HTTPS网站的ELB和Apache配置
[英]ELB and Apache configuration for HTTPS website
问题描述
I'm setting up ELB for a https website and I have questions concerning the ports configuration... 
我正在为https网站设置ELB,我对端口配置有疑问......
Right now I have this port configuration on the ELB: 现在我在ELB上有这个端口配置:
- 80 (HTTP) forwarding to 80 (HTTP) 80(HTTP)转发到80(HTTP)
- 443 (HTTPS) forwarding to 80 (HTTP) 443(HTTPS)转发到80(HTTP)
And on my instance I have this Apache configuration: 在我的实例上,我有这个Apache配置:
- requests to *:80 redirected to https://www.mywebsite 请求*:80重定向到https://www.mywebsite
- *:443 configured *:443已配置
Apparently it's working but is it the right way to do? 显然它正在工作,但这是正确的方法吗?
Thank you for your help 谢谢您的帮助
Celine 席琳
PS: When I started to configure the ELB I indicated 443 forwarding to 443 but then I had to answer strange questions for the authentication... PS:当我开始配置ELB时,我指示443转发到443,但后来我不得不回答奇怪的问题进行身份验证......
2 个解决方案
解决方案1
15 已采纳 2013-06-19 15:28:06
The configuration as described in the question didn't work because it created a never ending redirection: 443(ELB) forwarding to 80(Apache) forwarding to 443(ELB) forwarding to 80(Apache) forwarding to 443(ELB), etc. 问题中描述的配置不起作用,因为它创建了一个永无止境的重定向:443(ELB)转发到80(Apache)转发到443(ELB)转发到80(Apache)转发到443(ELB)等。
So, I modified the ELB configuration to have: 所以,我修改了ELB配置:
- 443 (HTTPS) forwarding to 443 (HTTPS) 443(HTTPS)转发到443(HTTPS)
- 80 (HTTP) forwarding to 80 (HTTP) 80(HTTP)转发到80(HTTP)
When I created the listener 443 (HTTPS) forwarding to 443 (HTTPS), I didn't get to answer questions concerning the authentication. 当我创建侦听器443(HTTPS)转发到443(HTTPS)时,我没有回答有关身份验证的问题。 When I look on the ELB description I can see "Backend Authentication: Disabled" 当我查看ELB描述时,我可以看到“后端身份验证:已禁用”
The Health Check is done on HTTPS:443 运行状况检查在HTTPS上完成:443
(I also modified the instance security group: only the load balancer can access the instance on ports 80 and 443) (我还修改了实例安全组:只有负载均衡器可以访问端口80和443上的实例)
Update: 更新:
Another solution is to have only port 80 open on the instance: 另一种解决方案是在实例上只打开端口80:
- 80 (HTTP) forwarding to 80 (HTTP) 80(HTTP)转发到80(HTTP)
- 443 (HTTPS) forwarding to 80 (HTTP) 443(HTTPS)转发到80(HTTP)
but to use X-Forwarded-Proto to determine if the client used HTTP or HTTPS and forward to HTTPS only if X-Forwarded-Proto = http 但是要使用X-Forwarded-Proto来确定客户端是使用HTTP还是HTTPS并且只有在X-Forwarded-Proto = http时转发到HTTPS
Example with Apache: Apache的示例:
<VirtualHost *:80>
...
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
...
</VirtualHost>
The line RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker has been added so the ELB check is not redirected. 已添加RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker因此不会重定向ELB检查。 See https://serverfault.com/questions/470015/how-should-i-configure-my-elb-health-check-when-using-namevirtualhosts-and-redir for other solutions concerning the health check 有关健康检查的其他解决方案,请参阅https://serverfault.com/questions/470015/how-should-i-configure-my-elb-health-check-when-using-namevirtualhosts-and-redir
AWS Documentation concerning X-Forwarded-Proto: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html#x-forwarded-proto 有关X-Forwarded-Proto的AWS文档: http : //docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html#x-forwarded-proto
解决方案2
0 2013-06-18 20:51:21
This is a valid way to do it. 这是一种有效的方法。 You can have the ELB handle SSL termination. 您可以让ELB处理SSL终止。
In some compliance cases the entire path has to be encrypted all the way to the instance. 在某些合规情况下,整个路径必须一直加密到实例。 If this doesn't apply to you, then you don't have to make any changes. 如果这不适用于您,则您不必进行任何更改。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.