如何为运行 nginx 的 Elastic Beanstalk 将 http 重定向到 https？

Question

I know there are a lot of SO questions on this exact topic. However, none seem to work with the latest version of Elastic Beanstalk / Docker combination.

I am running a Django/Python web app inside a Docker , which I then deploy to Elastic Beanstalk. I want http and https to be active, so I enabled both port 80 and 443 in the AWS EB configuration console. This works great. My site is accessible over both http and https. However, this isn't really what I want. I want port 80 ( http ) automatically forward to port 443 ( https ).

I've followed every piece of advice out there on SO and other forums to debug this, but I think the info out there is too old. (Ie., this no longer works).

I have found where EB sets up its servers (in a file called: /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf ), and it's contents are:

map $http_upgrade $connection_upgrade {
  default  "upgrade";
  ""       "";
}

server {
  listen 80;
  location / {
    proxy_pass          http://docker;
    proxy_http_version  1.1;
    proxy_set_header    Connection       $connection_upgrade;
    proxy_set_header    Upgrade          $http_upgrade;
    proxy_set_header    Host             $host;
    proxy_set_header    X-Real-IP        $remote_addr;
    proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
  }
}

When I modify this file from listen 80; to listen 443 ssl; and the try to load my site on https , I get ERR_CONNECTION_REFUSED .

Can someone point me in the correct direction to modify this config file to redirect from http to https ?

Answer 1

As of August 2018, for a Python (Flask) app placed in a Docker container with nginx placed in front and SSL certificate in AWS Certificate Manager.

After configuring the load balancer to listen on both ports 80 and 443 you can configure the redirection from http to https by creating one file. In general, it will add one if statement into an nginx configuration for you:

if ($http_x_forwarded_proto = 'http') {
                  return 301 https://$host$request_uri;
              }

TL;DR: This is done by the following file placed in .ebextensions directory which you create in the parent directory of your Beanstalk app project. Give the file a chosen name, for eg force-https , but remember to use the .config extension. Don't forget to commit the new file if you're using git!

My app/.ebextensions/force-https.config file (YAML - indentation matters!):

files:

  "/etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf" :
    mode: "000755"
    owner: root
    group: root
    content: |
      map $http_upgrade $connection_upgrade {
          default        "upgrade";
          ""            "";
      }

      server {
          listen 80;

          gzip on;
              gzip_comp_level 4;
              gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

          if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
              set $year $1;
              set $month $2;
              set $day $3;
              set $hour $4;
          }
          access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;

          access_log    /var/log/nginx/access.log;

          location / {
              if ($http_x_forwarded_proto = 'http') {
                  return 301 https://$host$request_uri;
              }
              proxy_pass            http://docker;
              proxy_http_version    1.1;

              proxy_set_header    Connection            $connection_upgrade;
              proxy_set_header    Upgrade                $http_upgrade;
              proxy_set_header    Host                $host;
              proxy_set_header    X-Real-IP            $remote_addr;
              proxy_set_header    X-Forwarded-For        $proxy_add_x_forwarded_for;
          }
      }

Explanation: If you want the redirection to work for every new deployment and every new EC2 instance that will be started for your app, you need to modify the nginx configuration through Elastic Beanstalk .ebextensions directory. In theory, this change could be done directly in the app's EC2 instance's nginx configuration file (using ssh to connect to the machine), this however is not a good solution, because the changes will be lost when the instance is terminated or when you deploy a new version of the app.

The file where we intend to add the aforementioned if statement is placed in /etc/nginx/sites-available/elasticbeanstalk-nginx-docker-proxy.conf in the app's EC2 instance. Our file with replacement instructions needs to be created in the .ebextensions directory that you create in the parent directory of your project. It needs to specify which files you want to overwrite ( files: in the code above). Elastic Beanstalk will apply this .config file while deploying your app by overwriting the indicated nginx file in every new machine.

Answer 2

您是否尝试过在 settings.py 中配置它并让 django 处理该过程。

SECURE_SSL_REDIRECT = True

Answer 3

I assumed you used Python 3.4 with uWSGI 2 (Docker) version 1.4.3 . As my answer in here , you need to coustumized your Elastic Beanstalk environment:

• Elastic Load Balancer :
  • Listen on port 80 and proxy it to EC2 instance port 80.
  • Listen on port 443 and proxy it to EC2 instance port 443.
• EC2 Web Server/Proxy :
  • Listen on port 80 and response with redirect to HTTPS.
  • Listen on port 443 and serve the request.

I though EB Predefined Python 3.4 (Docker) and Single Docker Container is almost same, except in the Python thing. I've written a post in Enable HTTPS and HTTP-Redirect on AWS Elastic Beanstalk . You could read the guide there. It tells you how to configure Elastic Beanstalk Single Docker Container serve HTTPS and HTTP (redirect to HTTPS).

If you got error (usually if you started it from Elastic Beanstalk sample on first landing page):

Updating security group named: sg-xxxxxxxx failed Reason: SecurityGroupEgress cannot be specified without VpcId

You need to specify your VpcId inside AWSEBLoadBalancerSecurityGroup > Properties . So, the config should be:

...
"AWSEBLoadBalancerSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Allow HTTP and HTTPS",
    "VpcId": "vpc-xxxxxxxx",
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIp": "0.0.0.0/0"
      },
      {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "CidrIp": "0.0.0.0/0"
      }
    ],
    "SecurityGroupEgress": [
      {
        "IpProtocol": "tcp",
        "FromPort": 80,
        "ToPort": 80,
        "CidrIp": "0.0.0.0/0"
      },
      {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "CidrIp": "0.0.0.0/0"
      }
    ]
  }
},
...