首页 文章

SSL无法与Elastic Load Balancer和Nginx一起使用

提问于
浏览
0

我最近购买了SSL证书,我正在尝试使用Nginx EC2实例将其加载到我的Elastic Load Balancer上 .

该网站没有加载任何东西,我的错误日志显示此错误: no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

所有的 Health 检查都在亚马逊的网站上传递,所以我不确定是什么问题 . SSL证书也已正确上传到我的ELB . 我的nginx代理文件如下所示:

server {    
    listen 80;
    listen 443 default_server ssl;

    rewrite ^(.*) https://$host$1 permanent;

    client_max_body_size 4G;
    client_header_timeout 60;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    server_name %(DOMAINS)s %(EC2_INSTANCES)s;
    keepalive_timeout 20;
    root %(PROJECT_PATH)s;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://app_server;
            break;
        }
    }
    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /path/to/app/current/public;
    }
}

任何意见是极大的赞赏!先感谢您!

EDIT - - -

该网站现在显示一个纯白页,但是当我检查元素时(通过Chrome)有503错误 . 不确定这是否起作用,但我认为越多的信息就越好 .

ssl amazon-web-services nginx amazon-ec2 amazon-elb

1 回答

  • 1

    在您的ELB中,将流量从443重定向到80端口,并在您的vhost中执行此操作:

    server {

    listen 80;
rewrite ^(.*) https://$host$1 permanent;    

client_max_body_size 4G;
client_header_timeout 60;
client_body_buffer_size 1K;
client_header_buffer_size 1k;
server_name %(DOMAINS)s %(EC2_INSTANCES)s;
keepalive_timeout 20;
root %(PROJECT_PATH)s;

location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    set $is_https 'off';
            if ($http_x_forwarded_proto ~ 'https') {
                    set $is_https 'on';
            }
    proxy_set_header HTTPS $is_https;

    proxy_redirect off;
    if (!-f $request_filename) {
        proxy_pass http://app_server;
        break;
    }
}
error_page 500 502 503 504 /500.html;
location = /500.html {
    root /path/to/app/current/public;
}

    }

    如果要在ELB中终止SSL,则不需要在vhost中检查SSL . 您只需检查http_x_forwarded_proto标头并将其传递给后端即可 .

    回复于

相关问题