AWS Elastic Beanstalk .ebextensions 文件创建不起作用(apache 配置)
AWS Elastic Beanstalk .ebextensions File creation not working (apache config)
按照 https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-php.html 中的说明,我一直在尝试添加我的 SSL 证书以允许 https 用于我的 单实例环境。
我在这上面花了很多时间,这让我发疯。
我的重要发现是:
- 部署后,如果扩展脚本执行无误,则不会创建 /etc/httpd/conf.d/ssl.conf。或者它可能稍后被覆盖。在任何情况下,SSL 证书都不起作用
- 部署后,例如,如果我尝试创建 2 个相同的 ssl.conf 文件 - 导致错误(模块 ssl_module 已加载,跳过),则创建文件
我在重新部署和检查 /etc/httpd/conf.d/.
后通过 SSH 连接到 EC2 实例进行测试
我在平台上 运行:PHP 7.4 运行 在 64 位亚马逊 Linux 2/3.1.2
这是我第一次使用 SSL 证书和 AWS,因此非常感谢任何帮助。
https-instance.config:
packages:
yum:
mod_ssl: []
files:
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
1
-----END RSA PRIVATE KEY-----
"/etc/httpd/conf.d/ssl.conf":
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:80/ retry=0
ProxyPassReverse / http://localhost:80/
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto "https" early
</VirtualHost>
https-instance-single.config(对于这个问题不重要)
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
要创建/修改任何文件或执行任何脚本 post 部署,请执行以下操作(我已经回答了关于在部署时修改 nginx 配置的类似问题 )。 同样适用于您的 Apache 配置。
您需要在 /tmp 中创建文件,然后使用脚本 mv 将它们添加到最终位置。
以下适用于亚马逊Linux2环境:
来源:https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html
脚本从 .platform 中的子文件夹执行,您必须将其放在项目的根目录下,如下所示:
~/your-app/
|-- Procfile
|-- readme.md
|-- .ebextensions/
| |-- 01_write_some_files.config
`-- .platform/
|-- hooks
`-- postdeploy
`-- 01_move_some_files.sh # Executed post deployment
01_write_some_files.config
在 .ebextensions.
的根目录创建一个 .config 文件
- 在 /tmp 中创建文件:
files:
/tmp/someFolder/server.crt:
mode: "000644"
owner: root
group: root
content: |
# your file content
/tmp/someFolder/server.key:
mode: "000644"
owner: root
group: root
content: |
# your file content
# Do the same for all your files
01_move_some_files.sh
在.platform/hooks/postdeploy中创建一个小脚本并将权限更改为755.
#!/usr/bin/bash
# Move the files you created in /tmp into the desired directories.
sudo mv /tmp/someFolder/server.crt /etc/pki/tls/certs/server.crt
# other bash commands
按照 https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-php.html 中的说明,我一直在尝试添加我的 SSL 证书以允许 https 用于我的 单实例环境。
我在这上面花了很多时间,这让我发疯。
我的重要发现是:
- 部署后,如果扩展脚本执行无误,则不会创建 /etc/httpd/conf.d/ssl.conf。或者它可能稍后被覆盖。在任何情况下,SSL 证书都不起作用
- 部署后,例如,如果我尝试创建 2 个相同的 ssl.conf 文件 - 导致错误(模块 ssl_module 已加载,跳过),则创建文件
我在重新部署和检查 /etc/httpd/conf.d/.
后通过 SSH 连接到 EC2 实例进行测试我在平台上 运行:PHP 7.4 运行 在 64 位亚马逊 Linux 2/3.1.2
这是我第一次使用 SSL 证书和 AWS,因此非常感谢任何帮助。
https-instance.config:
packages:
yum:
mod_ssl: []
files:
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
1
-----END RSA PRIVATE KEY-----
"/etc/httpd/conf.d/ssl.conf":
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:80/ retry=0
ProxyPassReverse / http://localhost:80/
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto "https" early
</VirtualHost>
https-instance-single.config(对于这个问题不重要)
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
要创建/修改任何文件或执行任何脚本 post 部署,请执行以下操作(我已经回答了关于在部署时修改 nginx 配置的类似问题
您需要在 /tmp 中创建文件,然后使用脚本 mv 将它们添加到最终位置。
以下适用于亚马逊Linux2环境:
来源:https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html
脚本从 .platform 中的子文件夹执行,您必须将其放在项目的根目录下,如下所示:
~/your-app/
|-- Procfile
|-- readme.md
|-- .ebextensions/
| |-- 01_write_some_files.config
`-- .platform/
|-- hooks
`-- postdeploy
`-- 01_move_some_files.sh # Executed post deployment
01_write_some_files.config
在 .ebextensions.
的根目录创建一个 .config 文件- 在 /tmp 中创建文件:
files:
/tmp/someFolder/server.crt:
mode: "000644"
owner: root
group: root
content: |
# your file content
/tmp/someFolder/server.key:
mode: "000644"
owner: root
group: root
content: |
# your file content
# Do the same for all your files
01_move_some_files.sh
在.platform/hooks/postdeploy中创建一个小脚本并将权限更改为755.
#!/usr/bin/bash
# Move the files you created in /tmp into the desired directories.
sudo mv /tmp/someFolder/server.crt /etc/pki/tls/certs/server.crt
# other bash commands