使用 AWS 彈性 beantalk 負載均衡器在 Rails 上強制實施 https 連接

Question

我有一個使用 AWS 彈性 beantalk 負載均衡器在 puma 和 nginx 上運行的 rails 應用程序。 我配置了 AWS 證書，它在 http 和 https 上都可以正常工作。

但是，如果我在config/environments/production.rb上啟用config.force_ssl = true我開始收到以下錯誤：

在 http 上：連接已重置

在 https 上：安全連接失敗。 加載頁面時，與服務器的連接已重置。

這是我的nginx的配置文件，這是我從awslabs /彈性魔豆樣本得到的內容在這里：

.ebextensions/nginx.config

files:
   "/opt/elasticbeanstalk/support/conf/webapp_healthd.conf":
     owner: root
     group: root
     mode: "000644"
     content: |
       upstream my_app {
         server unix:///var/run/puma/my_app.sock;
       }

       server {
         listen 80;
         server_name _ localhost; # need to listen to localhost for worker tier

         location / {
           set $redirect 0;
           if ($http_x_forwarded_proto != "https") {
             set $redirect 1;
           }
           if ($http_user_agent ~* "ELB-HealthChecker") {
             set $redirect 0;
           }
           if ($redirect = 1) {
             return 301 https://$host$request_uri;
           }
           proxy_pass http://my_app; # match the name of upstream directive which is defined above
           proxy_set_header Host $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }

         location /assets {
           alias /var/app/current/public/assets;
           gzip_static on;
           gzip on;
           expires max;
           add_header Cache-Control public;
         }

         location /public {
           alias /var/app/current/public;
           gzip_static on;
           gzip on;
           expires max;
           add_header Cache-Control public;
         }
       }

container_commands:
  99_restart_nginx:
    command: "service nginx restart || service nginx start"

Answer 1

好吧，我在其他問題中找到了與相同問題有關的答案，但是使用了Node.js。

只需將其添加到.ebextensions文件夾內的文件中，我就將其稱為force-ssl.config

files:
  "/tmp/45_nginx_https_rw.sh":
    owner: root
    group: root
    mode: "000644"
    content: |
      #! /bin/bash

      CONFIGURED=`grep -c "return 301 https" /opt/elasticbeanstalk/support/conf/webapp_healthd.conf`

      if [ $CONFIGURED = 0 ]
        then
          sed -i '/listen 80;/a \    if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }\n' /opt/elasticbeanstalk/support/conf/webapp_healthd.conf
          logger -t nginx_rw "https rewrite rules added"
          service nginx restart
          exit 0
        else
          logger -t nginx_rw "https rewrite rules already set"
          exit 0
      fi

container_commands:
  00_appdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/appdeploy/enact
  01_configdeploy_rewrite_hook:
    command: cp -v /tmp/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact
  02_rewrite_hook_perms:
    command: chmod 755 /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh
  03_rewrite_hook_ownership:
    command: chown root:users /opt/elasticbeanstalk/hooks/appdeploy/enact/45_nginx_https_rw.sh /opt/elasticbeanstalk/hooks/configdeploy/enact/45_nginx_https_rw.sh

原始答案： https ： //stackoverflow.com/a/34619855/2454036

更新：我發現原始答案不會一直有效，因為在更新文件之前可能會觸發nginx重新啟動，因此我將添加的service nginx restart放置到了腳本中

Answer 2

HTTP -> HTTPS 重定向是一種非常常見的做法，AWS 在此處記錄了如何實現它： https : //docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html

您擁有的解決方案與下面列出的他們自己提供的配置非常相似，它涵蓋了一系列不同的環境平台： https : //github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-提供/安全配置/https-重定向