带有负载均衡器和证书管理器的 EC2 实例上的 WSS 套接字
[英]WSS Socket on EC2 instance with Load Balancer and Certificate Manager
问题描述
I'm trying to set up a solution which includes an EC2 instance with Apache running NodeJS.
我正在尝试设置一个解决方案,其中包括一个运行 NodeJS 的 Apache 的 EC2 实例。 I've already successfully created a working webserver-instance with a public SSL-certificate from Certifate Manager accessed on port 80 and 443. This server should be able to connect to my other instance but for some reason I keep running into dead-ends and I suspect the solution is not possible...我已经成功地创建了一个有效的网络服务器实例,其中包含来自证书管理器的公共 SSL 证书,该证书在端口 80 和 443 上访问。该服务器应该能够连接到我的另一个实例,但由于某种原因,我一直遇到死胡同和我怀疑解决方案是不可能的......
I've built a working setup using Let's Encrypt certificates but I would love to keep as much as possible in AWS.我已经使用 Let's Encrypt 证书构建了一个工作设置,但我希望尽可能多地保留在 AWS 中。
Issue: In the LE-solution, I can access the local.pem-files on my server.问题:在 LE 解决方案中,我可以访问服务器上的 local.pem 文件。 I can include the local paths to the LE-certificates in the server-setup-file like this:我可以在服务器设置文件中包含 LE 证书的本地路径,如下所示:
...
var options = {
key: fs.readFileSync("/etc/letsencrypt/live/example.com/privkey.pem"),
cert: fs.readFileSync("/etc/letsencrypt/live/example.com/fullchain.pem")
};
var https = require('https').Server(options, app);
...
but when I'm using AWS Certificate Manager's public certificates, I'm not sure how to get around this?但是当我使用 AWS Certificate Manager 的公共证书时,我不确定如何解决这个问题?
My solution (not working): I'm no SSL-wizard, so I might be trying to do something impossible here.我的解决方案(不起作用):我不是 SSL 向导,所以我可能会在这里尝试做一些不可能的事情。 I've tried to create a local certificate using OpenSSL but keep the Load Balancer and Certificate Manager certificate on the domain.我尝试使用 OpenSSL 创建本地证书,但将负载均衡器和证书管理器证书保留在域中。
...
var options = {
key: fs.readFileSync("/home/ec2-user/server-key.pem"),
cert: fs.readFileSync("/home/ec2-user/server-cert.pem"),
};
var https = require('https').Server(options, app);
...
This solutions returns following error message when I try to connect to the node/socket server with url: https://live.example.com:3000 :当我尝试使用 url: https://live.example.com:3000连接到节点/套接字服务器时,此解决方案返回以下错误消息:
WebSocket connection to 'wss://live.example.com:3000/socket.io/?EIO=4&transport=websocket' failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
So I guess that my solution with both Certificate Manager certificate on the domain and the OpenSSL certificate on the server isn't possible or is the problem to be found elsewhere?所以我想我的解决方案在域上的证书管理器证书和服务器上的 OpenSSL 证书是不可能的,或者问题可以在其他地方找到?
Please let me know:-)请告诉我:-)
1 个解决方案
解决方案1
1 已采纳 2020-12-15 20:38:57
As mentioned in comments, certificates created through AWS Certificate Manager can only be used for certain AWS services such as Elastic Load Balancers, not self-managed web servers.正如评论中提到的,通过 AWS Certificate Manager 创建的证书只能用于某些 AWS 服务,例如 Elastic Load Balancer,不能用于自我管理的 web 服务器。 What you can do is use a Certificate Manager cert and put it on a load balancer, with your Apache/Node server sitting behind the load balancer in a target group.您可以做的是使用证书管理器证书并将其放在负载均衡器上,而您的 Apache/Node 服务器位于目标组中的负载均衡器后面。 All connections over the public internet would be HTTPS, but the connection between the load balancer and your app server (going over AWS's internal network) would be plain HTTP.公共互联网上的所有连接都是 HTTPS,但负载均衡器和您的应用服务器之间的连接(通过 AWS 的内部网络)将是普通的 HTTP。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.