2016-12-15 116 views
0

我試圖在使用Elastic Beanstalk部署的AWS EC2實例上啓用HTTPS。執行此操作的文檔要求您在應用程序的根目錄中的目錄.ebextensions/https-instance.config中添加this snippet。我必須分別用我的證書和密鑰替換certificate file contentsprivate key contents。我最初接受的格式不正確的錯誤,所以我轉換他們以JSON和提供的片段重新上傳它 -在運行Tomcat的EC2實例上終止HTTPS

{ 
    "files": { 
    "/etc/httpd/conf.d/ssl.conf": { 
     "owner": "root", 
     "content": "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n<VirtualHost *:443>\n <Proxy *>\n Order deny,allow\n Allow from all\n </Proxy>\n\n SSLEngine    on\n SSLCertificateFile \"/etc/pki/tls/certs/server.crt\"\n SSLCertificateKeyFile \"/etc/pki/tls/certs/server.key\"\n SSLCipherSuite  EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\n SSLProtocol   All -SSLv2 -SSLv3\n SSLHonorCipherOrder On\n \n Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains; preload\"\n Header always set X-Frame-Options DENY\n Header always set X-Content-Type-Options nosniff\n \n ProxyPass/http://localhost:8080/ retry=0\n ProxyPassReverse/http://localhost:8080/\n ProxyPreserveHost on\n \n</VirtualHost>\n", 
     "group": "root", 
     "mode": "000644" 
    }, 
    "/etc/pki/tls/certs/server.crt": { 
     "owner": "root", 
     "content": "-----BEGIN CERTIFICATE-----\ncertificate file contents\n-----END CERTIFICATE-----\n", 
     "group": "root", 
     "mode": "000400" 
    }, 
    "/etc/pki/tls/certs/server.key": { 
     "owner": "root", 
     "content": "-----BEGIN RSA PRIVATE KEY-----\nprivate key contents # See note below.\n-----END RSA PRIVATE KEY-----\n", 
     "group": "root", 
     "mode": "000400" 
    } 
    }, 
    "container_commands": { 
    "killhttpd": { 
     "command": "killall httpd" 
    }, 
    "waitforhttpddeath": { 
     "command": "sleep 3" 
    } 
    }, 
    "packages": { 
    "yum": { 
     "mod_ssl": [] 
    } 
    } 
} 

部署與錯誤中止 -

[Instance: i-0x012x0123x012xyz] Command failed on instance. Return code: 1 Output: httpd: no process found. container_command killhttpd in my-app-name/.ebextensions/https-instance.config failed. For more detail, check /var/log/eb-activity.log using console or EB CLI. 

我可以告訴大家,錯誤的是是由於container_commands鍵造成的,因此在配置後會停止httpd,以致於可以使用新的https.conf和證書。它告訴我,它試圖殺死httpd,但它找不到任何此類進程正在運行。 service httpd status顯示httpd.worker (pid 0123) is running,我也可以在線訪問我的應用程序。 /var/log/eb-activity.log也沒有任何記錄。

我見過其他一些人在網上發佈相同的問題,但我找不到任何解決方案。有什麼我在這裏做錯了嗎?

+0

由於您使用Elastic Beanstalk,因此您不僅僅是在ELB級別終止SSL? – birryree

+0

@birryree我是,但我想終止它一直到EC2實例。 –

+1

在這種情況下,問題可能是'ebextensions'嘗試執行'killall httpd',但是你的過程被稱爲'httpd.worker'。如果你用'killall httpd.worker'替換'killall httpd',會發生什麼? – birryree

回答

1

ebextensions正試圖執行killall httpd,但您的過程被稱爲httpd.worker

ebextensions中的行更改爲killall httpd.worker

+0

我得到'輸出:httpd:找不到進程',所以我改變它,如你所說,然後我得到'輸出:httpd.worker:找不到進程'。有任何想法嗎? – Richard

+0

@Richard您是否運行完全相同的環境(運行Amazon Linux的Elastic Beanstalk上的Tomcat配置)?在這種情況下,您是否啓用了Apache HTTP Server作爲代理或nginx?有很多配置我的建議不起作用。 – birryree

+0

是的,我是64位運行Tomcat 8 Java 8的Amazon Linux 2017.03 v2.6.0 – Richard