在Amazon EC2 ELB上安装SSL证书 [英] Installing SSL cert on Amazon EC2 ELB
问题描述
我是Amazon Web Services的新手,并且一直在尝试在EC2实例上安装SSL证书。我尝试了AWS文档,但发现它令人费解。然后我按照 http: //www.robertbrewitz.com/2014/09/aws-and-setting-up-a-custom-ssl-certificate/ 。
I'm new to Amazon Web Services and have been trying to install a SSL certificate on the EC2 instance. I tried following AWS documentation, but found it baffling. I then followed the guide at http://www.robertbrewitz.com/2014/09/aws-and-setting-up-a-custom-ssl-certificate/.
我用Go Daddy购买了我的SSL证书,并使用openssl生成了2个文件:
I bought my SSL cert with Go Daddy, and generated 2 files using openssl:
server.key
server.csr
指南说我应该期待3个证书:
The guide said I should expect 3 certificates:
DigiCertCA.crt
TrustedRoot.crt
star_yourdomain_com.crt
相反,我很容易收到2个名为的文件:
Instead, I confusingly received 2 files named:
f6f65901b1708ae5.crt
gd_bundle-g2-g1.crt
I假设 f6f65901b1708ae5.crt 是我的域名证书(但我不确定)。无论如何,指南说我需要一个Elastic Load Balancer来安装SSL证书,所以我创建了一个。
I assume f6f65901b1708ae5.crt is my domain cert (but I'm not certain). Anyway, the guide says I need an Elastic Load Balancer in order to install an SSL cert so I created one.
我使用以下内容生成私钥:
I generated the private key with:
openssl rsa -in server.key -text
和公钥证书:
openssl x509 -inform PEM -in f6f65901b1708ae5.crt
我还被要求进入证书链。我不确定这是什么以及如何获得它,所以我猜到了命令:
I was also required to enter a Certificate Chain. I wasn't sure what this was and how to get it, so I guessed the command:
openssl x509 -inform PEM -in gd_bundle-g2-g1.crt
并输入以---开头的结果证书密钥--BEGIN CERTIFICATE -----
and entered the resulting certificate key that began with "-----BEGIN CERTIFICATE-----"
指南继续,说我需要设置Cloudfront。我安装了aws命令行工具,为了生成我运行的PEM:
The guide continues, saying I then need to set up Cloudfront. I installed the aws command line tool and in order to generate the PEMs I ran:
openssl rsa -in server.key -text > aws_private.pem
openssl x509 -inform PEM -in f6f65901b1708ae5.crt > aws_public.pem
openssl x509 -inform PEM -in gd_bundle-g2-g1.crt > aws_public.pem
我上传了SSL证书:
aws iam upload-server-certificate --server-certificate-name mydomain_com \
--certificate-body file://aws_public.pem --private-key file://aws_private.pem \
--certificate-chain file://aws_chain.pem --path /cloudfront/mydomain_com/
这是成功的。
然后我必须创建一个Cloudfront发行版,我选择了SSL证书。
I then had to create a Cloudfront distribution, which I did, choosing the SSL cert.
但是当我转到我的https网址时( https:// www.example.org/ ),它不起作用。但是, http://www.example.org/ 可行。
However when I go to my https url (https://www.example.org/), it's not working. http://www.example.org/ however does work.
由于安装SSL证书的步骤非常多,我怀疑在此过程中我犯了一个错误。问题是,我不知道在哪里。有人指点吗?
As there are an extraordinarily large amount of steps just for installing an SSL cert, I suspect I've made a mistake along the way. The problem is, I don't know where. Has anybody any pointers?
