我想在Elastic Beanstalk环境中加密负载均衡器和Web服务器之间的流量。亚马逊在这里有一个指南:https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html,但是它涉及手动为您的服务器生成证书。是否有全自动的替代品?
如果您的服务器将其自身的自签名证书作为部署容器命令的一部分,则每次部署以及启动新服务器时,每个服务器都会获得更新的证书。
我为此找到的最佳命令如下,它将创建有效期为10年的证书:
sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/certs/server.key -out /etc/pki/tls/certs/server.crt -days 3650 -nodes -subj "/CN=example.com"
使用这种方法,只要您至少十年一次部署(包括升级EB容器版本),您的服务器就会保持运转。
这也大大简化了设置。现在您需要做的是以下操作:
下面是python的完整HTTPS弹性beantalk配置文件的示例。这是对AWS's suggested config file for python的略微修改。我已将generate certificate命令添加到容器命令的开头,并删除了/etc/pki/tls/certs/server.crt和/etc/pki/tls/certs/server.key的两个文件语句,因为它们现在是自动生成的。 AWS examples for other languages can be found here。
Python配置文件:
packages:
yum:
mod24_ssl : []
files:
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /opt/python/run/baselinenv
WSGISocketPrefix run/wsgi
WSGIRestrictEmbedded On
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
Alias /static/ /opt/python/current/app/static/
<Directory /opt/python/current/app/static>
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /opt/python/current/app/application.py
<Directory /opt/python/current/app>
Require all granted
</Directory>
WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
python-path=/opt/python/current/app \
python-home=/opt/python/run/venv \
home=/opt/python/current/app \
user=wsgi \
group=wsgi
WSGIProcessGroup wsgi-ssl
</VirtualHost>
container_commands:
01createcerts:
command: |
sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/pki/tls/certs/server.key -out /etc/pki/tls/certs/server.crt -days 3650 -nodes -subj "/CN=example.com"
02killhttpd:
command: "killall httpd"
0waitforhttpddeath:
command: "sleep 3"