
SSL certificate behind AWS Load Balancer

I have a project running on AWS. The structure is this:

Application Load Balancer:
    - EC2 AutoScaling Group [1-5]:
      - 1^ instance...
      ... (more spawned when needed)
      - 5^ instance...

I have created a certificate for the Load Balancer with AWS Certificate Manager. So the traffic now is:

Clients ---- HTTPS Port 443 ----- > Load Balancer ------ HTTP Port 80 ----> EC2 Instances

But since there is no certificate on the instances, when I load the webpage I get a 'Site Not Secure' warning.

How can I create a complete SSL connection from Clients to any of my instances behind the Load Balancer?

EDIT

Here is the nginx configuration (for all instances):

server {
    listen       80;
    server_name  marette.ovh www.marette.ovh;

    root /home/marette/marette_backend/dist;
    index index.html index.htm;

    client_max_body_size 10M;
    error_page 502 /gateway.html;

    location / {
        add_header 'Access-Control-Allow-Origin' "*" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;

        root /home/marette/marette_backend/dist;
        try_files $uri $uri/ /index.html;
    }

    error_log  /var/log/nginx/vue-app-error.log;
    access_log /var/log/nginx/vue-app-access.log;

    # this is for the REST backend
    location /api {
        add_header 'Access-Control-Allow-Origin' "*" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
        # required to be able to read Authorization header in frontend
        add_header 'Access-Control-Expose-Headers' 'Authorization' always;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        proxy_pass https://127.0.0.1:8000/api;
    }
}

And here is the configuration of the listeners for the Balancer: [screenshot of the listener configuration]

EDIT2: [screenshot]

EDIT3: [screenshot]

Checks that should be performed:

  • Always check the domain name is correct for the SSL; if it is not valid then you will get certificate errors.
  • Validate the listener is correctly configured to listen on 443 using HTTPS, and that the SSL is valid.
  • Validate the target group is using the correct protocol and port for the server itself (it does not need to be the same as the load balancer).

A great site to test for SSL problems is SSL Labs.
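The three checks in the answer above can be scripted against the JSON the AWS CLI returns, so they can be re-run after every change. The following is an added example, not code from the original question or answer: `audit_alb()` reads dicts in the shape of `aws elbv2 describe-listeners` and `describe-target-groups` output, and `hostname_matches()` applies the usual SAN/wildcard rule to the dict shape of `ssl.SSLSocket.getpeercert()`. The sample listeners, target groups and certificates at the bottom are constructed, the ARNs are placeholders, and the only real values are the two hostnames from the nginx config in the question.

```python
"""Offline audit for the three checks in the answer above.

Added example (not code from the original post). Input dicts follow the
shape returned by `aws elbv2 describe-listeners` / `describe-target-groups`
and by ssl.SSLSocket.getpeercert(); the sample data at the bottom is
constructed and the ARNs are placeholders.
"""


def hostname_matches(peercert: dict, hostname: str) -> bool:
    """True if a DNS entry in the certificate's SAN list covers hostname.

    A leading '*' matches exactly one label, so '*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    sans = [v.lower() for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    for san in sans:
        san_labels = san.split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*":
            if len(host_labels) > 1 and san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def audit_alb(listeners: list, target_groups: list,
              backend_protocol: str = "HTTP", backend_port: int = 80) -> list:
    """Return a list of findings; an empty list means the setup is consistent.

    backend_protocol/backend_port describe what the instances really serve
    (plain HTTP on port 80 for the nginx config in the question), so the
    target group is compared against the server rather than against the ALB.
    """
    findings = []
    tg_by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}

    if not any(lst["Port"] == 443 for lst in listeners):
        findings.append("no listener on port 443")

    for listener in listeners:
        port, proto = listener["Port"], listener["Protocol"]
        actions = listener.get("DefaultActions", [])
        if port == 443:
            if proto != "HTTPS":
                findings.append(f"listener on 443 uses {proto}, not HTTPS")
            if not listener.get("Certificates"):
                findings.append("listener on 443 has no certificate attached")
        elif proto == "HTTP" and any(a["Type"] != "redirect" for a in actions):
            # Plain HTTP that is forwarded instead of redirected keeps an
            # unencrypted path open; flag it so it is a deliberate choice.
            findings.append(f"listener on {port} serves plain HTTP without redirecting to HTTPS")

        for action in actions:
            if action["Type"] != "forward":
                continue
            tg = tg_by_arn.get(action["TargetGroupArn"])
            if tg is None:
                findings.append(f"listener on {port} forwards to an unknown target group")
            elif (tg["Protocol"], tg["Port"]) != (backend_protocol, backend_port):
                findings.append(
                    f"target group for listener {port} is {tg['Protocol']}:{tg['Port']} "
                    f"but the instances serve {backend_protocol}:{backend_port}")
    return findings


# Constructed sample data (AWS CLI JSON shape; ARNs are placeholders).
TG_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER/0000"
SAMPLE_LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect"}]},
]
GOOD_TARGET_GROUPS = [{"TargetGroupArn": TG_ARN, "Protocol": "HTTP", "Port": 80}]
# Mismatch: the target group expects TLS on 443 while nginx listens on plain port 80.
BAD_TARGET_GROUPS = [{"TargetGroupArn": TG_ARN, "Protocol": "HTTPS", "Port": 443}]

# getpeercert() shape for a certificate issued to both names in the question (constructed).
SAMPLE_CERT = {"subjectAltName": (("DNS", "marette.ovh"), ("DNS", "www.marette.ovh"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.marette.ovh"),)}

if __name__ == "__main__":
    print("good:", audit_alb(SAMPLE_LISTENERS, GOOD_TARGET_GROUPS) or "no findings")
    print("bad: ", audit_alb(SAMPLE_LISTENERS, BAD_TARGET_GROUPS))
    print("www covered:", hostname_matches(SAMPLE_CERT, "www.marette.ovh"))
```

To run it against a real account, load the `Listeners` and `TargetGroups` arrays from `aws elbv2 describe-listeners --load-balancer-arn <arn> --output json` and `aws elbv2 describe-target-groups --load-balancer-arn <arn> --output json` and pass them to `audit_alb()`; for the hostname check, fetch the live certificate with `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()`, bearing in mind that `getpeercert()` only returns the populated dict when the chain validated. Note that the wildcard rule implemented here is the common one-label rule; it is an assumption of this example, not something the answer states.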
