
java - Configuring an SSL certificate on a single Elastic Beanstalk Tomcat instance

Author: Internet

I am trying to install an SSL certificate on my Tomcat Elastic Beanstalk EC2 instance. I also want my application to listen for HTTPS requests on port 443. As a starting point, my solution is based on this link.

After trying for a while, I could not install my certificate or get port 443 to listen for HTTPS requests.

These are the steps I followed:

1) I built the WAR with an .ebextensions folder under the src root, as follows

 ROOT.war
      |
       WEB-INF
       META-INF
       .ebextensions
           |
            https-instance-single.config
            https-instance.config

2) Contents of the https-instance.config file

packages:
  yum:
    mod_ssl : []

container_commands:
  1killhttpd:
    command: "killall httpd"
    ignoreErrors: true
  2wait:
    command: "sleep 3"

files:
  # Apache HTTPS configuration
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite           EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on
      </VirtualHost>


  # Public certificate
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      XXXXXXXXXXXXXXXXXXXXXXXXXXX
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      XXXXXXXXXXXXXXXXXXXXXXXXXXX
      -----END RSA PRIVATE KEY-----

  /etc/pki/tls/certs/gd_bundle.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      XXXXXXXXXXXXXXXXXXXXXXXXXXX
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      XXXXXXXXXXXXXXXXXXXXXXXXXXX
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      XXXXXXXXXXXXXXXXXXXXXXXXXXX
      -----END CERTIFICATE-----

3) Contents of the https-instance-single.config file

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

4) Then I deployed the WAR using the Elastic Beanstalk console (at least no error message was shown in the console during the process).

After deploying my WAR as described, my web application runs fine, but there is no SSL configuration and HTTPS requests are not redirected to port 443. Worse, the application is not even listening for HTTPS requests.

Does anyone have any light to shed? I don't want to use an ELB (Elastic Load Balancer) because I'm migrating a bunch of small applications and that would add a considerable cost (about $20 per application).

Solution:

These are all the steps that solved the problem:

1) I removed the /etc/httpd/conf.d/ssl.conf file declaration block from https-instance.config

2) I added the file itself at .ebextensions/httpd/conf.d/ssl.conf. The file contents are as follows:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com]
  SSLEngine             on
  SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
  SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
  SSLCipherSuite           EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol           All -SSLv2 -SSLv3
  SSLHonorCipherOrder   On

  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  Header always set X-Frame-Options DENY
  Header always set X-Content-Type-Options nosniff

  ProxyPass / http://localhost:8080/ retry=0
  ProxyPassReverse / http://localhost:8080/
  ProxyPreserveHost on
</VirtualHost>

Important: don't forget to add the ServerName line

3) This step is optional; do it only if you need it. If you want to redirect all HTTP requests from port 80 to 443, you have to add a configuration file with a listener configured on port 80. I named it elasticbeanstalk.conf

<VirtualHost *:80>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com]
  Redirect permanent / https://[YOUR APP ENDPOINT HERE i.e www.mydomain.com]/

  ErrorLog /var/log/httpd/elasticbeanstalk-error_log

</VirtualHost>

OK, this is how my WAR organises its directories:

ROOT.war
      |
       WEB-INF
       META-INF
       .ebextensions
           |
            https-instance-single.config
            https-instance.config
            httpd
                 |
                  conf.d
                        |
                         elasticbeanstalk.conf
                         ssl.conf
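
The answer above only works if four things are right before the WAR is uploaded: the certificate and private key placed under .ebextensions belong together, the leaf actually chains to the bundle shipped as gd_bundle.crt, the key file is not readable by other users (the post sets mode 000400), and ssl.conf carries a real ServerName rather than the [YOUR APP ENDPOINT HERE] placeholder. The POSIX shell script below is an added example, not code from the original question or answer, that runs those checks with openssl against a directory laid out like the post's .ebextensions. The function names, the assumption that openssl is on PATH, the constructed throwaway CA and leaf it generates so it can be exercised offline, and the unrelated other.key used to show the mismatch case are all mine, not the post's.

```shell
#!/bin/sh
# Pre-deployment checks for the files the answer embeds in .ebextensions.
# Added example, not from the original post. Assumes openssl on PATH and a
# directory holding server.crt, server.key, gd_bundle.crt and ssl.conf.
set -eu

# check_pair CERT KEY: the public key inside CERT must be the public half of
# KEY, otherwise httpd refuses to bring up the :443 VirtualHost.
check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# check_chain CERT BUNDLE: CERT must validate against the CA bundle the post
# ships as gd_bundle.crt (ssl.conf in the answer never references the bundle,
# so this is the only place it gets exercised before deployment).
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_private FILE: the key travels inside the WAR, so at least make sure
# it is not group- or world-readable (the post uses mode 000400).
check_private() {
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$perms" in
    400|600) return 0 ;;
    *) return 1 ;;
  esac
}

# check_servername CONF: the answer's "important" note; a real host name must
# follow ServerName, not the [YOUR APP ENDPOINT HERE] placeholder.
check_servername() {
  grep -Eq '^[[:space:]]*ServerName[[:space:]]+[A-Za-z0-9]' "$1"
}

# precheck DIR: run every check and report the first failure.
precheck() {
  d="$1"
  check_pair "$d/server.crt" "$d/server.key"     || { echo "FAIL: server.crt and server.key do not match"; return 1; }
  check_chain "$d/server.crt" "$d/gd_bundle.crt" || { echo "FAIL: server.crt does not chain to gd_bundle.crt"; return 1; }
  check_private "$d/server.key"                  || { echo "FAIL: server.key is readable by other users"; return 1; }
  check_servername "$d/ssl.conf"                 || { echo "FAIL: ServerName missing or placeholder left in ssl.conf"; return 1; }
  echo "OK: $d passes all checks"
}

# make_fixture DIR: constructed throwaway CA and leaf (hypothetical names) so
# the script can be exercised offline; a real deployment uses CA-issued files.
make_fixture() {
  d="$1"; mkdir -p "$d"
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Issuing CA' -keyout "$d/ca.key" -out "$d/gd_bundle.crt" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=www.example.test' -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/gd_bundle.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null      # unrelated key: the mismatch case
  chmod 400 "$d/server.key"
  printf 'ServerName www.example.test\n' > "$d/ssl.conf"
  printf 'ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com]\n' > "$d/ssl-unfilled.conf"
}

# Usage: precheck.sh DIR ; with no argument it demonstrates on the fixture.
if [ -n "${1:-}" ]; then
  precheck "$1"
else
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  precheck "$tmp"
  rm -rf "$tmp"
fi
```

Run it with the directory that holds the real files you are about to paste into the .ebextensions configs; the fixture path is only there so the script can be tried without a CA-issued certificate. One caveat the chain check surfaces: the answer's ssl.conf loads only server.crt and server.key, so if clients need the intermediates in gd_bundle.crt, they have to be appended to server.crt (Apache 2.4.8 and later read the chain from SSLCertificateFile) or referenced with SSLCertificateChainFile on older httpd builds.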

Tags: amazon-web-services, amazon-ec2, tomcat, elastic-beanstalk, java
Source: https://codeday.me/bug/20191026/1934693.html