此外,是否有更简单的方法来安装SSL证书?对于这么常见的事情来说,这似乎是非常复杂的。我愿意付钱给专家为我做这件事(我是一个软件开发人员,几乎不知道任何与SSL相关的知识),但是很难找到任何人完成这样的任务(并且有必要的问题)交出登录详细信息等)。任何帮助非常感谢。
Also, are there not any simpler ways for installing an SSL cert? It seems to be ridiculously complex for something so common. I'd be willing to pay an expert to do it for me (I'm a software developer with almost no knowledge of anything SSL related), but its difficult to find anyone for such a task (and there is the problem of having to hand over login details etc). Any help greatly appreciated.
编辑
以下建议是我应该使用 AWS Certificate Manager 。我看了一眼,这似乎是一个更加轻松的选择。但是,我确实花了86欧元购买Go Daddy的SSL证书,所以我更愿意,如果这不浪费。我的任何作品都可以挽救吗?是否有意转售SSL证书?
The suggestion below is that I should use AWS Certificate Manager. I've had a look and this seems like a far more painless option. However, I did spend 86 euro on an SSL cert from Go Daddy so I'd prefer if that didn't go to waste. Is any of my work salvageable? Are there mean to resell SSL certs?
编辑
我仍然没有'找到了一个真正的解决方案。为了澄清,我有一个非常小众的网站,访客很少。我在EC2实例上有该站点。我按照上面的网站建议使用Load Balancer和Cloudfront来加密SSL。然而,它不起作用,无论如何它可能是矫枉过正的。谁能帮我这个?我想使用我支付的SSL证书,但如果没有,我应该使用像Lets Encrypt这样的东西吗?
I still haven't found a real solution to this. To clarify, I have a very niche site that will have very few visitors. I have the site on a EC2 instance. I followed the site above which advised using a Load Balancer and Cloudfront in order to encrypt with SSL. However, it's not working and it's probably overkill anyway. Can anyone help me with this? I'd like to use the SSL cert I paid for, but if not, should I use something like Lets Encrypt?
推荐答案
您提到指南说要预期3个文件,包括DigiCertCA.crt文件;听起来它是用DigiCert作为您的证书提供商而不是GoDaddy写的。
You mentioned the guide saying to expect 3 files, including a "DigiCertCA.crt" file; sounds like it was written with DigiCert as your cert provider in mind, rather than GoDaddy.
首先,以确保f6f65901b1708ae5.crt包含您所要求的证书(并留下任何疑问)。为此,您可以在server.csr文件(即证书签名请求)中比较数据(例如公共名称(CN),DNS主题备用名称(SAN)等)什么是f6f65901b1708ae5.crt文件:
First, to make sure that that "f6f65901b1708ae5.crt" contains your requested certificate (and lay to rest any doubts there). To do this, you can compare the data (e.g. Common Name (CN), DNS Subject Alternative Names (SANs), etc) in your "server.csr" file (that's the Certificate Signing Request) with what's in that "f6f65901b1708ae5.crt" file:
$ openssl req -noout -text < server.csr
这应该在CSR文件中显示关于域的详细信息的人类可读文本。与之相比:
This should display human-readable text about the details for your domain in the CSR file. Compare that with:
$ openssl x509 -noout -text < f6f65901b1708ae5.crt
这应该显示类似的人类可读文本,填写更多细节/字段。但是他们应该大致有你期望的。 注意如果您看到与此类似的错误:
This should display similar human-readable text, with more details/fields filled in. But they should roughly have what you expect. Note that if you see an error similar to this:
51299:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
然后它表明您的f6f65901b1708ae5.crt文件是DER格式,而不是PEM格式。如果没有,那么您已经有了一个PEM文件,这是AWS ELB所期望的。如果你有一个DER格式的证书,很容易转换为PEM格式,使用:
Then it suggests that your "f6f65901b1708ae5.crt" file is in DER format, not PEM format. If not, then you already have a PEM file, which is what AWS ELBs expect. If you have a DER formatted cert, it's easy to convert to PEM format, using:
$ openssl x509 -in f6f65901b1708ae5.crt -inform DER -out f6f65901b1708ae5.pem -outform PEM
我只是想通过提及这部分来彻底。
I just wanting to be thorough by mentioning this part.
