1. 首頁
  2. 問答
  3. AWS ELB - >使用自簽名證書的HTTPS後端服務器

AWS ELB - >使用自簽名證書的HTTPS後端服務器

2016-03-23 39 views
12

我已經有適當的HTTPS來終止我AWS AWS的外部HTTPS連接。我現在試圖通過使用帶有自簽名證書的HTTPS來確保我的ELB與EC2上的後端NGINX服務器之間的連接。我遵循the documentation,但通過HTTPS訪問服務器導致408 HTTP超時。我似乎無法獲得任何調試信息來確定事情失敗的地方。AWS ELB - >使用自簽名證書的HTTPS後端服務器

  • 我已確認安全組允許EC2上的ELB和NGINX之間的連接。
  • 我已經確認VPC允許在ELB和EC2節點之間路由流量(HTTP也可以正常工作)。
  • 我已經證實,EC2節點上的HTTPS監聽器正在工作(我可以直接打W/O要去ELB。
  • 我創建類型PublicKeyPolicyType的ELB政策,以及相關的我的公鑰。
  • 我創建tyep BackendServerAuthenticationPolicyType的ELB政策,並與PublicKeyPolicyType有關吧。
  • 我曾與與ELB相關的BackendServerAuthenticationPolicyType。
  • 我已經確保了SSLNegotiationPolicyType支持我指定的算法和密碼在我的NGINX配置中。
  • 我在NGINX訪問日誌中看到HTTP請求,但看不到HTTPS請求。

有什麼辦法可以得到任何額外的診斷信息來測試這個嗎?

這裏是我的ELB配置:

$ aws elb describe-load-balancers --load-balancer-name <MY-ELB-NAME> 

{ 
    "LoadBalancerDescriptions": [ 
     { 
      "Subnets": [ 
       "<REDACTED>", 
       "<REDACTED>", 
       "<REDACTED>" 
      ], 
      "CanonicalHostedZoneNameID": "<REDACTED>", 
      "VPCId": "<REDACTED>", 
      "ListenerDescriptions": [ 
       { 
        "Listener": { 
         "InstancePort": 80, 
         "LoadBalancerPort": 80, 
         "Protocol": "HTTP", 
         "InstanceProtocol": "HTTP" 
        }, 
        "PolicyNames": [] 
       }, 
       { 
        "Listener": { 
         "InstancePort": 443, 
         "SSLCertificateId": "<REDACTED>", 
         "LoadBalancerPort": 443, 
         "Protocol": "HTTPS", 
         "InstanceProtocol": "HTTPS" 
        }, 
        "PolicyNames": [ 
         "ELBSecurityPolicy-2015-05" 
        ] 
       } 
      ], 
      "HealthCheck": { 
       "HealthyThreshold": 2, 
       "Interval": 30, 
       "Target": "HTTP:80/health", 
       "Timeout": 10, 
       "UnhealthyThreshold": 2 
      }, 
      "BackendServerDescriptions": [ 
       { 
        "InstancePort": 443, 
        "PolicyNames": [ 
         "MyBackendServerAuthenticationPolicy" 
        ] 
       } 
      ], 
      "Instances": [ 
       { 
        "InstanceId": "<REDACTED>" 
       } 
      ], 
      "DNSName": "<REDACTED>.us-west-2.elb.amazonaws.com", 
      "SecurityGroups": [ 
       "<GROUP_ID>" 
      ], 
      "Policies": { 
       "LBCookieStickinessPolicies": [], 
       "AppCookieStickinessPolicies": [], 
       "OtherPolicies": [ 
        "ELBSecurityPolicy-2015-05", 
        "MyBackendServerAuthenticationPolicy", 
        "MyPublicKeyPolicy" 
       ] 
      }, 
      "LoadBalancerName": "<MY-ELB-NAME>", 
      "CreatedTime": "2016-03-23T20:58:49.490Z", 
      "AvailabilityZones": [ 
       "us-west-2a", 
       "us-west-2b", 
       "us-west-2c" 
      ], 
      "Scheme": "internal", 
      "SourceSecurityGroup": { 
       "OwnerAlias": "<REDACTED>", 
       "GroupName": "<GROUP_NAME>" 
      } 
     } 
    ] 
}

這裏是我的ELB政策:

$ aws elb describe-load-balancer-policies --load-balancer-name <MY-ELB-NAME> 
{ 
    "PolicyDescriptions": [ 
     { 
      "PolicyAttributeDescriptions": [ 
       { 
        "AttributeName": "Reference-Security-Policy", 
        "AttributeValue": "ELBSecurityPolicy-2015-05" 
       }, 
       ... 
       { 
        "AttributeName": "Protocol-TLSv1.2", 
        "AttributeValue": "true" 
       }, 
       ... 
       { 
        "AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", 
        "AttributeValue": "true" 
       }, 
       ... 
      ], 
      "PolicyName": "ELBSecurityPolicy-2015-05", 
      "PolicyTypeName": "SSLNegotiationPolicyType" 
     }, 
     { 
      "PolicyAttributeDescriptions": [ 
       { 
        "AttributeName": "PublicKeyPolicyName", 
        "AttributeValue": "MyPublicKeyPolicy" 
       } 
      ], 
      "PolicyName": "MyBackendServerAuthenticationPolicy", 
      "PolicyTypeName": "BackendServerAuthenticationPolicyType" 
     }, 
     { 
      "PolicyAttributeDescriptions": [ 
       { 
        "AttributeName": "PublicKey", 
        "AttributeValue": "<REDACTED>" 
       } 
      ], 
      "PolicyName": "MyPublicKeyPolicy", 
      "PolicyTypeName": "PublicKeyPolicyType" 
     } 
    ] 
}

