1. 首页
  2. 问答
  3. 将SSL证书配置为单个Elastic Beanstalk TOMCAT实例

将SSL证书配置为单个Elastic Beanstalk TOMCAT实例

2017-02-28 72 views
1

我试图在我的TOMCAT elastic beanstalk EC2实例中安装SSL证书。我还希望我的应用程序监听端口443上的HTTPS请求。作为起点,我基于this link上的解决方案。将SSL证书配置为单个Elastic Beanstalk TOMCAT实例

经过一段时间的大量尝试后,我无法安装证书或使端口443侦听到HTTPS请求。

那些是我遵循以下步骤:

1)I建立与在SRC ROOT一个.ebextensions文件夹中的WAR,如下

ROOT.war 
     | 
     WEB-INF 
     META-INF 
     .ebextensions 
      | 
      https-instance-single.config 
      https-instance.config

2)HTTPS-instance.config文件内容

packages: 
    yum: 
    mod_ssl : [] 

container_commands: 
    1killhttpd: 
    command: "killall httpd" 
    ignoreErrors: true 
    2wait: 
    command: "sleep 3" 

files: 
    # Apache HTTPS configuration 
    /etc/httpd/conf.d/ssl.conf: 
    mode: "000644" 
    owner: root 
    group: root 
    content: | 
     LoadModule ssl_module modules/mod_ssl.so 
     Listen 443 
     <VirtualHost *:443> 
     <Proxy *> 
      Order deny,allow 
      Allow from all 
     </Proxy> 

     SSLEngine    on 
     SSLCertificateFile "/etc/pki/tls/certs/server.crt" 
     SSLCertificateKeyFile "/etc/pki/tls/certs/server.key" 
     SSLCipherSuite   EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH 
     SSLProtocol   All -SSLv2 -SSLv3 
     SSLHonorCipherOrder On 

     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 
     Header always set X-Frame-Options DENY 
     Header always set X-Content-Type-Options nosniff 

     ProxyPass/http://localhost:8080/ retry=0 
     ProxyPassReverse/http://localhost:8080/ 
     ProxyPreserveHost on 
     </VirtualHost> 


    # Public certificate 
    /etc/pki/tls/certs/server.crt: 
    mode: "000400" 
    owner: root 
    group: root 
    content: | 
     -----BEGIN CERTIFICATE----- 
     XXXXXXXXXXXXXXXXXXXXXXXXXXX 
     -----END CERTIFICATE----- 

    /etc/pki/tls/certs/server.key: 
    mode: "000400" 
    owner: root 
    group: root 
    content: | 
     -----BEGIN RSA PRIVATE KEY----- 
     XXXXXXXXXXXXXXXXXXXXXXXXXXX 
     -----END RSA PRIVATE KEY----- 

    /etc/pki/tls/certs/gd_bundle.crt: 
    mode: "000400" 
    owner: root 
    group: root 
    content: | 
     -----BEGIN CERTIFICATE----- 
     XXXXXXXXXXXXXXXXXXXXXXXXXXX 
     -----END CERTIFICATE----- 
     -----BEGIN CERTIFICATE----- 
     XXXXXXXXXXXXXXXXXXXXXXXXXXX 
     -----END CERTIFICATE----- 
     -----BEGIN CERTIFICATE----- 
     XXXXXXXXXXXXXXXXXXXXXXXXXXX 
     -----END CERTIFICATE-----

3)HTTPS实例-single.config文件内容

Resources: 
    sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress 
    Properties: 
     GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]} 
     IpProtocol: tcp 
     ToPort: 443 
     FromPort: 443 
     CidrIp: 0.0.0.0/0

4)然后我使用弹性beanstalk控制台部署我的WAR(在进程中至少在控制台中引发了没有错误消息)。

我的战争如指定,我的web应用程序运行完美,但没有SSL配置和HTTPS请求没有被重定向到端口443.更糟糕的是,应用程序甚至没有收听HTTPS请求。

任何人都有光?我不想使用ELB(弹性负载平衡器),因为我正在迁移一堆小应用程序,这会带来我大幅增加的成本(每个应用程序大约20美元)。

来源

2017-02-28 Daniel Interliche

+0

你摸不着头脑? – hgolov

+0

什么都没有!有什么想法吗? –

+0

我有同样的问题,没有解决方案:( –

回答

2

这里是所有步骤我跟着解决我的问题:

1)I去除从/etc/httpd/conf.d/ssl.conf文件声明块HTTPS-instance.config

2)我在.ebextensions/httpd/conf.d/ssl.conf文件中添加了这个文件。娄文件内容:

LoadModule ssl_module modules/mod_ssl.so 
Listen 443 
<VirtualHost *:443> 
    <Proxy *> 
    Order deny,allow 
    Allow from all 
    </Proxy> 

    ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com] 
    SSLEngine    on 
    SSLCertificateFile "/etc/pki/tls/certs/server.crt" 
    SSLCertificateKeyFile "/etc/pki/tls/certs/server.key" 
    SSLCipherSuite   EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH 
    SSLProtocol   All -SSLv2 -SSLv3 
    SSLHonorCipherOrder On 

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 
    Header always set X-Frame-Options DENY 
    Header always set X-Content-Type-Options nosniff 

    ProxyPass/http://localhost:8080/ retry=0 
    ProxyPassReverse/http://localhost:8080/ 
    ProxyPreserveHost on 
</VirtualHost>

重要:不要忘记添加一个符合你服务器名称

3)这一步是可选的,只要做到这一点。如果你想重定向所有的HTTP请求从端口80到443您必须添加配置文件与端口80监听器配置。我把它命名为elasticbeanstalk.conf

<VirtualHost *:80> 
    <Proxy *> 
    Order deny,allow 
    Allow from all 
    </Proxy> 

    ServerName [YOUR APP ENDPOINT HERE i.e www.mydomain.com] 
    Redirect permanent/https://[YOUR APP ENDPOINT HERE i.e www.mydomain.com]/ 

    ErrorLog /var/log/httpd/elasticbeanstalk-error_log 

</VirtualHost>

Finnaly,那我怎么战争的目录组织:

ROOT.war 
     | 
     WEB-INF 
     META-INF 
     .ebextensions 
      | 
      https-instance-single.config 
      https-instance.config 
      | 
      httpd 
       | 
        conf.d 
         | 
         elasticbeanstalk.conf 
         ssl.conf

来源

2017-10-27 14:14:09

1

我有同样的问题。我在Elastic Beanstalk的Java Tomcat Platform文档中发现了答案。您不需要通过http-instance.config文件中的配置来创建ssl.conf文件,而需要在.ebextensions/httpd/conf.d/ssl.conf中自行创建该文件。

来源

2017-05-03 19:41:09 Harv

+0

感谢Harv,你的回答帮我找到了我的最终解决方案,贴出来了。 –

相关问题

 相关问题