现在假设我们知道f6f65901b1708ae5.crt包含您域名的PEM格式证书,我们已做好准备处理证书链部分。
Assuming, now, that we know that that "f6f65901b1708ae5.crt" contains the PEM formatted certificate for your domain, we're ready to handle the "certificate chain" part.
我查看了GoDaddy的在线证书库,看看你提到的gd_bundle-g2-g1.crt文件是否存在,它是。 (这些文件可以公开获取,因为它们包含供任何人/每个人使用的公共证书。)查看 gd_bundle-g2-g1.crt 文件,我发现它包含多个证书。这很重要。
I looked at GoDaddy's online certificate repository, to see if the "gd_bundle-g2-g1.crt" file you mentioned was there, and it was. (It's OK for these files to be publicly available, as they contain the public certificates which are meant for anyone/everyone to use.) Looking at that gd_bundle-g2-g1.crt file, I found that it contains multiple certificates. This is important.
请参阅证书链是提供信任路径(或链)的文件列表,从那个f6f65901b1708ae5.crt证书,您必须获得受信任的根GoDaddy CA证书。每个证书都有主题(发布到的人)和颁发者(发布者)。这意味着您可以从证书到发行人的证书向后走到该证书的颁发者证书等。向后走是证书链。
See, a "certificate chain" is a list of files which provide a trust path (or "chain"), from that "f6f65901b1708ae5.crt" certificate you have to the trusted root GoDaddy CA certificate. Each certificate has a subject (who it was issued to), and an issuer (who issued it). This means that you can walk "backward", from your certificate to the issuer's certificate, to that certificate's issuer's certificate, etc. This walking backward is the "certificate chain".
gd_bundle-g2-g1.crt文件包含多个证书这一事实意味着该文件包含证书链你需要。这也意味着您不想要这样做:
The fact that that "gd_bundle-g2-g1.crt" file contains multiple certificates implies that that file contains the certificate chain you need. It also means that you do not want to do this:
$ openssl x509 -inform PEM -in gd_bundle-g2-g1.crt > aws_public.pem
因为 openssl x509 只读指定文件中的第一个证书,您需要所有。
because openssl x509 only reads the first certificate in the specified file, and you need all of them.
考虑到上述所有情况,您可能只需要以下内容(以确保您的私钥是PEM格式化):
Given all of the above, you might need only the following (to make sure that your private key is PEM formatted):
$ openssl rsa -in server.key -text > aws_private.pem
然后,因为我们假设f6f65901b1708ae5.crt已经是PEM格式(如果没有,你知道如何在上面转换它),并且我们知道gd_bundle-g2-g1.crt已经是PEM格式化的,我们现在准备将这些上传到AWS ELB。
And then, since we'll assume that "f6f65901b1708ae5.crt" is already PEM formatted (and if not, you know how to convert it above), and we know that "gd_bundle-g2-g1.crt" is already PEM formatted, we'll now be ready to upload these to the AWS ELB.
要上传证书和密钥以供ELB使用,请使用类似这个:
To upload the certificates and key for use by the ELB, use something like this:
$ aws iam upload-server-certificate \
--server-certificate-name redmatterapp_com2 \
--certificate-body file://f6f65901b1708ae5.crt \
--private-key file://aws_private.pem \
--certificate-chain file://gd_bundle-g2-g1.crt \
--path /cloudfront/redmatterapp_com/
注意我使用了不同的 - server-certificate-name ,只是为了确保它没有覆盖/与现有配置冲突。作为建议,您可以包括创建上载证书的日期(或者,更好的是,当它将到期时),作为名称的一部分,作为您未来自我的暗示该证书已添加,例如redmatterapp_com-2016-02-18。
Note that I used a different --server-certificate-name, just to make sure it didn't override/conflict with your existing configuration. As a suggestion, you might include the date of when the cert being uploaded was created (or, better, when it will expire), as part of the name, as a hint to your future self of when that cert was added, e.g. "redmatterapp_com-2016-02-18".