這裏是我的NGINX配置:

worker_processes 10; 
worker_rlimit_nofile 8192; 
events { 
    worker_connections 4096; 
} 

error_log syslog:server=unix:/dev/log error; 
pid  logs/nginx.pid; 

http { 
    default_type application/octet-stream; 

    log_subrequest on; 
    access_log syslog:server=unix:/dev/log,severity=debug extended; 

    tcp_nodelay on; 
    tcp_nopush  on; 

    server_tokens off; 

    upstream api { 
    server localhost:8080; 
    } 

    server { 
    listen 80 default_server; 
    listen [::]:80 default_server; 

    location/{ 
     # Redirect all other HTTP requests to HTTPS with a 301 Moved Permanently response. 
     return 301 https://$host$request_uri; 
    } 
    } 

    server { 
    listen 443 ssl; 
    listen [::]:443 ssl; 

    ssl_certificate /path/to/ssl.crt; 
    ssl_certificate_key /path/to/ssl.key; 
    ssl_session_timeout 1d; 
    ssl_session_cache shared:SSL:50m; 
    ssl_session_tickets off;ECDHE 

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits 
    ssl_dhparam /path/to/dhparam.pem; 

    # modern configuration. tweak to your needs. 
    # See: https://mozilla.github.io/server-side-tls/ssl-config-generator/ 
    ssl_protocols TLSv1.2; 
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; 
    ssl_prefer_server_ciphers on; 

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;"; 

    # Our main location to proxy everything else to the upstream 
    # server, but with the added logic for enforcing HTTPS. 
    location/{ 
     proxy_http_version 1.1; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
     proxy_set_header Host $http_host; 
     proxy_redirect off; 
     proxy_next_upstream error; 

     proxy_pass http://api; 
    } 
    } 
}

我生成密鑰/證書使用以下命令:

$ openssl genrsa \ 
    -out /path/to/ssl.key 2048 
$ openssl req \ 
    -sha256 \ 
    -new \ 
    -key /path/to/ssl.key \ 
    -out /path/to/ssl.csr 
$ openssl x509 \ 
    -req \ 
    -days 365 \ 
    -in /path/to/ssl.csr \ 
    -signkey /path/to/ssl.key \ 
    -out /path/to/ssl.crt 
$ openssl dhparam -out /path/to/dhparam.pem 2048

來源

2016-03-23 jsears

+1

您是否因符合性原因(PCI/HIPAA/etc)而這樣做,還是僅僅因爲您認爲您需要它? ELB和Web服務器之間的網絡流量將包含在您的VPC中,因此只有當攻擊者訪問VPC中的服務器時纔會受到影響。除非您對「運動加密」有法律要求,否則通常認爲SSL對ELB是足夠好的。 –

+0

是的,我們有加密流量的法律要求,這是一個很好的做法。 – jsears

+0

設置爲「HTTPS」的監聽器的「實例協議」設置(在控制檯中)? HTTPS和443需要設置在該屏幕的左側和右側,並且右側默認爲HTTP ...我不知道如果不是這樣會導致408會導致什麼。 –

回答

5

將一些非EC DHE密碼添加到NGINX配置爲我解決了這個問題。我改了以下配置的HTTPS監聽器在nginx.conf:

# intermediate configuration. tweak to your needs. 
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

我想刪除所有非歐共體DHE密碼和僅支持ECDHE。我懷疑這解決了這個問題,因爲我生成的是RSA密鑰/證書而不是EC密鑰/證書。如果有人知道如何正確生成EC密鑰/證書,然後正確提取EC公鑰以上傳到AWS,請改進我的回答。我試圖生成EC密鑰/證書,但是當我嘗試創建ELB公鑰策略時,AWS會將其報告爲無效公鑰。

來源

2016-03-24 18:50:23 jsears

+1

您是否可以更新信息以包含用於創建和上傳EC密鑰/證書的說明/命令,以及嘗試上傳EC密鑰/證書時從AWS返回的確切錯誤/響應? – Castaglia

+1

這對我有用。我之前使用的是「Mozilla Modern」SSL配置,在切換到「Intermediate」時一切正常。所有現代密碼以「ECDHE-」開頭,而中間包括一些「DHE-」,「AES128-」,「AES256-」和「EDH-」。我還沒有深入瞭解哪些AWS ELB實際正在使用。 – notpeter

+0

謝謝 - 有同樣的問題,需要密碼。 – Brett

相關問題

 相關問題