Engine Yard Rails app - Terminating SSL at an Elastic Load Balancer (ELB) and passing X-Forwarded-Proto http header

Followed the Engine Yard docs at https://support.cloud.engineyard.com/entries/21715452-use-elastic-load-balancing-with-engine-yard-cloud

Got this set up and it appeared to be working well, allowing us to use SSL terminated at the ELB instead of at the server. In theory this should allow us to use multiple SSL certs in a single environment.

This setup means the traffic between the browser and the ELB load balancer is SSL, but the onward traffic from the ELB to the application servers is decrypted. This caused us a problem with our Rails 3.2.8 application forcing SSL - it redirects every decrypted request back to its https equivalent, which sends a decrypted request from the load balancer to the application server again, causing an infinite loop condition.

If we disable the forcing of SSL in our app, we need to test each request to see if it came from an SSL connection; if it did we can respond, if not, redirect it.

According to this release note ( http://aws.amazon.com/releasenotes/7778622769836370 ) the ELB will pass the X-Forwarded-Proto header containing 'https' when traffic is passed from a https connection.

Firstly, there is no header called 'X-Forwarded-Proto' in the request on Engine Yard. 'HTTP_X-FORWARDED_PROTO' does exist, but it always contains 'http' even when traffic is sent over SSL to the ELB.

Can anyone offer any insight into this or ideas for a workaround? I've tried EY support without much luck so far.

You can check for the X-Forwarded-Port header, which is 443 if the request came to the load balancer over SSL. That would be HTTP_X_FORWARDED_PORT in the Rack env.

We use this modified rack-ssl gem in our Engine Yard Rails app as a workaround.
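
The X-Forwarded-Port check suggested in the answers above, written as a small Rack middleware. This is an added example, not code from the thread or from the rack-ssl gem; the class name `ElbForceSsl` and the sample requests are assumptions, and it is only sound when the app servers accept traffic solely from the ELB, since a client reaching them directly could set these headers itself.

```ruby
# Added example: redirect to https unless the ELB says the client used SSL.
# ElbForceSsl is a hypothetical name, not part of rack-ssl or Rails.
class ElbForceSsl
  def initialize(app)
    @app = app
  end

  # HTTP_X_FORWARDED_PORT is the check from the answer above;
  # HTTP_X_FORWARDED_PROTO is the header named in the AWS release note.
  def self.forwarded_ssl?(env)
    proto = env['HTTP_X_FORWARDED_PROTO'].to_s.strip.downcase
    port  = env['HTTP_X_FORWARDED_PORT'].to_s.strip
    proto == 'https' || port == '443'
  end

  def call(env)
    if self.class.forwarded_ssl?(env)
      # Mark the request as secure for downstream Rack code, so a later
      # force-SSL check does not redirect again (the loop in the question).
      env['rack.url_scheme'] = 'https'
      env['HTTPS'] = 'on'
      @app.call(env)
    else
      # Plain HTTP reached the ELB: send the client to the https URL once.
      host = (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.sub(/:\d+\z/, '')
      location = "https://#{host}#{env['SCRIPT_NAME']}#{env['PATH_INFO']}"
      query = env['QUERY_STRING'].to_s
      location += "?#{query}" unless query.empty?
      [301, { 'Content-Type' => 'text/plain', 'Location' => location },
       ['Redirecting to HTTPS']]
    end
  end
end

# Constructed stand-in for the Rails app; it echoes the scheme it was given.
DEMO_APP = lambda do |env|
  [200, { 'Content-Type' => 'text/plain' }, ["scheme=#{env['rack.url_scheme']}"]]
end

# Runs one Rack env hash through the middleware and returns the response triple.
def demo(env)
  ElbForceSsl.new(DEMO_APP).call(env)
end
```

In a Rails app this would be inserted ahead of any other SSL-forcing middleware, with the app's own `force_ssl` left off so only one layer issues redirects.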