同样注意如果你如果不使用CloudFront,那么您应该不使用 - path 选项。如果 使用CloudFront然后删除它,我强烈建议再次执行上面的 aws iam upload-server-certificate 命令一个不同的 - server-certificate-name 而没有 - path 选项(并删除以前的名称)。这可能意味着重新配置任何现有的ELB HTTPS侦听器以使用新的证书名称,但可能有必要,因为 - path 会影响SSL处理。
Also note that if you are not using CloudFront, then you should not use the --path option. If you were using CloudFront and then removed it, I'd highly recommend doing the above aws iam upload-server-certificate command again, only with a different --server-certificate-name and no --path option (and removing the previous name). This may mean re-configuring any existing ELB HTTPS listeners to use the new certificate name, but it may be necessary, as that --path affects SSL handling.
完成上述操作后,使用例如 AWS控制台,您应该能够配置您的AWS ELB,并在监听器选项卡下单击编辑。为https添加一个监听器例如。添加任何支持SSL的侦听器时,您会在SSL证书列/选项卡下看到更改链接。单击更改,然后选择现有证书按钮。在证书名称下拉列表中,您应该看到上面使用的 - server-certificate-name 字符串/标签的条目。选择该条目,然后单击保存。现在,您的AWS ELB上与该Listener的连接应正确配置为浏览器可信任的SSL / TLS连接。
Once the above is done, using the e.g. AWS Console, you should be able to configure your AWS ELB, and under the "Listeners" tab, click "Edit". Add a Listener e.g. for "https". When adding any SSL-capable listener, you'll see a "Change" link appear under the "SSL Certificate" column/tab. Click that "Change", and choose the "existing certificate" button. Under the "Certificate Name" dropdown, then, you should see an entry for the --server-certificate-name string/label you used above. Choose that entry, then click "Save". Now connections to that Listener, on your AWS ELB, should be properly configured for SSL/TLS connections that browsers will trust.
因此,HTTPS Listener配置如下所示:
Thus the HTTPS Listener configuration would look something like:
- 负载均衡器协议:HTTPS
- 负载均衡器端口:443
- 实例协议:HTTP
- 实例端口:80
- 密码:(默认策略)
- SSL证书:(
- server-certificate-namename)
- Load Balancer Protocol: HTTPS
- Load Balancer Port: 443
- Instance Protocol: HTTP
- Instance Port: 80
- Cipher: (default policy)
- SSL Certificate: (
--server-certificate-namename)
请注意,您不也希望将端口443用于实例端口;如果你这样做,那就说你想要从ELB到你的实例的HTTPS ,这通常不需要 。 (一些安全站点需要这个,但这是一个不同的主题/存储。)因此,上面配置ELB来处理SSL终止;到实例上的Node.js服务器,它只接收端口80上的纯HTTP请求:
Note that you do not want to use port 443 for the instance port as well; if you do, that says that you want HTTPS from the ELB to your instance, which is not usually needed. (Some secure sites want this, but that's a different topic/store.) Thus the above configures the ELB to handle the SSL termination; to your Node.js server on the instance, it only ever receives plain HTTP requests on port 80:
client ---> HTTP ---> ELB port 80 ---> HTTP ---> server port 80
client ---> HTTPS --> ELB port 443 --> HTTP ---> server port 80
如果您的服务器需要知道原始请求是HTTP还是HTTPS,请查找对于的X-Forwarded-For (以及其他请求标头),AWS ELB将自动添加到请求中。
If your server needs to know whether the original request was HTTP or HTTPS, look for the X-Forwarded-For (and other request headers) that the AWS ELB will automatically add to the request.
