无法从自定义域 HTTPS 访问 Elastic Beanstalk（单实例）

Question

问候 SO 社区，

我正在尝试将我的单实例 Elastic Beanstalk 应用程序配置为使用自定义域和 HTTPS。自定义域和 SSL 证书都是从第三方获得的，并使用他们的 DNS 服务器（而不是 Route 53）。

我添加了每个 AWS 文档 (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html) 的 .ebextensions/https-instance-securitygroup.config 以及 Node 应用程序的文件 (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html)。最后一步的唯一区别是我没有创建 .ebextensions/https-instance.config 文件，因为我将代码推送到 GitHub 并使用 CodePipeline 构建我的代码。因此，https.conf 和证书是手动创建并上传到 EC2 实例的。

另外，我检查了我的实例的入站规则，以确保 80 和 443 在 EB 实例和关联的安全组上处于打开状态。

proxy.conf

upstream nodejs {
  server 127.0.0.1:5000;
  keepalive 256;
}

server {
  listen 8080;

  if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
      set $year $1;
      set $month $2;
      set $day $3;
      set $hour $4;
  }
  access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
  access_log  /var/log/nginx/access.log  main;

  location / {
      proxy_pass  http://nodejs;
      proxy_set_header   Connection "";
      proxy_http_version 1.1;
      proxy_set_header        Host            $host;
      proxy_set_header        X-Real-IP       $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  gzip on;
  gzip_comp_level 4;
  gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  location /static {
      alias /var/app/current/client/build/static;
  }

}

https.conf

# HTTPS server

server {
  listen       443      ssl;
  server_name  localhost;

  ssl_certificate      /etc/pki/tls/certs/server.crt;
  ssl_certificate_key  /etc/pki/tls/certs/server.key;

  ssl_session_timeout  5m;

  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers   on;

  # For enhanced health reporting support, uncomment this block:

  #if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
  #    set $year $1;
  #    set $month $2;
  #    set $day $3;
  #    set $hour $4;
  #}
  #access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
  #access_log  /var/log/nginx/access.log  main;

  location / {
          proxy_pass  http://nodejs;
          proxy_set_header   Connection "";
          proxy_http_version 1.1;
          proxy_set_header        Host            $host;
          proxy_set_header        X-Real-IP       $remote_addr;
          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header        X-Forwarded-Proto https;
  }
}

Answer 1

因此，在第一百次重读 AWS 文档之后，我终于能够解决我的问题。而且因为我没有严格使用.ebextensions 文件夹的首选方法，所以我不得不直接在 Elastic Beanstalk 创建的 EC2 实例上摆弄 Nginx 代理。

简而言之，我的/etc/nginx/conf.d/proxy.conffile 中缺少以下部分：

location / {
   ### START MISSING ###
   set $redirect 0;
   if ($http_x_forwarded_proto != "https") {
     set $redirect 1;
   }
   if ($http_user_agent ~* "ELB-HealthChecker") {
     set $redirect 0;
   }
   if ($redirect = 1) {
     return 301 https://$host$request_uri;
   }
   ### END OF MISSING ###

   proxy_pass  http://nodejs;
   proxy_set_header   Connection "";
   proxy_http_version 1.1;
   proxy_set_header        Host            $host;
   proxy_set_header        X-Real-IP       $remote_addr;
   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
}

此处记录：https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html

具体来说，这是一个来自 NodeJS 的 sn-p，默认 Nginx 代理配置文件：https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/security-configuration/https-redirect/nodejs/https-redirect-nodejs.config