弹性豆茎上装有SSL 403的烧瓶
下面是应用程序目录结构弹性豆茎上装有SSL 403的烧瓶,ssl,amazon-web-services,amazon-ec2,flask,amazon-elastic-beanstalk,Ssl,Amazon Web Services,Amazon Ec2,Flask,Amazon Elastic Beanstalk,下面是应用程序目录结构 app/\uuuu init.py 应用程序/静态/ 应用程序/模型/ 应用程序/视图/ application.py requirements.txt .elasticbeanstalk/config .elasticbeanstalk/optionsettings.application\u名称 .ebextensions/python.config .ebextensions/https.config 下面是.elasticbeanstalk中的文件片段 #co
- app/\uuuu init.py
- 应用程序/静态/
- 应用程序/模型/
- 应用程序/视图/
- application.py
- requirements.txt
- .elasticbeanstalk/config
- .elasticbeanstalk/optionsettings.application\u名称
- .ebextensions/python.config
- .ebextensions/https.config
#config
EnvironmentTier=WebServer::Standard::1.0
EnvironmentType=SingleInstance
Region=us-west-1
ServiceEndpoint=https://elasticbeanstalk.us-west-1.amazonaws.com
SolutionStack=64bit Amazon Linux 2014.03 v1.0.3 running Python
#optionsettings.application_name
[aws:elasticbeanstalk:container:python]
NumProcesses=1
NumThreads=15
StaticFiles=/static/=app/static/
WSGIPath=application.py
[aws:elasticbeanstalk:container:python:staticfiles]
/static/=app/static/
下面是我从SSL创建SSL证书的步骤
- openssl genrsa 2048>privatekey.pem
- openssl请求-新建-密钥privatekey.pem-out csr.pem
- 向Comodo发出SSL证书请求并收到三个文件
- 根CA证书-AddTrustExternalCARoot.crt
- 中级CA证书-PositiveSSLCA2.crt
- 您的PositiveSSL证书-server.crt
#https.config
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: {Ref : AWSEBSecurityGroup}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
packages:
yum:
mod24_ssl : []
files:
/etc/httpd/conf.d/ssl.conf:
mode: 000777
owner: ec2-user
group: ec2-user
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
Alias /static /opt/python/current/app/
<Directory /opt/python/current/app/>
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /opt/python/current/app/python/application.py
<Directory /opt/python/current/app/>
Order allow,deny
Allow from all
</Directory>
WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
home=/opt/python/current/app
WSGIProcessGroup wsgi
</VirtualHost>
/etc/pki/tls/certs/server.crt:
mode: 000777
owner: ec2-user
group: ec2-user
content: |
-----BEGIN CERTIFICATE-----
#contents from server.crt
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: 000777
owner: ec2-user
group: ec2-user
content: |
-----BEGIN RSA PRIVATE KEY-----
#contents from privatekey.pem
-----END RSA PRIVATE KEY-----
所以是的,SSL证书指的是我的自定义域,而服务器仍然认为它是ec2的默认公共DNS(我认为)
仅供参考,自定义域是从Godaddy购买的。我这样做是为了让一条记录指向我的EC2IP地址
简而言之,如何使ec2服务器在设置ssl时知道其fqdn是我的自定义域,而不是ec2提供的域?这些不匹配:
WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
home=/opt/python/current/app
WSGIProcessGroup wsgi
您可能应该:
WSGIProcessGroup wsgi-ssl
警告:我是开发人员,不是系统管理员,我不知道自己在做什么
这周我遇到了完全相同的问题。包括域1。这是一个适合我的配置。反馈是欢迎的,因为我刚刚黑了这个Toghter
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: {Ref : AWSEBSecurityGroup}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
packages:
yum:
mod24_ssl : []
files:
/etc/httpd/conf.d/ssl.conf:
mode: "000755"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Require all granted
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateChainFile "/etc/pki/tls/certs/inter.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
Alias /static /opt/python/current/app/printwithme/static
<Directory /opt/python/current/app/>
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /opt/python/current/app/application.py
<Directory /opt/python/current/app/>
Require all granted
</Directory>
WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
home=/opt/python/current/app
WSGIProcessGroup wsgi-ssl
</VirtualHost>
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
/etc/pki/tls/certs/inter.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
container_commands:
01killhttpd:
command: "killall httpd"
02waitforhttpddeath:
command: "sleep 3"
到
这应该指向创建应用程序对象的文件。你的可能不一样
然后必须改变:
WSGIScriptAlias / /opt/python/current/app/python/application.py
Alias /static /opt/python/current/app/
到
因为在我的应用程序中,静态文件位于嵌套文件夹中。这应该指向包含您的文件的目录。请注意,my app name
是一个变量,需要时可由您更改
最后,我添加了一个链
文件。这是SSL人员用我的证书给我的。您可能也需要添加它。在我看来,这可能是可选的,但不是真的
如果我错过了什么,对不起
更新
我对文件模式有问题。我不得不引用他们的话:
模式:“000755”
模式:“000400”
我将更新配置以反映这些更改。已应用修复,但问题仍然存在。可能是因为我对Apache缺乏了解,但代码段中的user=wsgi group=wsgi是否也会受到影响?使用user=wsgi group=wsgi可能不是您想要的,因为这意味着您必须在系统上拥有一个名为该组的UNIX用户和组,而您不会这样做。除非你知道自己在做什么,否则所有这些选项都应该被忽略。在指令中,尝试将它们设置为甚至不需要的Apache用户是一个常见错误。在没有相应UNIX用户或组的情况下,随意将它们设置为其他内容更糟糕。我在这里有点迷茫。那么,我是否保留WSGIDaemonProcess?在专家看来,wsgi设置可能有缺陷,但就日志而言,我认为ssl设置将首先受到质疑,正如问题的更新部分所述。您的ssl证书消息是另一个问题。如果你解决了这个问题,mod_wsgi就会因为我指出的原因而失败。WSGIProcessGroup指令的第一个参数必须与您定义的WSGIDaemonProcess匹配。目前情况并非如此,因此,如果请求到达mod_wsgi,它将错误地说您正在尝试选择一个不存在的守护进程组。为了避免这种情况,您需要将WSGIProcessGroup指令的参数更改为wsgi ssl,以匹配WSGIDaemonProcess指令用作第一个参数的参数。我想立即尝试一下,但目前我已经永久放弃了eb。不管怎样,这个答案更直接地解决了我的问题!
WSGIScriptAlias / /opt/python/current/app/application.py
Alias /static /opt/python/current/app/
Alias /static /opt/python/current/app/my-app-name/static