Dan*_*che 3 java tomcat amazon-ec2 amazon-web-services amazon-elastic-beanstalk
我正在尝试在我的 TOMCAT 弹性 beanstalk EC2 实例中安装 SSL 证书。我还希望我的应用程序侦听端口 443 上的 HTTPS 请求。作为起点,我的解决方案基于此链接。
经过一段时间的尝试,我无法安装我的证书或使端口 443 侦听 HTTPS 请求。
这些是我遵循的步骤:
1)我在 src ROOT 处构建了一个带有 .ebextensions 文件夹的 WAR,如下所示
ROOT.war
|
WEB-INF
META-INF
.ebextensions
|
https-instance-single.config
https-instance.config
2) https-instance.config文件内容
packages:
yum:
mod_ssl : []
container_commands:
1killhttpd:
command: "killall httpd"
ignoreErrors: true
2wait:
command: "sleep 3"
files:
# Apache HTTPS configuration
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
</VirtualHost>
# Public certificate
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
/etc/pki/tls/certs/gd_bundle.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
3) https-instance-single.config文件内容
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
4)然后我使用弹性 beanstalk 控制台部署了我的 WAR(在此过程中没有抛出错误消息,至少在控制台上)。
按照指定部署我的战争后,我的 Web 应用程序运行良好,但没有 SSL 配置,HTTPS 请求没有被重定向到端口 443。更糟糕的是,该应用程序甚至没有侦听 HTTPS 请求。
谁有灯??我不想使用 ELB(弹性负载均衡器),因为我迁移了一堆小型应用程序,这会给我带来相当大的成本增加(每个应用程序大约 20 美元)。
以下是我为解决问题而遵循的所有步骤:
1)我从 https-instance.config 中删除了 /etc/httpd/conf.d/ssl.conf 文件声明块
2) 我在 .ebextensions/httpd/conf.d/ssl.conf 中添加了文件本身。波纹管文件内容:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com]
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
</VirtualHost>
重要提示:不要忘记添加一行您的服务器名称
3)这一步是可选的,直接做如果你想把你所有的http请求从80端口重定向到443,你必须添加一个配置文件,配置80端口监听器。我将它命名为 elasticbeanstalk.conf
<VirtualHost *:80>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com]
Redirect permanent / https://[YOUR APP ENDPOINT HERE i.e www.mydomain.com]/
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
</VirtualHost>
最后,这就是我的战争目录的组织方式:
ROOT.war
|
WEB-INF
META-INF
.ebextensions
|
https-instance-single.config
https-instance.config
|
httpd
|
conf.d
|
elasticbeanstalk.conf
ssl.conf