Enforce https connection on Rails using AWS elastic beanstalk load balancer
I have a rails app running on puma & nginx using AWS elastic beanstalk load balancer. I configured AWS certificate and it works fine on both http and https.
However, if I enable config.force_ssl = true in config/environments/production.rb I start getting the following errors:
On http: The connection was reset
On https: Secure Connection Failed. The connection to the server was reset while the page was loading.
Here's the content of my nginx configuration file, which I got from awslabs/elastic-beanstalk-samples:
.ebextensions/nginx.config
files:
  "/opt/elasticbeanstalk/support/conf/webapp_healthd.conf":
    owner: root
    group: root
    mode: "000644"
    content: |
      upstream my_app {
        server unix:///var/run/puma/my_app.sock;
      }

      server {
        listen 80;
        server_name _ localhost; # need to listen to localhost for worker tier

        location / {
          set $redirect 0;
          if ($http_x_forwarded_proto != "https") {
            set $redirect 1;
          }
          if ($http_user_agent ~* "ELB-HealthChecker") {
            set $redirect 0;
          }
          if ($redirect = 1) {
            return 301 https://$host$request_uri;
          }

          proxy_pass http://my_app; # match the name of upstream directive which is defined above
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /assets {
          alias /var/app/current/public/assets;
          gzip_static on;
          gzip on;
          expires max;
          add_header Cache-Control public;
        }

        location /public {
          alias /var/app/current/public;
          gzip_static on;
          gzip on;
          expires max;
          add_header Cache-Control public;
        }
      }

container_commands:
  99_restart_nginx:
    command: "service nginx restart || service nginx start"
Well, I found my answer elsewhere, in a question related to the same problem but using Node.js.
I just had to add this to a file inside the .ebextensions folder; I called it enforce-ssl.config
files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash
      # Count existing redirect rules so the edit is applied only once.
      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          # Insert the redirect right after the "listen 80;" line, then restart nginx.
          sed -i '/listen 80;/a \ if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          service nginx restart
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
Original answer: https://stackoverflow.com/a/34619855/2454036
Update: I found out that the original answer won't always work because the nginx restart may be fired before the files are updated, so I placed the added service nginx restart in the script.
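A more defensive variant of the hook script above, as an added example that is not part of the original answer: it reports failure instead of logging success and restarting nginx when no "listen 80;" line was found, and it swaps the edited file in through a temporary copy. The function name ensure_https_redirect, its return codes and passing the config path as $1 are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original answer). ensure_https_redirect and its
# return codes are hypothetical; the rule text is the one used in the answer.

RULE='    if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }'

# Insert RULE after the first "listen 80;" line of an nginx config.
# Returns 0 = rule inserted, 1 = rule already present,
#         2 = file missing, no "listen 80;" line, or write failed (file untouched).
ensure_https_redirect() {
  rw_conf="$1"
  [ -f "$rw_conf" ] || return 2
  if grep -q 'return 301 https' "$rw_conf"; then
    return 1
  fi
  grep -q 'listen 80;' "$rw_conf" || return 2

  # Build the new file next to the original (cp -p keeps its mode, and its
  # owner when run as root), then swap it in with mv so a half-written
  # config is never left in place.
  rw_tmp="$(mktemp "${rw_conf}.XXXXXX")" || return 2
  cp -p "$rw_conf" "$rw_tmp" || { rm -f "$rw_tmp"; return 2; }
  if RULE="$RULE" awk '
       { print }
       /listen 80;/ && !done { print ENVIRON["RULE"]; done = 1 }
     ' "$rw_conf" > "$rw_tmp" && mv "$rw_tmp" "$rw_conf"; then
    return 0
  fi
  rm -f "$rw_tmp"
  return 2
}

# Hook entry point: runs only when a config path is passed as $1.
if [ -n "${1:-}" ]; then
  rc=0
  ensure_https_redirect "$1" || rc=$?
  case "$rc" in
    0) logger -t nginx_rw "https rewrite rule added"
       # Restart only if nginx accepts its currently installed configuration.
       nginx -t && service nginx restart ;;
    1) logger -t nginx_rw "https rewrite rule already set" ;;
    *) logger -t nginx_rw "could not patch $1, nothing changed"
       exit 1 ;;
  esac
fi
```
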
HTTP -> HTTPS redirection is a very common practice and AWS has documented how to achieve it here: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html
The solution you have is very similar to their own provided configurations listed below, which cover a range of different environment platforms: https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect