Warning: file_get_contents(/data/phpspider/zhask/data//catemap/7/rust/4.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
弹性豆茎上装有SSL 403的烧瓶_Ssl_Amazon Web Services_Amazon Ec2_Flask_Amazon Elastic Beanstalk - Fatal编程技术网
Fatal编程技术网
  • ssl/
  • 弹性豆茎上装有SSL 403的烧瓶

弹性豆茎上装有SSL 403的烧瓶

ssl amazon-web-services amazon-ec2 flask

弹性豆茎上装有SSL 403的烧瓶,ssl,amazon-web-services,amazon-ec2,flask,amazon-elastic-beanstalk,Ssl,Amazon Web Services,Amazon Ec2,Flask,Amazon Elastic Beanstalk,下面是应用程序目录结构 app/\uuuu init.py 应用程序/静态/ 应用程序/模型/ 应用程序/视图/ application.py requirements.txt .elasticbeanstalk/config .elasticbeanstalk/optionsettings.application\u名称 .ebextensions/python.config .ebextensions/https.config 下面是.elasticbeanstalk中的文件片段 #co

下面是应用程序目录结构

  • app/\uuuu init.py
  • 应用程序/静态/
  • 应用程序/模型/
  • 应用程序/视图/
  • application.py
  • requirements.txt
  • .elasticbeanstalk/config
  • .elasticbeanstalk/optionsettings.application\u名称
  • .ebextensions/python.config
  • .ebextensions/https.config
下面是.elasticbeanstalk中的文件片段

#config
EnvironmentTier=WebServer::Standard::1.0
EnvironmentType=SingleInstance
Region=us-west-1
ServiceEndpoint=https://elasticbeanstalk.us-west-1.amazonaws.com
SolutionStack=64bit Amazon Linux 2014.03 v1.0.3 running Python

#optionsettings.application_name
[aws:elasticbeanstalk:container:python]
NumProcesses=1
NumThreads=15
StaticFiles=/static/=app/static/
WSGIPath=application.py

[aws:elasticbeanstalk:container:python:staticfiles]
/static/=app/static/
下面是我从SSL创建SSL证书的步骤

  • openssl genrsa 2048>privatekey.pem
  • openssl请求-新建-密钥privatekey.pem-out csr.pem
  • 向Comodo发出SSL证书请求并收到三个文件
    • 根CA证书-AddTrustExternalCARoot.crt
    • 中级CA证书-PositiveSSLCA2.crt
    • 您的PositiveSSL证书-server.crt
注意:我将服务器指定为Apache/OpenSSL

最后,这里是.ebextensions中的文件片段

#https.config
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: 000777
    owner: ec2-user
    group: ec2-user
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

        Alias /static /opt/python/current/app/
        <Directory /opt/python/current/app/>
        Order allow,deny
        Allow from all
        </Directory>

        WSGIScriptAlias / /opt/python/current/app/python/application.py

        <Directory /opt/python/current/app/>
        Order allow,deny
        Allow from all
        </Directory>

        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
          home=/opt/python/current/app
        WSGIProcessGroup wsgi
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: 000777
    owner: ec2-user
    group: ec2-user
    content: |
      -----BEGIN CERTIFICATE-----
      #contents from server.crt
      -----END CERTIFICATE-----


  /etc/pki/tls/certs/server.key:
    mode: 000777
    owner: ec2-user
    group: ec2-user
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      #contents from privatekey.pem
      -----END RSA PRIVATE KEY-----
所以是的,SSL证书指的是我的自定义域,而服务器仍然认为它是ec2的默认公共DNS(我认为)

仅供参考,自定义域是从Godaddy购买的。我这样做是为了让一条记录指向我的EC2IP地址

简而言之,如何使ec2服务器在设置ssl时知道其fqdn是我的自定义域,而不是ec2提供的域?

这些不匹配:

    WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
      python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
      home=/opt/python/current/app
    WSGIProcessGroup wsgi
您可能应该:

    WSGIProcessGroup wsgi-ssl
警告:我是开发人员,不是系统管理员,我不知道自己在做什么

这周我遇到了完全相同的问题。包括域1。这是一个适合我的配置。反馈是欢迎的,因为我刚刚黑了这个Toghter

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
        Require all granted
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateChainFile "/etc/pki/tls/certs/inter.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

        Alias /static /opt/python/current/app/printwithme/static
        <Directory /opt/python/current/app/>
        Order allow,deny
        Allow from all
        </Directory>

        WSGIScriptAlias / /opt/python/current/app/application.py

        <Directory /opt/python/current/app/>
        Require all granted
        </Directory>

        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app:/opt/python/run/venv/lib/python2.6/site-packages user=wsgi group=wsgi \
          home=/opt/python/current/app
        WSGIProcessGroup wsgi-ssl
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----

      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----

      -----END RSA PRIVATE KEY-----

  /etc/pki/tls/certs/inter.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----

      -----END CERTIFICATE-----

container_commands:
  01killhttpd:
    command: "killall httpd"
  02waitforhttpddeath:
    command: "sleep 3"

这应该指向创建应用程序对象的文件。你的可能不一样

然后必须改变:

WSGIScriptAlias / /opt/python/current/app/python/application.py

Alias /static /opt/python/current/app/

因为在我的应用程序中,静态文件位于嵌套文件夹中。这应该指向包含您的文件的目录。请注意,
my app name
是一个变量,需要时可由您更改

最后,我添加了一个
文件。这是SSL人员用我的证书给我的。您可能也需要添加它。在我看来,这可能是可选的,但不是真的

如果我错过了什么,对不起

更新 我对文件模式有问题。我不得不引用他们的话: 模式:“000755” 模式:“000400”

我将更新配置以反映这些更改。

已应用修复,但问题仍然存在。可能是因为我对Apache缺乏了解,但代码段中的user=wsgi group=wsgi是否也会受到影响?使用user=wsgi group=wsgi可能不是您想要的,因为这意味着您必须在系统上拥有一个名为该组的UNIX用户和组,而您不会这样做。除非你知道自己在做什么,否则所有这些选项都应该被忽略。在指令中,尝试将它们设置为甚至不需要的Apache用户是一个常见错误。在没有相应UNIX用户或组的情况下,随意将它们设置为其他内容更糟糕。我在这里有点迷茫。那么,我是否保留WSGIDaemonProcess?在专家看来,wsgi设置可能有缺陷,但就日志而言,我认为ssl设置将首先受到质疑,正如问题的更新部分所述。您的ssl证书消息是另一个问题。如果你解决了这个问题,mod_wsgi就会因为我指出的原因而失败。WSGIProcessGroup指令的第一个参数必须与您定义的WSGIDaemonProcess匹配。目前情况并非如此,因此,如果请求到达mod_wsgi,它将错误地说您正在尝试选择一个不存在的守护进程组。为了避免这种情况,您需要将WSGIProcessGroup指令的参数更改为wsgi ssl,以匹配WSGIDaemonProcess指令用作第一个参数的参数。我想立即尝试一下,但目前我已经永久放弃了eb。不管怎样,这个答案更直接地解决了我的问题! 
WSGIScriptAlias / /opt/python/current/app/application.py

Alias /static /opt/python/current/app/

Alias /static /opt/python/current/app/my-app-name/static