CloudFront error when serving over HTTPS using SNI


Question


Amazon recently rolled out a new feature on CloudFront that supports custom SSL certificates at no charge using SNI (Server Name Indication).


I got my distribution set up with a free Class 1 certificate from StartSSL and everything was working when I was noticing that the site would go down a short time after it's deployed. Running SSL Checker returns that my certificate is working properly:


But then I would hit this error page when trying to access the site via HTTPS (it would work for the first request then go down in subsequent attempts to connect).


Here's a verbose output when accessing with ssl (succeeds on index):

$ curl -I -v -ssl https://wikichen.is
* Adding handle: conn: 0x7f9f82804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f9f82804000) send_pipe: 1, recv_pipe: 0
* About to connect() to wikichen.is port 443 (#0)
*   Trying 54.230.141.222...
* Connected to wikichen.is (54.230.141.222) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_RC4_128_MD5
* Server certificate: www.wikichen.is (6w984WNu7vM5OrdU)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> HEAD / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: wikichen.is
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 1153
Content-Length: 1153
< Connection: keep-alive
Connection: keep-alive
< Date: Sun, 09 Mar 2014 16:09:54 GMT
Date: Sun, 09 Mar 2014 16:09:54 GMT
< Cache-Control: max-age=120
Cache-Control: max-age=120
< Content-Encoding: gzip
Content-Encoding: gzip
< Last-Modified: Wed, 05 Mar 2014 20:40:48 GMT
Last-Modified: Wed, 05 Mar 2014 20:40:48 GMT
< ETag: "34685bc45353d1030d3a515ddba78f3e"
ETag: "34685bc45353d1030d3a515ddba78f3e"
* Server AmazonS3 is not blacklisted
< Server: AmazonS3
Server: AmazonS3
< Age: 4244
Age: 4244
< X-Cache: Hit from cloudfront
X-Cache: Hit from cloudfront
< Via: 1.1 4f672256eaca5524999342dc8678cdd2.cloudfront.net (CloudFront)
Via: 1.1 4f672256eaca5524999342dc8678cdd2.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: h4TEULH44TCi7m2lL42A8lO-5-Gmx8iY2M2C1AOmRlK543zFN6jCtQ==
X-Amz-Cf-Id: h4TEULH44TCi7m2lL42A8lO-5-Gmx8iY2M2C1AOmRlK543zFN6jCtQ==

<
* Connection #0 to host wikichen.is left intact


Then fails on other pages:

$ curl -i -v https://wikichen.is/writing/index.html
* Adding handle: conn: 0x7fa153804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fa153804000) send_pipe: 1, recv_pipe: 0
* About to connect() to wikichen.is port 443 (#0)
*   Trying 54.230.140.160...
* Connected to wikichen.is (54.230.140.160) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_RC4_128_MD5
* Server certificate: www.wikichen.is (6w984WNu7vM5OrdU)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> GET /writing/index.html HTTP/1.1
> User-Agent: curl/7.30.0
> Host: wikichen.is
> Accept: */*
>
< HTTP/1.1 502 Bad Gateway
HTTP/1.1 502 Bad Gateway
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 472
Content-Length: 472
< Connection: keep-alive
Connection: keep-alive
* Server CloudFront is not blacklisted
< Server: CloudFront
Server: CloudFront
< Date: Sun, 09 Mar 2014 17:54:41 GMT
Date: Sun, 09 Mar 2014 17:54:41 GMT
< Age: 6
Age: 6
< X-Cache: Error from cloudfront
X-Cache: Error from cloudfront
< Via: 1.1 9096435f28f91f92bacdf76122de09ee.cloudfront.net (CloudFront)
Via: 1.1 9096435f28f91f92bacdf76122de09ee.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: iAUOQbP8O4A0pI9KGvVz0VgBT1TW-j0yVDa7vdSvIAuxnKOyQghtnw==
X-Amz-Cf-Id: iAUOQbP8O4A0pI9KGvVz0VgBT1TW-j0yVDa7vdSvIAuxnKOyQghtnw==

<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
</BODY></HTML>

<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated by cloudfront (CloudFront)
</ADDRESS>
* Connection #0 to host wikichen.is left intact
</BODY></HTML>%


Would love some pointers as to where to start troubleshooting.

Accepted answer


A kind rep by the name of Alastair@AWS from the AWS CloudFront forums solved this for me:


I have identified your CloudFront distribution and the S3 bucket acting as the origin for this distribution.


I can re-create and explain the intermittent '502 Bad Gateway' response you are receiving.


This response is returned by CloudFront when you attempt to access a URL using the HTTPS protocol that is not currently cached by CloudFront. The reason for this error is CloudFront is attempting to contact your origin using the HTTPS protocol, and this is failing.


The reason for this failure is you have configured your origin as an S3 bucket, but you are using the "Custom Origin" type and directing to the S3 website URL for this bucket. If you attempt to hit your S3 website URL using HTTPS, you will note this does not work. S3 website hosting only supports serving content using the HTTP protocol (http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff).


Now, the intermittent page load behavior you are seeing is due to CloudFront returning the pages it currently has in its cache. You should be able to re-create this scenario as follows:

  1. Hit a page on your site using HTTPS. You should get a '502 Bad Gateway' error back.
  2. Hit the same page using HTTP. You should see the page.
  3. Hit the page again using HTTPS. You should now get the expected result, as CF has served the content from its cache rather than attempting to contact your origin.


To resolve this issue, please try the following:

  1. Open the CloudFront Management Console and open your distribution.
  2. Navigate to the Origins tab, select your origin and click "Edit"
  3. Modify the "Origin Protocol Policy" to "HTTP Only".
  4. Save the changes and wait about 15 minutes for the change to take effect.
  5. Test


My expectation is this will force CloudFront to contact your origin using HTTP only. I have tested this in my environment with an S3 Website hosted bucket and I can successfully load content via both HTTP and HTTPS.

Link to the original forum thread below.
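The misconfiguration the AWS rep describes (a "Custom Origin" pointing at an S3 website endpoint while the Origin Protocol Policy still lets CloudFront talk HTTPS to it) and the cache-masking symptom in the question are both mechanical enough to check with a script. The following is an added example, not AWS code and not code from the asker or from Alastair@AWS. It assumes a DistributionConfig dict shaped like the JSON returned by `aws cloudfront get-distribution-config`, and the bucket, origin IDs and header dumps in it are constructed placeholders modelled on the thread. It lints the origins, applies the recommended `http-only` fix to a copy, and classifies curl header dumps so you can tell a genuine cache hit from an origin failure.

```python
"""Offline triage helpers for the CloudFront + S3 website-endpoint problem in
this thread. Added example, not AWS code and not the asker's or the AWS rep's.
Assumes a DistributionConfig dict shaped like the JSON that
`aws cloudfront get-distribution-config` returns; names below are constructed."""
import copy
import re

# Both S3 website endpoint spellings: bucket.s3-website-<region>.amazonaws.com
# (dash) and bucket.s3-website.<region>.amazonaws.com (dot), plus the .cn suffix.
S3_WEBSITE_RE = re.compile(r"\.s3-website[-.][a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def is_s3_website_endpoint(domain):
    """True if the origin hostname is an S3 *website* endpoint (HTTP only)."""
    return S3_WEBSITE_RE.search(domain.strip().lower()) is not None


def lint_origins(distribution_config):
    """Flag every Custom Origin that points at an S3 website endpoint while its
    OriginProtocolPolicy still allows CloudFront to use HTTPS to the origin
    ('match-viewer' or 'https-only'). Those origin fetches fail with 502."""
    findings = []
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        domain = origin.get("DomainName", "")
        if custom is None or not is_s3_website_endpoint(domain):
            continue  # S3OriginConfig (REST endpoint) origins support HTTPS; skip
        policy = custom.get("OriginProtocolPolicy", "")
        if policy != "http-only":
            findings.append({
                "origin_id": origin.get("Id"),
                "domain": domain,
                "policy": policy,
                "fix": "set OriginProtocolPolicy to http-only, or use the S3 REST "
                       "endpoint as an S3 origin if website features are not needed",
            })
    return findings


def apply_http_only_fix(distribution_config):
    """Return a deep copy with the flagged origins switched to http-only
    (the change the AWS rep recommends); the input is left untouched."""
    fixed = copy.deepcopy(distribution_config)
    flagged = {f["origin_id"] for f in lint_origins(fixed)}
    for origin in fixed.get("Origins", {}).get("Items", []):
        if origin.get("Id") in flagged:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "http-only"
    return fixed


def classify_response(raw_headers):
    """Classify a CloudFront response from a curl -i / -v header dump.
    'cache-hit'    : X-Cache says Hit, origin was not contacted (masks the bug)
    'origin-error' : X-Cache says Error, or status is 502/503/504
    'origin-ok'    : X-Cache says Miss/RefreshHit, origin answered
    """
    status = None
    headers = {}
    for line in raw_headers.splitlines():
        line = line.strip()
        if line.startswith("< "):       # tolerate curl -v's response prefix
            line = line[2:]
        if line.upper().startswith("HTTP/"):
            parts = line.split()
            if len(parts) >= 2 and parts[1].isdigit():
                status = int(parts[1])
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    x_cache = headers.get("x-cache", "").lower()
    if x_cache.startswith("error") or status in (502, 503, 504):
        return "origin-error"
    if x_cache.startswith("hit"):
        return "cache-hit"
    if x_cache.startswith(("miss", "refreshhit")):
        return "origin-ok"
    return "unknown"


# Constructed sample config mirroring the thread's setup: a Custom Origin on the
# S3 website endpoint with match-viewer, plus a correctly configured S3 origin.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "site-website-origin",
         "DomainName": "example-site.s3-website-us-east-1.amazonaws.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "match-viewer"}},
        {"Id": "assets-rest-origin",
         "DomainName": "example-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
}

# Constructed header dumps reduced from the two curl captures in the question.
HIT_HEADERS = "HTTP/1.1 200 OK\nServer: AmazonS3\nAge: 4244\nX-Cache: Hit from cloudfront\n"
ERROR_HEADERS = "< HTTP/1.1 502 Bad Gateway\n< Server: CloudFront\n< X-Cache: Error from cloudfront\n"

if __name__ == "__main__":
    for f in lint_origins(SAMPLE_CONFIG):
        print("MISCONFIGURED origin %(origin_id)s (%(domain)s, policy=%(policy)s): %(fix)s" % f)
    print("after fix:", lint_origins(apply_http_only_fix(SAMPLE_CONFIG)))
    print("first capture:", classify_response(HIT_HEADERS))
    print("second capture:", classify_response(ERROR_HEADERS))
```

Two points worth keeping in mind when reading the findings. `X-Cache: Hit from cloudfront` with a large `Age` means the edge never contacted the origin for that request, which is why the first capture in the question succeeds and hides the fault; only `Error from cloudfront` / `Server: CloudFront` on a 502 shows the origin fetch failing. And the `http-only` fix makes the CloudFront-to-origin hop plaintext HTTP by design, because the S3 website endpoint offers nothing else; if the site does not need website-hosting features (index documents resolved for directory paths, redirect rules), pointing CloudFront at the bucket's REST endpoint as an S3 origin keeps that hop on HTTPS as well.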

