AWS EC2 + Nginx + 子域的 SSL
AWS EC2 + Nginx + SSL fro subdomain
任何人都可以向我解释一下如何在我的 AWS EC2 上安装 SSL。我读了很多文章,说这些步骤很简单,但我尝试了几个,其中 none 个有效。
我有一个 AWS EC2
EC2 静态 IP,54.X.X.X
子域名,xxxx.ab.abc.com
安全组:端口来自
定制 80、443、9000-9100
nginx 重定向
aaa1.ab.abc.com:80 到 aaa1.ab.abc.com:9001
aaa2.ab.abc.com:80 到 aaa1.ab.abc.com:9002
aaa3.ab.abc.com:80 到 aaa1.ab.abc.com:9003
...
aaa(n).ab.abc.com:80 到 aaa1.ab.abc.com:900(n)
ngnix.conf
server {
listen 80;
server_name ~^(aaa(?<site>[0-9]+)).ab.abc.com;
location / {
set $custom_port 90$site;
if ($custom_port ~ "^.{3}$") {
set $custom_port 900$site;
}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:$custom_port;
}
}
如何将 SSL 安装到 EC2 中,以便无论我访问哪个子域。它会得到认证吗?
Steps I have done.
$sudo service nginx stop
$git clone https://github.com/certbot/certbot.git to use certbot to generate SSL key
$./certbot-auto certonly --manual --email test@gmail.com -d ab.abc.com
$mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
$cd /tmp/certbot/public_html
$printf "%s" <key> > .well-known/acme-challenge/<key>
$sudo $(command -v python2 || command -v python2.7 || command -v python2.6) -c "import BaseHTTPServer, SimpleHTTPServer; s=BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler);s.serve_forever()"
then I have
108.14.0.213 - - [09/Jul/2017 03:32:26] "GET /path? HTTP/1.1" 404 -
^CTraceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/SocketServer.py", line 236, in serve_forever
poll_interval)
File "/usr/lib/python2.7/SocketServer.py", line 155, in _eintr_retry
return func(*args)
KeyboardInterrupt
如果您只想在您的实例上安装一个 SSl 证书,那么最好是生成一个 CSR 并使用第三方提供商(如 trustsign)签署一个。请注意,在这种情况下,您选择的 SSL 证书必须是上面给定的名称格式的通配符 ssl 证书类型。应该是 *ab.abc.com
如果这只是一个测试服务器并且您不关心安全警告,那么您可以按照以下方式自行签名,但是当您访问 url 来自您的浏览器
# openssl genrsa -out keyfile.key 2048
# openssl req -new -key keyfile.key -out certrequest.csr
# openssl x509 -req -days 3650 -in certrequest.csr -signkey keyfile.key -out certificate.pem
然后您可以将 nginx 配置更新为如下所示:
server {
listen 80;
listen 443;
ssl on;
ssl_certificate /path_to_your_public_Cert/certificate.pem;
ssl_certificate_key /path_to_yourPrivate_key/keyfile.key;
server_name ~^(aaa(?<site>[0-9]+)).ab.abc.com;
location / {
set $custom_port 90$site;
if ($custom_port ~ "^.{3}$") {
set $custom_port 900$site;
}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:$custom_port;
}
}
任何人都可以向我解释一下如何在我的 AWS EC2 上安装 SSL。我读了很多文章,说这些步骤很简单,但我尝试了几个,其中 none 个有效。
我有一个 AWS EC2
EC2 静态 IP,54.X.X.X
子域名,xxxx.ab.abc.com
安全组:端口来自
定制 80、443、9000-9100
nginx 重定向
aaa1.ab.abc.com:80 到 aaa1.ab.abc.com:9001
aaa2.ab.abc.com:80 到 aaa1.ab.abc.com:9002
aaa3.ab.abc.com:80 到 aaa1.ab.abc.com:9003
...
aaa(n).ab.abc.com:80 到 aaa1.ab.abc.com:900(n)
ngnix.conf
server {
listen 80;
server_name ~^(aaa(?<site>[0-9]+)).ab.abc.com;
location / {
set $custom_port 90$site;
if ($custom_port ~ "^.{3}$") {
set $custom_port 900$site;
}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:$custom_port;
}
}
如何将 SSL 安装到 EC2 中,以便无论我访问哪个子域。它会得到认证吗?
Steps I have done.
$sudo service nginx stop
$git clone https://github.com/certbot/certbot.git to use certbot to generate SSL key
$./certbot-auto certonly --manual --email test@gmail.com -d ab.abc.com
$mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
$cd /tmp/certbot/public_html
$printf "%s" <key> > .well-known/acme-challenge/<key>
$sudo $(command -v python2 || command -v python2.7 || command -v python2.6) -c "import BaseHTTPServer, SimpleHTTPServer; s=BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler);s.serve_forever()"
then I have
108.14.0.213 - - [09/Jul/2017 03:32:26] "GET /path? HTTP/1.1" 404 -
^CTraceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/SocketServer.py", line 236, in serve_forever
poll_interval)
File "/usr/lib/python2.7/SocketServer.py", line 155, in _eintr_retry
return func(*args)
KeyboardInterrupt
如果您只想在您的实例上安装一个 SSl 证书,那么最好是生成一个 CSR 并使用第三方提供商(如 trustsign)签署一个。请注意,在这种情况下,您选择的 SSL 证书必须是上面给定的名称格式的通配符 ssl 证书类型。应该是 *ab.abc.com
如果这只是一个测试服务器并且您不关心安全警告,那么您可以按照以下方式自行签名,但是当您访问 url 来自您的浏览器
# openssl genrsa -out keyfile.key 2048
# openssl req -new -key keyfile.key -out certrequest.csr
# openssl x509 -req -days 3650 -in certrequest.csr -signkey keyfile.key -out certificate.pem
然后您可以将 nginx 配置更新为如下所示:
server {
listen 80;
listen 443;
ssl on;
ssl_certificate /path_to_your_public_Cert/certificate.pem;
ssl_certificate_key /path_to_yourPrivate_key/keyfile.key;
server_name ~^(aaa(?<site>[0-9]+)).ab.abc.com;
location / {
set $custom_port 90$site;
if ($custom_port ~ "^.{3}$") {
set $custom_port 900$site;
}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:$custom_port;
}
}