使用来自 ACM 的证书强制在 elasticbeanstalk 中使用 https [英] Forcing https in elasticbeanstalk with certificate from ACM

问题描述

我已经配置了一个可扩展的 EB(Elasticbeanstalk) rails(puma) 实例.我已经通过 ACM(Amazon Certificate Manager) 申请了 https 并将其应用于我的负载均衡器.我的网站现在启用了 HTTPS.但是如何强制重定向到 https?我在网上尝试了许多解决方案，建议通过 .ebextensions 手动进行 nginx 配置设置，但我不确定在哪里可以从 ACM 获取证书?(我假设现在 ACM 无法做到这一点?).如何强制使用 HTTPS?

I have provisioned a scalable EB(Elasticbeanstalk) rails(puma) instance. I have applied for https through ACM(Amazon Certificate Manager) and applied it to my load balancer. HTTPS is enabled for my website now. But how do I force redirect to https? I have tried a number of solutions online where it was suggested to make a nginx configuration setting manually through .ebextensions and I am not sure where to get the certificate from ACM for this?(I am assuming that is not possible with ACM right now?). How do I force HTTPS?

推荐答案

当前的 AWS EB Rails 和 Node.js 设置都使用 nginx(如果您的 Web 服务器是 apache，请参阅 这个答案)，所以以下应该可以工作(改编自这个问题):

The current AWS EB Rails and Node.js setups both use nginx (if your web server is apache see this answer), so the following should work (adapted from this question):

创建文件 .ebextensions/01-force-https.config(.config 很重要，而不是 .conf)以下内容.

Create the file .ebextensions/01-force-https.config (the .config is important, not .conf) with the following content.

如果您的环境是单个实例:

If your environment is a single instance:

files:
  "/etc/nginx/conf.d/01-force-https.conf":
    owner: root
    group: root
    mode: "000644"
    content: |
      server {
          listen 8080;
          return 301 https://$host$request_uri;
      }

如果您的环境是负载平衡的，很遗憾您不能简单地添加到现有配置中，而是需要使用 sed 对其进行修改:

If your environment is load balanced, you unfortunately cannot simply add to the existing config but need to modify it with sed:

files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash

      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          sed -i '/listen 80;/a     if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }
' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

然后将其添加到您的 git repo 或应用程序包和 eb deploy.这会创建 /etc/nginx/conf.d/01-force-https.conf，它会自动包含在 /etc/nginx/nginx.conf 中.请注意，如果您稍后从 .ebextensions 中删除相应的文件，eb deploy 不会删除服务器上的文件.此外，我发现以下有助于通过 eb ssh 进行调试:

Then add it to your git repo or app bundle and eb deploy. This creates /etc/nginx/conf.d/01-force-https.conf which is automatically included from /etc/nginx/nginx.conf. Note that eb deploy won't delete the file on the server if you later remove the corresponding file from .ebextensions. Also, I found the following helpful in debugging through eb ssh:

sudo service nginx configtest
sudo service nginx restart

这篇关于使用来自 ACM 的证书强制在 elasticbeanstalk 中使用 https的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！