pid 3630] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 OpenSSL/1.0.1f mod_wsgi/3.4 Python/3.4.3 configured -- resuming normal operations
[Wed Feb 17 21:04:48.509517 2016] [core:notice] [pid 3630] AH00094: Command line: '/usr/sbin/apache2'
我禁用了 wsgi 模块只是为了确保这不是我的问题,然后重新启动了 apache 服务,但仍然没有运气,同样的问题.
I disabled the wsgi module just to make sure that's not my problem, and restarted apache service, still, no luck, same problem.
我正在转储我的一些 phpinfo() 以显示更多信息.SSL 设置为 YES.我不知道发生了什么:(
I'm dumping some of my phpinfo() to show more info. SSL is set to YES. I have no idea whats going on :(
我认为我可能需要在负载平衡器上添加 SSL 证书才能使任何一个工作正常.我现在正在尝试,会让大家知道...
I think that I might need to add the SSL certifiacte on the load balancer for any of this to even work. I'm trying that now, will let everyone know...
推荐答案
实现到位于 AWS 上 VPC 内负载均衡器后面的私有子网中的 EC2 实例的 HTTPS 流量的唯一方法是在负载均衡器 (ELB) 本身以及负载均衡器上特定服务器/域的证书.就我而言,即使您在负载均衡器的安全规则(入站、出站)和 EC2 实例(入站、出站)中打开了 HTTPS 443,ELB 仍会阻止该端口上到 EC2 实例的所有 HTTPS 流量,如果ELB 没有具有有效证书的侦听器.据我所知,文档中没有任何地方明确说明这一点.希望这会有所帮助.
The only way to achieve HTTPS traffic to an EC2 instance in a private subnet sitting behind a load balancer within a VPC on AWS, is to have an HTTPS listener on the load balancer (ELB) itself with the certificate of the specific server/domain on the load balancer. In my case, even if you have HTTPS 443 open in your security rules of the load Balancer (inbound, outbound) and on the EC2 instance (inbound, outbound), the ELB still blocks all HTTPS traffic on that port to the EC2 instance if the ELB does not have a listener with a valid certificate. No where in the documentation, as far as I have read, does it explicitly say that. Hope this helps.
使用 AWS cli 将证书从 EC2 实例提交到 IAM.
Submit the certificate from the EC2 instance into IAM using AWS cli.
我在服务器上添加了证书文件,不得不像这样将它们上传到 IAM(是的,file://部分是必需的,即使在 linux 上也是如此):
I added the certificate files on my server and had to upload them to IAM like so (yes, the file:// part is necessary, even on linux):
aws iam upload-server-certificate --server-certificate-name my-server-cert
--certificate-body file://my-certificate.pem --private-key file://my-private-key.pem
--certificate-chain file://my-certificate-chain.pem
如此处所述:http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
然后您需要在连接了 EC2 实例的 ELB 上设置一个侦听器.侦听器然后用于 HTTPS 和端口 443.侦听器将要求一个证书,它将具有您之前从 aws cli 添加的证书,已列出.如果未列出,请退出 AWS 控制台并重新登录.此后,通过 HTTPS 的流量将开始流向您的 EC2 实例.
Then you need to setup a listener on the ELB which has the EC2 instance attached to it. The listener is then for HTTPS and port 443. The listener will ask for a certificate and it will have the one you added from the aws cli earlier, already listed. If it is not listed, log out of the AWS console and log back in. After, this, traffic via HTTPS will start flowing to your EC2 instance.
我不确定是否需要这样做,因为我在负载均衡器的安全组上为 443 打开了端口,并且文档中没有任何地方明确说如果您使用负载均衡器,这是实现 HTTPS 连接的唯一方式.它只是解释了当您需要 HTTPS 负载平衡器时,这是要走的路,这可能意味着两件事,但是,我很高兴它已解决.
I wasn't sure that this was needed, because I had the ports open for 443 on the load balancer's security group and nowhere in the documentation does it explicitly say that if you use a load balancer, this is the ONLY way of achieving an HTTPS connection. It only explains that this is the way to go when you want a HTTPS load balancer, which can mean two different things, however, I'm glad it's sorted out.
这篇关于HTTPS 仅适用于本地主机的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
