AWS Elastic Load Balancer有选择地启用SSL
[英]AWS Elastic Load Balancer selectively enable SSL
问题描述
I currently have a rails-based web app that requires a small subset of pages to be served over HTTP - but prefer to serve the rest over HTTPS. 
我目前有一个基于Rails的Web应用程序,该应用程序需要一小部分页面才能通过HTTP进行服务-但希望通过HTTPS来提供其余的页面。 In my current AWS setup, SSL terminates at the elastic load balancer and all communication with my app servers is over HTTP. 在我当前的AWS设置中,SSL在弹性负载均衡器处终止,并且与我的应用程序服务器的所有通信都是通过HTTP进行的。 Because of this, solutions like Rack SSL Enforcer aren't appropriate. 因此,不适合使用机架式SSL Enforcer之类的解决方案。 Currently, I'm serving the following JS snippet in each page to handle the redirect: 目前,我在每个页面中提供以下JS代码段以处理重定向:
<% if should_be_ssl? %>
<script>
if (window.location.protocol != "https:"){
window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
}
</script>
<% else %>
<script>
if (window.location.protocol != "http:"){
window.location.href = "http:" + window.location.href.substring(window.location.protocol.length);
}
</script>
<% end %>
This results in a relatively significant performance hit each time one of these pages is accessed. 每次访问其中一个页面时,这都会导致相对显着的性能下降。 Does anyone know of a way to selectively serve certain pages over SSL and control this at the load balancer level? 有谁知道一种通过SSL选择性地提供某些页面并在负载均衡器级别进行控制的方法吗?
1 个解决方案
解决方案1
1 已采纳 2014-08-29 14:50:47
This isn't currently supported in the ELB itself, however the ELBs provide an X-Forwarded-Proto header. ELB本身当前不支持此功能,但是ELB提供了X-Forwarded-Proto标头。 You can check this to see whether the request from the client was over HTTPS. 您可以检查此内容以查看来自客户端的请求是否通过HTTPS。 You can then serve a redirect response rather than the page content if necessary. 然后,如有必要,您可以提供重定向响应,而不是页面内容。 See this blog post from the AWS guys for more information. 有关更多信息,请参阅AWS专家的博客文章 。
You'll have to implement this logic either 您要么必须实现此逻辑
with middleware, eg rack-ssl-enforcer
带有中间件,例如,rack-ssl-enforcer Looking at the documentation for rack ssl enforcer , it appears to support the
X-Forwarded-Protoout of the box, so you may not need to do anything at all.查看关于机架ssl强制执行器的文档,它似乎支持开箱即用的X-Forwarded-Proto,因此您可能根本不需要执行任何操作。 You can see in the source that the header is respected.您可以在源代码中看到标头受到尊重。 in your application (probably with a redirect response rather than on the client)
在您的应用程序中(可能带有重定向响应,而不是在客户端上) in a reverse proxy, eg an haproxy between your app server and the ELB
在反向代理中,例如您的应用服务器和ELB之间的代理 acl is_http hdr(X-Forwarded-Proto) http acl account_login url_beg /account/login redirect scheme https code 301 if account_login is_http
Depending on your configuration, if you have any other reverse proxies between the ELB and whatever's checking the header, you may need to configure those to pass the X-Forwarded-Proto header correctly. 根据您的配置,如果ELB与正在检查标头的对象之间还有其他反向代理,则可能需要配置它们以正确传递X-Forwarded-Proto标头。 See this issue , for instance. 例如,参见此问题 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.