现在,一旦配置了ELB,这是验证它是否正常工作的一个很好的步骤。首先,您可以使用 openssl s_client 来验证SSL握手是否有效:
Now, once you have the ELB configured, it's a good step to verify that it's working properly. First, you can use openssl s_client to verify that the SSL handshake works:
$ openssl s_client -connect example.com:443
CONNECTED(00000003)
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=redmatterapp.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=example.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 4929 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
...
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
上面显示我们成功完成了SSL握手,您可以看到它显示带有GoDaddy名称的证书链; 服务器证书部分应与您加载的f6f65901b1708ae5.crtPEM文件匹配。
The above shows that we successfully completed an SSL handshake, and you can see that it shows the cert chain with the GoDaddy names; the "Server certificate" section should match the "f6f65901b1708ae5.crt" PEM file you loaded.
现在测试 HTTPS 部分;为此,我喜欢使用 curl ,如下所示:
Now to test the HTTPS part; for this, I like to use curl, like so:
$ curl -kv https://example.com/
-v 选项显示更多信息,特别是证书是否与DNS名称匹配; -k 告诉 curl 忽略任何证书不匹配/问题,以便我们可以看到有关事物的详细信息。
The -v option display more information, in particular whether the certificate matches the DNS name or not; the -k tells curl to ignore any certificate mismatches/issues, so that we can then see the verbose information about things.
这是需要更多配置的地方。 如果您在 curl 命令(或浏览器)中使用自动生成的ELB DNS名称,那么您很可能会看到安全警告/的问题。为什么?由于HTTPS的一部分正在验证您在URL 中使用的DNS名称是否与服务器证书中的域/主机名匹配,或者作为证书中的公用名(CN),或作为DNS主题备用名称(SAN)之一。您可能没有在GoDaddy的证书签名请求(CSR)中包含ELB DNS名称。
This is where a little more configuration is necessary. If you use the auto-generated ELB DNS name in your curl command (or in your browser), then you will most likely see security warnings/issues. Why? Because part of HTTPS is verifying that the DNS name you use in your URL matches the domain/host name in your server certificate, either as the Common Name (CN) in your certificate, or as one of the DNS Subject Alternative Names (SANs). And you probably didn't include the ELB DNS name in your Certificate Signing Request (CSR) to GoDaddy.
这意味着,下一步是配置一个指向AWS ELB名称的DNS CNAME记录,例如:
This means, then, that the next step is to configure a DNS CNAME record that points to the AWS ELB name, e.g.:
www.example.com CNAME to aws-elb-1.elb.amazonaws.com
如果您使用AWS进行DNS,那么您可以使用例如 Route 53.然后你重试 curl 命令(或浏览器):
If you're using AWS for DNS, then you could do this using e.g. Route 53. Then you retry your curl command (or browser):
curl -kv https://www.example.com/
另一个需要注意的重要事项(你可以在 curl -v 输出中看到这一点)是主机请求标题。一些HTTP服务器(即在后端实例上运行的服务器)对那里的值非常挑剔;他们希望主机标头匹配其配置中的内容,如果不匹配,他们可能会拒绝该请求。
Another important thing to watch for (and you can see this in the curl -v output) is the contents of the Host request header. Some HTTP servers (i.e. the one running on your backend instance) are very picky about the value there; they want the Host header to match something in their configuration, and if it doesn't, they may refuse the request.
另一个常见的问题是:
- HTTP 503服务不可用:后端服务器处于容量
如果您从ELB获得此响应,通常意味着您的后端服务器没有响应或无法响应ELB healtcheck 。仔细检查用于ELB healtcheck的端口和路径/ URL是否正确,和,任何防火墙或AWS安全组都允许从ELB到您的实例的连接。
If you get this response from your ELB, it usually means that your backend servers are not responding or are failing to respond to the ELB healtcheck. Double-check that the port and path/URL used for the ELB healtcheck are correct, and that any firewalls or AWS Security Groups allow connectivity from the ELB to your instances.
