HTTPS setup on an Amazon EC2 instance
How do I enable HTTPS on an Amazon EC2 instance? Our website currently runs over HTTP and does not offer a secure connection. I need some advice from others.
Comments (9)
First, you need to open the HTTPS port (443). To do that, go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group that also has HTTPS allowed. Then just update the security group of a running instance, or create a new instance using that group.
After these steps, your EC2 work is finished, and the rest is an application problem.
This answer is focused on someone who bought a domain on another site (such as GoDaddy) and wants to use the free Amazon certificate with Certificate Manager.
This answer uses the Amazon Classic Load Balancer (paid); check the pricing before using it.
Step 1 - Request a certificate with Certificate Manager
Go to Certificate Manager > Request Certificate > Request a public certificate
On Domain name, add
myprojectdomainname.com
and *.myprojectdomainname.com
and go on Next. Choose Email validation and Confirm and Request.
Open the email that you have received (on the email account with which you bought the domain) and approve the request.
After this, check that the validation status of
myprojectdomainname.com
and *.myprojectdomainname.com
is success; if it is, you can continue to Step 2.
Step 2 - Create a Security Group for the Load Balancer
On EC2 go to Security Groups > Create a Security Group and add HTTP and HTTPS inbound.
It will be something like:
Step 3 - Create the Load Balancer
EC2 > Load Balancer > Create Load Balancer > Classic Load Balancer (third option)
Create LB inside: the VPC of your project
On Load Balancer Protocol add HTTP and HTTPS
Next > Select existing security group
Choose the security group that you created in the previous step
Next > Choose certificate from ACM
Select the certificate from Step 1
Next >
On Health check I've used the ping path / (one slash instead of /index.html)
Step 4 - Associate your instance with the security group of the load balancer
EC2 > Instances > click on your project > Actions > Networking > Change Security Groups
Add the Security Group of your Load Balancer
Step 5
EC2 > Load Balancer > click on the load balancer that you have created > copy the DNS Name (A Record); it will be something like
myproject-2021611191.us-east-1.elb.amazonaws.com
Go to Route 53 > Hosted Zones > click on the domain name > Go to Record Sets
(If you don't have your domain here, create a hosted zone with
Domain Name: myprojectdomainname.com
and Type: Public Hosted Zone
). Check whether you have a record of type A (probably not); create/edit a record set with an empty name, type A, alias Yes, and target the DNS name that you copied.
Also create a new Record Set of type A, name
*.myprojectdomainname.com
, alias Yes, and target your domain (myprojectdomainname.com). This makes it possible to access your site as www.myprojectdomainname.com and subsite.myprojectdomainname.com. Note: you will need to configure your reverse proxy (Nginx/Apache) to do so.
On NS, copy the 4 Name Server values to use in the next step; they will be something like:
ns-362.awsdns-45.com
ns-1558.awsdns-02.co.uk
ns-737.awsdns-28.net
ns-1522.awsdns-62.org
Go to EC2 > Instances > and copy the IPv4 Public IP too
Step 6
On the domain registrar site where you bought the domain (in my case GoDaddy)
Change the routing to
http : <Your IPv4 Public IP Number>
and select Forward with masking. Change the Name Servers (NS) to the 4 NS that you copied; this can take 48 hours to take effect.
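The first two answers both come down to which security groups allow what: the first opens 443 on the instance's group, the second creates a group for the Classic Load Balancer with HTTP and HTTPS inbound and attaches it to the instance. The script below is an added example, not code from either answer. It audits security groups offline in the dict shape returned by `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`), checking that the internet-facing group exposes only tcp/80 and tcp/443 to the world and actually includes 443, and that the instance's own group takes application traffic only from the load balancer's group rather than from 0.0.0.0/0, so nothing can reach the instance around the TLS listener. The group IDs, names and rules are constructed for illustration.

```python
"""Offline audit of EC2 security groups for a web app served over HTTPS.

Added example, not code from the original answers. It works on the dict
shape returned by `aws ec2 describe-security-groups` / boto3
describe_security_groups()['SecurityGroups'][i], so the constructed sample
groups below (all IDs hypothetical) can be swapped for real output.
"""
from typing import Dict, List

WEB_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def cidr_sources(rule: Dict) -> List[str]:
    """IPv4 and IPv6 CIDR sources of one IpPermissions entry."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def group_sources(rule: Dict) -> List[str]:
    """Security-group IDs used as sources (UserIdGroupPairs)."""
    return [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]


def describe(rule: Dict) -> str:
    # "-1" rules carry no FromPort/ToPort in the API output.
    if rule.get("IpProtocol") == "-1":
        return "all protocols/ports"
    return f"{rule['IpProtocol']}/{rule['FromPort']}-{rule['ToPort']}"


def is_single_web_port(rule: Dict) -> bool:
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == rule.get("ToPort")
            and rule.get("FromPort") in WEB_PORTS)


def audit_public_group(group: Dict) -> List[str]:
    """Internet-facing group (the load balancer's): only tcp/80 and tcp/443
    may be open to the world, and 443 must actually be there."""
    gid, findings, open_web = group["GroupId"], [], set()
    for rule in group.get("IpPermissions", []):
        for src in cidr_sources(rule):
            if src not in ANYWHERE:
                continue
            if is_single_web_port(rule):
                open_web.add(rule["FromPort"])
            else:
                findings.append(f"{gid}: {describe(rule)} open to {src}")
    if 443 not in open_web:
        findings.append(f"{gid}: tcp/443 is not open, HTTPS will be unreachable")
    return findings


def audit_instance_group(group: Dict, lb_group_id: str) -> List[str]:
    """Instance group: application traffic must arrive only from the load
    balancer's group, so nothing bypasses the TLS listener; nothing world-open."""
    gid, findings, from_lb = group["GroupId"], [], False
    for rule in group.get("IpPermissions", []):
        desc = describe(rule)
        for src in cidr_sources(rule):
            if src in ANYWHERE:
                findings.append(f"{gid}: {desc} open to {src}, bypasses the load balancer")
            elif is_single_web_port(rule):
                findings.append(f"{gid}: {desc} from CIDR {src}, should reference {lb_group_id}")
        if lb_group_id in group_sources(rule):
            from_lb = True
    if not from_lb:
        findings.append(f"{gid}: no rule sources traffic from {lb_group_id}")
    return findings


def world_rule(port: int) -> Dict:
    """One tcp port open to everyone, in API shape (constructed sample)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}


LB_GROUP_ID = "sg-0a1b2c3d4e5f60001"  # hypothetical
LB_GROUP = {"GroupId": LB_GROUP_ID, "GroupName": "web-lb",
            "IpPermissions": [world_rule(80), world_rule(443)]}
# A public group that forgot 443 (the situation in the question).
LB_GROUP_NO_TLS = {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "web-lb-http-only",
                   "IpPermissions": [world_rule(80)]}
# Instance that simply reuses the world-open rules, plus SSH to the world.
INSTANCE_OPEN = {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web-instance-open",
                 "IpPermissions": [world_rule(80), world_rule(443), world_rule(22)]}
# Instance that accepts port 80 only from the load balancer's group.
INSTANCE_TIGHT = {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web-instance",
                  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                     "IpRanges": [], "Ipv6Ranges": [],
                                     "UserIdGroupPairs": [{"GroupId": LB_GROUP_ID,
                                                           "UserId": "123456789012"}]}]}

if __name__ == "__main__":
    for g in (LB_GROUP, LB_GROUP_NO_TLS):
        print(g["GroupName"], audit_public_group(g) or "ok")
    for g in (INSTANCE_OPEN, INSTANCE_TIGHT):
        print(g["GroupName"], audit_instance_group(g, LB_GROUP_ID) or "ok")
```

To run it against real groups, feed each element of `aws ec2 describe-security-groups --output json` to the two functions; the split between the world-facing group and the instance group is the design point, since attaching the load balancer's group to the instance (as in Step 4 above) leaves the instance reachable directly on 80 and 443 from the internet.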
Amazon EC2 instances are just virtual machines so you would setup SSL the same way you would set it up on any server.
You don't mention what platform you are on, so it's difficult to give any more information.
An old question but worth mentioning another option in the answers.
In case the DNS for your domain has been defined in Amazon Route 53, you can use the Amazon CloudFront service in front of your EC2 instance and attach a free Amazon SSL certificate to it. This way you benefit both from having a CDN for faster content delivery and from securing your domain with HTTPS.
You can also use Amazon API Gateway. Put your application behind API Gateway. Please check this FAQ
There must also be an answer for people who want hassle-free HTTPS on EC2, mainly for demo and testing purposes; one way they can achieve that very fast is:
With my answer here which describes How you can achieve https for testing purposes in minutes with EC2 without the hassle of creating certificates
One of the best resources I found was using Let's Encrypt; you do not need an ELB or CloudFront for your EC2 instance to have HTTPS, just follow these simple instructions:
Let's Encrypt
Log in to your server and follow the steps in the link.
It is also important, as mentioned by others, that you have port 443 opened by editing your security groups.
You can view your certificate, or any other website's, by changing the site name in this link.
Please do not forget that it is only valid for 90 days.
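Once Let's Encrypt (or ACM) has issued the certificate, the checks a practitioner wants are the ones the answer above points at: does the chain verify, does the certificate cover the hostnames (including a wildcard), and how long until the 90-day certificate expires. The following is an added example, not part of the answer or of Let's Encrypt's tooling. `check_endpoint` performs a real TLS handshake with hostname verification and needs network access; the decision logic in `evaluate` works on the dict that `ssl.SSLSocket.getpeercert()` returns and is exercised on a constructed sample certificate whose names and dates are illustrative. The 30-day threshold mirrors certbot's default renewal window.

```python
"""Check a live HTTPS endpoint after a Let's Encrypt / ACM setup.

Added example, not from the original answer. `check_endpoint` talks to a real
server; `evaluate` is pure and works on the getpeercert() dict, so it can be
tested offline on the constructed SAMPLE_CERT below.
"""
import socket
import ssl
import sys
import time
from typing import Dict, List, Optional, Tuple

RENEW_WITHIN_DAYS = 30  # certbot renews when fewer than 30 days remain


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole leftmost label, one label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covers_host(cert: Dict, host: str) -> bool:
    """True if any DNS subjectAltName entry matches host."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(san_matches(n, host) for n in names)


def days_remaining(cert: Dict, now: Optional[float] = None) -> float:
    """Days until notAfter, negative once expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def evaluate(cert: Dict, host: str, now: Optional[float] = None) -> List[str]:
    """Problems found; an empty list means the certificate is fine for host."""
    problems = []
    if not covers_host(cert, host):
        problems.append(f"certificate does not cover {host}")
    left = days_remaining(cert, now)
    if left < 0:
        problems.append(f"certificate expired {-left:.1f} days ago")
    elif left < RENEW_WITHIN_DAYS:
        problems.append(f"only {left:.1f} days left, renew now")
    return problems


def check_endpoint(host: str, port: int = 443,
                   timeout: float = 5.0) -> Tuple[Dict, List[str]]:
    """Handshake with the default context (chain + hostname verification on).
    An unverifiable chain raises ssl.SSLCertVerificationError here, which is
    the correct outcome for a misconfigured server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert, evaluate(cert, host)


# Constructed sample in getpeercert() shape; 90-day lifetime like Let's Encrypt.
SAMPLE_CERT = {
    "subject": ((("commonName", "myprojectdomainname.com"),),),
    "subjectAltName": (("DNS", "myprojectdomainname.com"),
                       ("DNS", "*.myprojectdomainname.com")),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
}
# A point in time 29 days before expiry, inside the renewal window.
SAMPLE_NOW = ssl.cert_time_to_seconds("May  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        cert, problems = check_endpoint(sys.argv[1])
        print(cert.get("notAfter"), problems or "ok")
    else:
        print(evaluate(SAMPLE_CERT, "www.myprojectdomainname.com", SAMPLE_NOW))
```

Run with a hostname argument to check a live server; with no argument it evaluates the sample and reports that renewal is due. A wildcard SAN covers `www.myprojectdomainname.com` but not `a.b.myprojectdomainname.com`, which is why the second-level record set in the load-balancer answer works and a deeper subdomain would not.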
You need to register a domain (on GoDaddy, for example) and put a load balancer in front of your EC2 instance, as DigaoParceiro said in his answer.
The issue is that the domains Amazon generates for your EC2 instances are ephemeral. Today the domain belongs to you; tomorrow it may not.
For that reason, Let's Encrypt throws an error when you try to register a certificate on an Amazon-generated domain, which states:
The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
More details about this here:
https://community.letsencrypt.org/t/policy-forbids-issuing-for-name-on-amazon-ec2-domain/12692/4
Use Elastic Load Balancing; it supports SSL termination at the load balancer, including offloading SSL decryption from application instances and providing centralized management of SSL certificates.