SSL: How do I restart httpd on an EC2 instance in Elastic Beanstalk to enable HTTPS?

Tags: ssl, amazon-ec2, https, amazon-elastic-beanstalk

Question

I am trying to enable HTTPS on an EC2 instance in Elastic Beanstalk. I have an https-instance.config file in the .ebextensions directory which includes stopping and starting the httpd server. The original container command was as follows (from the AWS documentation, also mentioned in my question):

However, I get the following error, with details in cfn-init.log:
2020-08-25 14:51:55,622 [INFO] -----------------------Starting build-----------------------
2020-08-25 14:51:55,631 [INFO] Running configSets: Infra-EmbeddedPostBuild
2020-08-25 14:51:55,634 [INFO] Running configSet Infra-EmbeddedPostBuild
2020-08-25 14:51:55,638 [INFO] Running config postbuild_0_tiny_app
2020-08-25 14:51:55,706 [ERROR] Command 01killhttpd (systemctl restart httpd.service) failed
2020-08-25 14:51:55,706 [ERROR] Error encountered during build of postbuild_0_tiny_app: Command 01killhttpd failed
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 542, in run_config
    CloudFormationCarpenter(config, self._auth_config).build(worklog)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 260, in build
    changes['commands'] = CommandTool().apply(self._config.commands)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/command_tool.py", line 117, in apply
    raise ToolError(u"Command %s failed" % name)
ToolError: Command 01killhttpd failed
2020-08-25 14:51:55,706 [ERROR] -----------------------BUILD FAILED!------------------------
2020-08-25 14:51:55,707 [ERROR] Unhandled exception during build: Command 01killhttpd failed
Traceback (most recent call last):
  File "/opt/aws/bin/cfn-init", line 171, in <module>
    worklog.build(metadata, configSets)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 129, in build
    Contractor(metadata).build(configSets, self)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 530, in build
    self.run_config(config, worklog)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 542, in run_config
    CloudFormationCarpenter(config, self._auth_config).build(worklog)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 260, in build
    changes['commands'] = CommandTool().apply(self._config.commands)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/command_tool.py", line 117, in apply
    raise ToolError(u"Command %s failed" % name)
ToolError: Command 01killhttpd failed
and

Question

How do I restart the httpd server so that my application accepts HTTPS connections?

Context

- Amazon Linux 2
- Flask application in the Python 3.7 environment
- A single EC2 instance, so there is no load balancer
- I only need this for development purposes

https-instance.config:
packages:
  yum:
    mod_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule wsgi_module modules/mod_wsgi.so
      WSGIPythonHome /opt/python/run/baselinenv
      WSGISocketPrefix run/wsgi
      WSGIRestrictEmbedded On

      Listen 443
      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"

        Alias /static/ /opt/python/current/app/static/
        <Directory /opt/python/current/app/static>
          Order allow,deny
          Allow from all
        </Directory>

        WSGIScriptAlias / /opt/python/current/app/application.py

        <Directory /opt/python/current/app>
          Require all granted
        </Directory>

        WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP} \
          python-path=/opt/python/current/app \
          python-home=/opt/python/run/venv \
          home=/opt/python/current/app \
          user=wsgi \
          group=wsgi
        WSGIProcessGroup wsgi-ssl

      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      MIID8zCCAtsCFGzyKrXOsCiyLHRPfBG75SlmQyXqMA0GCSqGSIb3DQEBCwUAMIG1
      ...
      PuulTMAZWNXHa0g+XbRTtOQDA8FA0vlA80B+rFUQESSo2Cw5JKXTaL9OpMMG/t9S
      qvv+vGuaIw==
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEogIBAAKCAQEA+OYzho7mXLUY6zTTqBIibsk2rfuJIO2xN2moIUNTqzJS8Yv6
      ...
      cSQsBzRR1Z5hl77Qa6gwiDx7rYswWtQt/8zsY8OUB3kg1SqriwI=
      -----END RSA PRIVATE KEY-----

container_commands:
  01restartservice:
    command: "systemctl restart httpd.service"
Answer

The command fails because on Amazon Linux 2 with the Python 3.7 environment there is no httpd (it is physically installed, but not active). You can verify this by logging into the instance and running:

sudo systemctl status httpd

Instead, nginx and gunicorn are used as the wsgi server. The AWS documentation link you provided is for Amazon Linux 1, not 2.

Therefore, the SSL certificate and HTTPS should be set up with nginx, using the .platform/nginx/conf.d/ folder.

Comments

Interesting that httpd is restarted on every new deployment, which is enough for a single EC2 instance. I never knew that from the AWS docs; even in their Linux 2 specific docs (), they discuss configuration in the ".platform/httpd/conf.d/" folder. I guess I don't know how the configurations would differ (I'm no expert on this), but that is probably a separate question. I don't have ssh access at the moment.

@whoopscheckmate Yes. Sadly, the AWS docs are a mess right now. Some parts cover Amazon Linux 1, others Amazon Linux 2, and it is not clear when they are doing which.

This answer makes sense, but I searched for a clear way to map the httpd config to an nginx config and found nothing. This is the documentation I saw for enabling https with nginx (), but it doesn't seem right. My question is: is there a simple way to change the config file above into an nginx setup? If so, and you are willing to help, I can ask another question. If not, should I contact AWS on their forums? My other thought was to somehow change wsgi to httpd. Is that possible?

@whoopscheckmate Not sure at the moment. Maybe you can, but I'm not clear on how right now.