我正在Docker容器中使用uWSGI运行Django应用程序。该容器是通过CLI从Elastic Beanstalk启动的,它使用负载均衡器(1到4个实例)。我修改了nginx配置以处理SSL层和基本的HTTP身份验证,这是.ebextensions / 01ssl.config内容的开始:
Resource
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: {Ref : AWSEBSecurityGroup}
# GroupId: {Ref : AWSEBSecurityGroup}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
files:
/etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf:
mode: "000644"
owner: root
group: root
content: |
# HTTPS Server
server {
listen 443;
server_name .mydomain.com;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://docker;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
问题是该应用程序可通过eb(ec2-x-x-x-x.eu-west-1.compute.amazonaws.com)创建的EC2实例访问,但不能通过负载平衡器URL(foobar-dev.elasticbeanstalk.com)访问。当我直接访问EC2实例时,nginx(负载均衡器,对吗?)正确处理了SSL和身份验证。
我的目标是与此应用程序一起使用Route53,但是当前,如果我按文档所述指定了负载均衡器URL,它将无法正常工作。
我错过了什么 ?
编辑1
谢谢Rico,但不幸的是,它没有用,至少,它帮助我深入研究了权限内容。 TCP端口443已经对EC2实例上的所有人开放(由于第一个.ebextensions块)。
如果在EB控制台>配置>网络层>负载平衡中添加带有证书的安全端口443,则由于存在HTTP身份验证,因此无法访问运行状况检查URL(错误401,状态检查为红色)。
我尝试在nginx配置中创建两个服务器,第一个侦听端口80并始终返回200,第二个重定向到我的应用程序并处理SSL和HTTP身份验证内容:
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: {Ref : AWSEBSecurityGroup}
# GroupId: {Ref : AWSEBSecurityGroup}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
files:
/etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf:
mode: "000644"
owner: root
group: root
content: |
map $http_upgrade $connection_upgrade {
default "upgrade";
"" "";
}
server {
listen 80;
location / {
return 200 'OK';
}
}
/etc/nginx/sites-enabled/docker_server.conf:
mode: "000644"
owner: root
group: root
content: |
# HTTPS Server
server {
listen 443;
server_name .example.com;
ssl on;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/certs/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://docker;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
在这种配置下,即使我连接到https://www.example.com,也无法访问第二台服务器,而是收到200 OK的消息。如何在端口443上重定向到我的应用程序?
最佳答案
200,有效。
重现步骤 :
aws elb create-load-balancer-listeners --load-balancer-name <my load balancer name> --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=arn:aws:iam::<my uploaded certificate>"(它无法从EB控制台>配置>网络层>负载均衡运行,因为负载均衡器端口443已转发到实例端口80)对我而言,下一步是创建一个脚本,该脚本将自动执行这些步骤。