
How do I combine AWS API Gateway and Application Load Balancer for HTTPS outside of us-east-1?

I am attempting to route traffic through the AWS API Gateway to my ECS containers running in a private subnet via an Application Load Balancer running in a public subnet. Using plain old HTTP everything works perfectly fine, but now I want to add transport layer security (TLS, fka SSL) to the communication between the gateway and the load balancer. In other words, terminate SSL at the load balancer.

  • I've got a custom domain name configured and working on my gateway that was already exposing an HTTPS endpoint.
  • I've got an HTTPS listener configured on my load balancer, which scolds me for having a dodgy certificate, but if I ignore the warning when I hit it directly I get routed to my service correctly. Thus load balancer routing is correct.
  • When I attempt to point the gateway to the balancer it breaks. Furthermore, it seems I can only use certificates for custom domain names that are in the us-east-1 region. At present they are failing with the following error in CloudWatch (details obscured for privacy).

Execution failed due to configuration error: Host name 'XXXXXXXXX-lb-XXXXXXXXX..elb.amazonaws.com' does not match the certificate subject provided by the peer (CN=)

Given my load balancer is not in the us-east-1 region, how can I achieve my goal?

Assign a custom domain name to the load balancer. Then assign a valid SSL certificate to the load balancer using the ACM service. Then reference the load balancer using the custom domain name.
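Added example, not part of the question or answer above: a small offline check of the hostname-matching rule that produces the CloudWatch error quoted in the question. It compares the hostname in the integration URI against the names a peer certificate presents, first with the ALB's generated DNS name and an empty-subject certificate (the failing state), then with a custom domain and a certificate issued for that name (the answer's fix). All hostnames and certificate fields are constructed placeholders.

```python
"""Hostname-vs-certificate check mirroring why API Gateway rejects the ALB (added example)."""
from dataclasses import dataclass, field


@dataclass
class CertSubject:
    """Identity fields a peer certificate presents (constructed, not parsed)."""
    cn: str = ""                              # the question's error shows CN=
    sans: list = field(default_factory=list)  # subjectAltName dNSName entries


def _name_matches(pattern: str, host: str) -> bool:
    # RFC 6125 style: '*' may replace only the whole left-most label and never
    # spans a dot, so '*.example.com' matches 'api.example.com' but not
    # 'a.b.example.com' or 'example.com'. Comparison is case-insensitive.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, cert: CertSubject) -> bool:
    # Validators use the SAN list; the CN is consulted only when no SAN is set.
    names = cert.sans or ([cert.cn] if cert.cn else [])
    return any(_name_matches(n, host) for n in names)


def check_integration(integration_host: str, cert: CertSubject) -> str:
    """Outcome a gateway would log for an HTTPS integration to this host."""
    if hostname_matches(integration_host, cert):
        return f"ok: '{integration_host}' matches the peer certificate"
    return (f"Host name '{integration_host}' does not match the certificate "
            f"subject provided by the peer (CN={cert.cn})")


# Before: the integration URI names the ALB's generated DNS name, and the
# listener carries a self-signed certificate with an empty subject.
ALB_HOST = "xxxxxxxxx-lb-xxxxxxxxx.REGION.elb.amazonaws.com"      # constructed
BEFORE_CERT = CertSubject(cn="", sans=[])
# After: the ALB gets a custom domain plus an ACM certificate issued in the
# ALB's own region for that name, and the integration URI uses that domain.
CUSTOM_HOST = "api.example.com"                                  # constructed
AFTER_CERT = CertSubject(cn="api.example.com", sans=["api.example.com"])

if __name__ == "__main__":
    print(check_integration(ALB_HOST, BEFORE_CERT))
    print(check_integration(CUSTOM_HOST, AFTER_CERT))
```

The same check is worth running against the live listener's certificate before changing the integration, since a certificate whose SAN list does not contain the custom domain fails in exactly the same way.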

