这已经很接近了,只是缺少一些小步骤。我用 ALB ELB 解决了这个问题。
首先,我使用了与此处描述的脚本类似的脚本:https://myopswork.com/how-to-do-end-to-end-encryption-of-data-in-transit-b-w-aws-alb-and-ec2-3b7fd917cddd
#!/bin/bash
DIR=$(dirname $0)
domain=$(uname -n)
echo "Generating SSL for $domain"
commonname="$domain"
country="US"
state="California"
locality="LA"
organization="My Inc."
organizationalunit="Org"
email="[email protected]"
# Optional
password=dummypassword
echo "Generating key request for $domain"
mkdir -p /etc/ssl/private
chmod 700 /etc/ssl/private
mkdir -p /etc/ssl/certs
# Generate a key
openssl genrsa -des3 -passout pass:$password -out /etc/ssl/private/$domain.key 2048 -noout
# Remove passphrase from the key. Comment the line out to keep the passphrase
echo "Removing passphrase from key"
openssl rsa -in /etc/ssl/private/$domain.key -passin pass:$password -out /etc/ssl/private/$domain.key
# Create the request
echo "Creating CSR"
openssl req -new -key /etc/ssl/private/$domain.key -out /etc/ssl/private/$domain.csr -passin pass:$password \
-subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
# Create the cert
openssl x509 -req -days 365 -in /etc/ssl/private/$domain.csr -signkey /etc/ssl/private/$domain.key -out /etc/ssl/certs/$domain.crt
# Setup nginx config
sed "s/{{hostname}}/${domain}/" < $DIR/template.conf > /etc/nginx/sites-available/site.conf
ln -sf /etc/nginx/sites-available/site.conf /etc/nginx/sites-enabled/site.conf
模板看起来像这样:
server {
# listen 80 #uncomment to also listen on port 80 - useful for debugging
listen 443 ssl;
listen [::]:443 ssl;
server_name {{hostname}};
ssl_certificate /etc/ssl/certs/{{hostname}}.crt;
ssl_certificate_key /etc/ssl/private/{{hostname}}.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options sameorigin;
add_header X-Content-Type-Options nosniff;
location / {
...
}
}
该域名看起来像ip-172-10-11-12
.
为了调试所有内容,我运行了一些东西like以下内容 - 这是凭记忆得出的,因此可能有细节。我首先确保可以通过点击 nginx 在本地卷曲服务器:
curl https://ip-172-10-11-12/healthcheck --cacert /etc/ssl/certs/ip-172-10-11-12.crt
然后我得到了 ELB 地址,并确保我可以对此进行卷曲。我必须使用可以访问 ELB 机器的机器。请注意,由于安全规则,ELB 不可 pinagable,但可卷曲。我相信我测试了这两种方式。首先,我尝试过:
curl https://elb-address/healthcheck --insecure
然后我将 ip-172-10-11-12 添加到 /etc/hosts 文件并尝试:
curl https://ip-172-10-11-12/healthcheck --cacert /cert/file/copied/onto/machine
一旦我开始工作,ALB ELB 就开始工作了。在最后一次调用起作用之前,我必须检查防火墙规则、AWS 安全组等。但当它起作用时,ELB 开始看到服务器。
我在调试时还有一个最终的见解:如果从公共互联网访问 ELB,则 ELB 必须只有公共子网,并且公共子网应与目标计算机位于同一可用区