How to force https on elastic beanstalk?

Posted 2019-01-04 06:49

I can't seem to force https on the free usage tier of elastic beanstalk.

I have tried the following suggestion at How to force https on amazon elastic beanstalk without failing the health check

Using this Apache rewrite rule

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/status$ 
RewriteCond %{REQUEST_URI} !^/version$ 
RewriteCond %{REQUEST_URI} !^/_hostmanager/ 
RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

When I try that, http requests do not get redirected to https as I would like. Instead, the http page loads normally. I've also tried to use the X-Forwarded-Port header with the same result.

I've also tried the following rewrite rule

RewriteCond %{SERVER_PORT} 80
RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

And this rule causes a redirect loop. So it would seem that the apache rewrite rules don't pick up the Elastic Load Balancer headers X-Forwarded-Port and X-Forwarded-Proto, but also a redirect loop isn't what I am going for either.

Please help. I am new to AWS, Elastic Beanstalk, and not very familiar with Apache rules. I am not too sure where to go from here. Thanks.

19 answers
Bombasti
#2 · 2019-01-04 07:08

On Elastic Beanstalk you can just add your own configuration so that AWS overwrites theirs; it will allow you to overwrite the web-server configuration and submit your own configuration.

Simply add the following file under the path: .ebextensions\httpd\conf.d

File content:

<VirtualHost *:80>
   LoadModule rewrite_module modules/mod_rewrite.so

   RewriteEngine On
   RewriteCond %{HTTP:X-Forwarded-Proto} !https
   RewriteCond %{HTTP_USER_AGENT} !ELB-HealthChecker
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

   <Proxy *>
     Order deny,allow
     Allow from all
   </Proxy>

   ProxyPass / http://localhost:8080/ retry=0
   ProxyPassReverse / http://localhost:8080/
   ProxyPreserveHost on

   ErrorLog /var/log/httpd/elasticbeanstalk-error_log

</VirtualHost>

The '.ebextensions' is the standard configuration folder in AWS and the rest just points to which file and folder you wish to overwrite. If the file or folder doesn't exist, simply create them.

Viruses.
#3 · 2019-01-04 07:12

Just in case anybody is still struggling:

I've struggled for some time and finally, I've found a GitHub (from AWS team) with all AWS configs and the example below works for the HTTP>HTTPS redirection for Apache 2.2. (For configs for Apache 2.4 and Nginx please see the link below).

Apache 2.2

  1. Create a file in the root directory of your app: YOUR_PROJECT_ROOT/.ebextensions/httpd/conf.d/elasticbeanstalk.conf (In case of using IntelliJ / Java, make sure it gets added to the final .WAR artifact)

  2. Add the following lines to enable the redirection in the virtual host:

    <VirtualHost *:80>
        LoadModule rewrite_module modules/mod_rewrite.so
        RewriteEngine On
        RewriteCond %{HTTP:X-Forwarded-Proto} !https
        RewriteCond %{HTTP_USER_AGENT} !ELB-HealthChecker
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
    
        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on
    
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
    </VirtualHost>
    

For more examples for Apache 2.4 and Nginx please visit this GitHub repository:

https://github.com/awsdocs/elastic-beanstalk-samples/tree/master/configuration-files/aws-provided/security-configuration/https-redirect/java-tomcat

Also, there is plenty more useful configuration and examples available.

Regards

虎瘦雄心在
#4 · 2019-01-04 07:13

Edit: Zags' solution is more general and correct. I recommend it over mine (which is specific to a Python env).

Here's a clean and quick solution that I came up with that avoids hacking wsgi.conf or using CloudFront

In your .ebextensions/some_file.config:

files:
  # Redirect HTTP to HTTPS
  "/etc/httpd/conf.d/https_redirect.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      <Directory /opt/python/current/app/>
      RewriteEngine on
      RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
      RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
      </Directory>

I feel like this is too easy, but seems to be working fine.

Also note that I am explicitly redirecting HTTP instead of "not HTTPS".

爷的心禁止访问
#5 · 2019-01-04 07:15

This is an easy solution:

  1. ssh into your EC2 instance
  2. copy the contents of /etc/httpd/conf.d/wsgi.conf into a local file called wsgi.conf which will be placed in the base folder of your application
  3. Edit the local version of wsgi.conf and add the following redirect rules within the <VirtualHost> </VirtualHost> tags

    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule !/status https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
    
  4. Change the “/status” to whatever page you are using as a health check page.

  5. Save the file
  6. Edit your <app>.conf file inside your .ebextensions directory to add a container command to copy this version of wsgi.conf over Amazon’s version

    container_commands:
      01_syncdb:
        command: "django-admin.py syncdb --noinput"
        leader_only: true
      02_collectstatic:
        command: "django-admin.py collectstatic --noinput"
      03_wsgireplace:
        command: 'cp wsgi.conf ../wsgi.conf'
      ...
    
  7. Deploy the code.

  8. The deployed version of wsgi.conf at /etc/httpd/conf.d/wsgi.conf will now include the necessary redirect rules.

It should work and the file will be properly updated for each deployment. The only thing to watch for is if Amazon changes their base wsgi.conf file contents in the future, then your copy may no longer work.

Author: rickchristianson

Ridiculous、
#6 · 2019-01-04 07:16

I needed to enforce HTTPS only for our production environment, and not for the development and staging ones which are also on Elastic Beanstalk but do not use a load balancer (and therefore cannot be assigned a certificate directly).

I use an environment variable USE_HTTPS. We copy the ssl_rewrite.conf file if and only if USE_HTTPS is set to true.

.ebextensions/files/ssl_rewrite.conf

RewriteEngine On
<If "-n '%{HTTP:X-Forwarded-Proto}' && %{HTTP:X-Forwarded-Proto} != 'https'">
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</If>

.ebextensions/https.config

files:
  "/home/ec2-user/https_setup.sh":
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/bin/bash

      echo "USE_HTTPS env var: ${USE_HTTPS,,}"
      outfile=/etc/httpd/conf.d/ssl_rewrite.conf
      if [ "${USE_HTTPS,,}" == "true" ]; then
        echo "Configure SSL rewrite"
        cp .ebextensions/files/ssl_rewrite.conf $outfile
        chmod 644 $outfile
        chown root:root $outfile
      else
        [ -f $outfile ] && rm $outfile
        echo "Do not use SSL"
        exit 0
      fi

container_commands:
  01_https_setup:
    command: "/home/ec2-user/https_setup.sh"

Note that if you change USE_HTTPS, you need to redeploy your application for the change to take effect. You can also remove the echo commands in the https.config file if you wish.
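
As an added illustration (not part of any post on this page and not AWS code), this Python model evaluates the rewrite conditions posted in the question and answers against requests as the instance sees them, including the redirect loop from the question. It assumes the load balancer terminates TLS and forwards both listeners to instance port 80; the request samples and all helper names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    server_port: int                      # port Apache accepted the connection on
    headers: dict = field(default_factory=dict)

    def xfp(self):
        return self.headers.get("X-Forwarded-Proto", "")

def via_elb(scheme):
    # Assumption: the load balancer terminates TLS and forwards both listeners
    # to instance port 80, setting X-Forwarded-Proto to the client's scheme.
    return Request(80, {"X-Forwarded-Proto": scheme, "User-Agent": "Mozilla/5.0"})

def health_check():
    # Constructed sample: the checker talks to the instance itself, no X-Forwarded-Proto.
    return Request(80, {"User-Agent": "ELB-HealthChecker/1.0"})

def direct():
    # Constructed sample: plain HTTP to an environment without a load balancer.
    return Request(80, {"User-Agent": "Mozilla/5.0"})

# Each entry models one condition from this page; True means "redirect to https://".
RULES = {
    "SERVER_PORT 80": lambda r: r.server_port == 80,
    "XFP !https, UA !ELB-HealthChecker": lambda r: "https" not in r.xfp()
        and "ELB-HealthChecker" not in r.headers.get("User-Agent", ""),
    "XFP ^http$": lambda r: r.xfp() == "http",
    "<If -n XFP && XFP != 'https'>": lambda r: r.xfp() != "" and r.xfp() != "https",
}

def follow(rule, req, max_hops=5):
    """Follow redirects like a browser; every retry arrives over HTTPS via the ELB."""
    for hops in range(max_hops):
        if not rule(req):
            return "served" if hops == 0 else f"served after {hops} redirect(s)"
        req = via_elb("https")
    return "redirect loop"

def evaluate(name):
    rule = RULES[name]
    return {
        "http": follow(rule, via_elb("http")),
        "https": follow(rule, via_elb("https")),
        "health check": "redirected" if rule(health_check()) else "200",
        "no load balancer": "redirected" if rule(direct()) else "served",
    }

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:36} {evaluate(name)}")
```

The `SERVER_PORT 80` condition loops because the instance port never changes after TLS termination, while the header-based conditions differ only in how they treat requests that carry no `X-Forwarded-Proto` at all.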

冷血范
#7 · 2019-01-04 07:18

Please note that the most voted answer is a bit old now. The answer by A Paul is actually the correct answer. The link provided in his answer is by AWS (so it is the recommended method to override your Apache configuration to make the redirection from HTTP to HTTPS when running your application on Elastic Beanstalk).

There is one very important thing to note. If you are deploying more than 1 web app, then adding the .ebextensions folder inside one of your web apps is not going to work. You will notice that none of the configurations you specified are being written or created. If you are deploying multiple web apps on an Elastic Beanstalk environment, then you will need to read this article by AWS: Java Tomcat Deploy Multiple WAR files on Elastic Beanstalk

In general, you will need to have the following structure before you issue the eb command on it to deploy the WAR files:

MyApplication.zip
├── .ebextensions
├── foo.war
├── bar.war
└── ROOT.war

If the .ebextensions folder exists inside each WAR file, then you will notice that it is completely ignored and no configuration changes will be performed.

Hope this helps someone else.
