Ruby on rails 如何为安全WebSocket配置Elastic Beanstalk nginx代理?
我正在使用Elastic Beanstalk部署我的Ruby on Rails(Ruby on rails 如何为安全WebSocket配置Elastic Beanstalk nginx代理?,ruby-on-rails,websocket,amazon-elastic-beanstalk,Ruby On Rails,Websocket,Amazon Elastic Beanstalk,我正在使用Elastic Beanstalk部署我的Ruby on Rails(5.0.1)应用程序,试图通过不安全(ws://)和安全(wss://)连接来支持WebSocket(ActionCable)。如果做不到这一点,我只会对安全感感到高兴,但我工作时只会变得不安全。我一直在跟踪;我的.ebextensions/proxy.config文件与它们完全匹配,我的负载平衡器设置(TCP,SSL等)也与它们完全匹配 我可以成功地使用不安全的WebSocket。我还可以通过http和https成
5.0.1
)应用程序,试图通过不安全(ws://
)和安全(wss://
)连接来支持WebSocket(ActionCable
)。如果做不到这一点,我只会对安全感感到高兴,但我工作时只会变得不安全。我一直在跟踪;我的.ebextensions/proxy.config
文件与它们完全匹配,我的负载平衡器设置(TCP
,SSL
等)也与它们完全匹配
我可以成功地使用不安全的WebSocket。我还可以通过http
和https
成功连接,因此证书很好。唯一不起作用的是安全WebSocket(wss://
):
有效http://api.skill.guide
有效https://api.skill.guide
ws://api.skill.guide/cable
不起作用wss://api.skill.guide/cable
错误:意外响应代码:404
。以下是服务器日志,首先显示成功的不安全升级,然后是失败的安全升级。请注意secure senario中缺少的HTTP\u升级
,这让我相信我的反向代理配置有问题
[2016-12-17T23:16:41.230931 #9482] INFO -- : [5d63e807-6df7-4044-af9c-656b25db9065] Started GET "/cable/?encoding=text" for 172.31.26.218 at 2016-12-17 23:16:41 +0000
I, [2016-12-17T23:16:41.252495 #9482] INFO -- : [5d63e807-6df7-4044-af9c-656b25db9065] Started GET "/cable/?encoding=text" [WebSocket] for 172.31.26.218 at 2016-12-17 23:16:41 +0000
I, [2016-12-17T23:16:41.252578 #9482] INFO -- : [5d63e807-6df7-4044-af9c-656b25db9065] Successfully upgraded to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: Upgrade, HTTP_UPGRADE: websocket)
I, [2016-12-17T23:16:44.643256 #9482] INFO -- : Finished "/cable/?encoding=text" [WebSocket] for 172.31.26.218 at 2016-12-17 23:16:44 +0000
I, [2016-12-17T23:16:47.786466 #9498] INFO -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Started GET "/cable/?encoding=text" for 73.222.141.98 at 2016-12-17 23:16:47 +0000
I, [2016-12-17T23:16:47.804715 #9498] INFO -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Started GET "/cable/?encoding=text"[non-WebSocket] for 73.222.141.98 at 2016-12-17 23:16:47 +0000
E, [2016-12-17T23:16:47.804789 #9498] ERROR -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: keep-alive, HTTP_UPGRADE: )
I, [2016-12-17T23:16:47.804832 #9498] INFO -- : [3e502e9b-2773-4ab8-8e7e-d6e46b137ac2] Finished "/cable/?encoding=text"[non-WebSocket] for 73.222.141.98 at 2016-12-17 23:16:47 +0000
为了完整起见,这里是我的设置
负载平衡器:
.elasticbeanstalk/proxy.config
:
config/production.rb
Django通道的问题相对相同。
files:
/etc/nginx/conf.d/proxy.conf:
mode: "000644"
owner: root
group: root
content: |
upstream rails {
server 127.0.0.1:3000;
keepalive 256;
}
server {
listen 8080;
if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
set $year $1;
set $month $2;
set $day $3;
set $hour $4;
}
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
access_log /var/log/nginx/access.log main;
location / {
proxy_pass http://rails;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
gzip on;
gzip_comp_level 4;
gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location /static {
alias /var/app/current/static;
}
}
container_commands:
removeconfig:
command: "rm -f /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf"
config.action_cable.url = 'wss://api.skill.guide/cable'
config.action_cable.disable_request_forgery_protection = true