我試圖在使用Elastic Beanstalk部署的AWS EC2實例上啓用HTTPS。執行此操作的文檔要求您在應用程序的根目錄中的目錄.ebextensions/https-instance.config
中添加this snippet。我必須分別用我的證書和密鑰替換certificate file contents
和private key contents
。我最初接受的格式不正確的錯誤,所以我轉換他們以JSON和提供的片段重新上傳它 -在運行Tomcat的EC2實例上終止HTTPS
{
"files": {
"/etc/httpd/conf.d/ssl.conf": {
"owner": "root",
"content": "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n<VirtualHost *:443>\n <Proxy *>\n Order deny,allow\n Allow from all\n </Proxy>\n\n SSLEngine on\n SSLCertificateFile \"/etc/pki/tls/certs/server.crt\"\n SSLCertificateKeyFile \"/etc/pki/tls/certs/server.key\"\n SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\n SSLProtocol All -SSLv2 -SSLv3\n SSLHonorCipherOrder On\n \n Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains; preload\"\n Header always set X-Frame-Options DENY\n Header always set X-Content-Type-Options nosniff\n \n ProxyPass/http://localhost:8080/ retry=0\n ProxyPassReverse/http://localhost:8080/\n ProxyPreserveHost on\n \n</VirtualHost>\n",
"group": "root",
"mode": "000644"
},
"/etc/pki/tls/certs/server.crt": {
"owner": "root",
"content": "-----BEGIN CERTIFICATE-----\ncertificate file contents\n-----END CERTIFICATE-----\n",
"group": "root",
"mode": "000400"
},
"/etc/pki/tls/certs/server.key": {
"owner": "root",
"content": "-----BEGIN RSA PRIVATE KEY-----\nprivate key contents # See note below.\n-----END RSA PRIVATE KEY-----\n",
"group": "root",
"mode": "000400"
}
},
"container_commands": {
"killhttpd": {
"command": "killall httpd"
},
"waitforhttpddeath": {
"command": "sleep 3"
}
},
"packages": {
"yum": {
"mod_ssl": []
}
}
}
部署與錯誤中止 -
[Instance: i-0x012x0123x012xyz] Command failed on instance. Return code: 1 Output: httpd: no process found. container_command killhttpd in my-app-name/.ebextensions/https-instance.config failed. For more detail, check /var/log/eb-activity.log using console or EB CLI.
我可以告訴大家,錯誤的是是由於container_commands
鍵造成的,因此在配置後會停止httpd
,以致於可以使用新的https.conf
和證書。它告訴我,它試圖殺死httpd
,但它找不到任何此類進程正在運行。 service httpd status
顯示httpd.worker (pid 0123) is running
,我也可以在線訪問我的應用程序。 /var/log/eb-activity.log
也沒有任何記錄。
我見過其他一些人在網上發佈相同的問題,但我找不到任何解決方案。有什麼我在這裏做錯了嗎?
由於您使用Elastic Beanstalk,因此您不僅僅是在ELB級別終止SSL? – birryree
@birryree我是,但我想終止它一直到EC2實例。 –
在這種情況下,問題可能是'ebextensions'嘗試執行'killall httpd',但是你的過程被稱爲'httpd.worker'。如果你用'killall httpd.worker'替換'killall httpd',會發生什麼? – birryree