所以,现在你应该有一个ELB,它将端口80(HTTP)和端口443(HTTPS)转发到你的后端实例。并且您在DNS中有www.example.com的CNAME记录,指向该ELB名称。还剩下什么?
So, now you should have an ELB which forwards port 80 (HTTP) and port 443 (HTTPS) to your backend instances. And you have a CNAME record for "www.example.com" in DNS that points to that ELB name. What's left?
我高度建议将HTTP服务器配置为始终重定向到相同网址的HTTPS等价物。为什么?
I highly recommend configuring your HTTP server to always redirect to the HTTPS equivalent of the same URL. Why?
为了保证客户端和服务器之间的数据安全,现在需要使用SSL / TLS。因此,越来越多的浏览器首先自动尝试HTTPS,并且只是不情愿地使用HTTP作为后备。像Chrome(和其他人)这样的浏览器希望避免这种HTTP后备,以便他们引入像 HTTP Strict这样的机制传输安全:您的网站告诉浏览器只为网站使用HTTPS,而不是HTTP 的一种方式。此外,它总是一个更好的营销故事;事实上,如果你不使用HTTPS,你可能会得到客户/用户的负面反应。
For security of the data between your clients and your server, using SSL/TLS is now expected. So much so that more and more browsers automatically try HTTPS first, and only begrudgingly use HTTP as a fallback. Browsers like Chrome (and others) want to avoid this HTTP fallback so much so that they've introduced mechanisms like HTTP Strict Transport Security: a way for your site to tell the browser to only ever use HTTPS for the site, never HTTP. Plus it's always a better marketing story; in fact, you can expect to get negative reactions from your clients/users if you don't use HTTPS.
还有另一件事情是使用所有网站流量的HTTPS都可以保护您免受:其他人使用其DNS名称和您的ELB。您有www.example.com的CNAME记录,指向aws-elb-1.elb.amazonaws.com。但是如果我还为www.evilco.com创建我自己的CNAME,它指向相同的aws-elb-1.elb.amazonaws.com呢?访问www.evilco.com的人会看到您的网站,并认为这是我的网站!
There's another thing that using HTTPS for all your site's traffic protects you from: someone else using their DNS name and your ELB. You have a CNAME record for "www.example.com" that points to "aws-elb-1.elb.amazonaws.com". But what if I also create my own CNAME for "www.evilco.com", which points to the same "aws-elb-1.elb.amazonaws.com"? Folks going to "www.evilco.com" will see your site, and think it's mine!
强制您网站的所有流量如果是HTTPS,您强制所有HTTPS客户端验证服务器提供的证书(即您的f6f65901b1708ae5.crt文件)包含公用名(CN)或DNS主题备用名称(SAN)匹配客户端在其URL中使用的域名。显然,您的证书不包含www.evilco.com的CN或DNS SAN,因此验证过程将失败 - 并且最终用户会看到某些内容可疑。但是,如果你的网站也允许HTTP流量,这种现象可能会发生 - 你看着你网站的日志就永远不会知道!
By forcing all traffic for your site to be HTTPS, you force all of the HTTPS clients to verify that the certificate presented by the server (i.e. your "f6f65901b1708ae5.crt" file) contains a Common Name (CN) or DNS Subject Alternative Name (SAN) that matches the domain name the client used in its URL. Obviously your certificate does not contain CN or DNS SANs for "www.evilco.com", and thus that verification process would fail -- and the end user would see that something is fishy. But if you allow HTTP traffic as well for your site, this phenomenon could happen -- and you, looking at your site's logs, would never know!
我自己没有使用AWS证书管理器或CloudFront(因此我无法对它们发表评论),但我已经使用了以上内容多个进程,多个进程,用于多个域的多种证书配置。
I've not used the AWS Certificate Manager, or CloudFront, myself (so I can't comment on them), but I have used the above process, multiple times, for various certificate provisioning of multiple domains, at multiple jobs.
希望这会有所帮助!
这篇关于在Amazon EC2 ELB上安装SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
