问题
我正在尝试在Elastic Beanstalk中的EC2实例上启用HTTPS。我在.ebextensions目录中有一个https-instance.config文件,其中包括停止和启动httpd服务器。原始的容器命令如下(来自这里的AWS文档,在我的问题中也提到了:
container_commands:
01killhttpd:
command: "killall httpd"
02waitforhttpddeath:
command: "sleep 3"
然而,我得到了以下错误,详细信息见cfn-init.log:
2020-08-25 14:51:55,622 [INFO] -----------------------Starting build-----------------------
2020-08-25 14:51:55,631 [INFO] Running configSets: Infra-EmbeddedPostBuild
2020-08-25 14:51:55,634 [INFO] Running configSet Infra-EmbeddedPostBuild
2020-08-25 14:51:55,638 [INFO] Running config postbuild_0_tiny_app
2020-08-25 14:51:55,706 [ERROR] Command 01killhttpd (systemctl restart httpd.service) failed
2020-08-25 14:51:55,706 [ERROR] Error encountered during build of postbuild_0_tiny_app: Command 01killhttpd failed
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 542, in run_config
CloudFormationCarpenter(config, self._auth_config).build(worklog)
File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 260, in build
changes['commands'] = CommandTool().apply(self._config.commands)
File "/usr/lib/python2.7/site-packages/cfnbootstrap/command_tool.py", line 117, in apply
raise ToolError(u"Command %s failed" % name)
ToolError: Command 01killhttpd failed
2020-08-25 14:51:55,706 [ERROR] -----------------------BUILD FAILED!------------------------
2020-08-25 14:51:55,707 [ERROR] Unhandled exception during build: Command 01killhttpd failed
Traceback (most recent call last):
File "/opt/aws/bin/cfn-init", line 171, in <module>
worklog.build(metadata, configSets)
File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 129, in build
Contractor(metadata).build(configSets, self)
File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 530, in build
self.run_config(config, worklog)
File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 542, in run_config
CloudFormationCarpenter(config, self._auth_config).build(worklog)
File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 260, in build
changes['commands'] = CommandTool().apply(self._config.commands)
File "/usr/lib/python2.7/site-packages/cfnbootstrap/command_tool.py", line 117, in apply
raise ToolError(u"Command %s failed" % name)
ToolError: Command 01killhttpd failed
我已尝试从https-instance.config中删除此重新启动,它已生成,但无法连接到HTTPS。我还试图用其他命令替换上面的命令来重新启动httpd服务器,但这些命令导致了与上面的错误几乎相同的错误:
container_commands:
01restart:
command: "systemctl restart httpd"
和
container_commands:
01restartservice:
command: "systemctl restart httpd.service"
问题
如何重新启动httpd服务器以允许HTTPS连接到我的应用程序?
上下文
- 亚马逊Linux 2
- Python 3.7环境中的Flask应用程序
- 使用单个EC2实例,因此没有负载平衡器
- 我只需要用于开发目的
这是我从AWS获得的完整https-instance.config:
packages:
yum:
mod_ssl : []
files:
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /opt/python/run/baselinenv
WSGISocketPrefix run/wsgi
WSGIRestrictEmbedded On
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
Alias /static/ /opt/python/current/app/static/
<Directory /opt/python/current/app/static>
Order allow,deny
Allow from all
</Directory>
WSGIScriptAlias / /opt/python/current/app/application.py
<Directory /opt/python/current/app>
Require all granted
</Directory>
WSGIDaemonProcess wsgi-ssl processes=1 threads=15 display-name=%{GROUP}
python-path=/opt/python/current/app
python-home=/opt/python/run/venv
home=/opt/python/current/app
user=wsgi
group=wsgi
WSGIProcessGroup wsgi-ssl
</VirtualHost>
/etc/pki/tls/certs/server.crt:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN CERTIFICATE-----
MIID8zCCAtsCFGzyKrXOsCiyLHRPfBG75SlmQyXqMA0GCSqGSIb3DQEBCwUAMIG1
...
PuulTMAZWNXHa0g+XbRTtOQDA8FA0vlA80B+rFUQESSo2Cw5JKXTaL9OpMMG/t9S
qvv+vGuaIw==
-----END CERTIFICATE-----
/etc/pki/tls/certs/server.key:
mode: "000400"
owner: root
group: root
content: |
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA+OYzho7mXLUY6zTTqBIibsk2rfuJIO2xN2moIUNTqzJS8Yv6
...
cSQsBzRR1Z5hl77Qa6gwiDx7rYswWtQt/8zsY8OUB3kg1SqriwI=
-----END RSA PRIVATE KEY-----
container_commands:
01restartservice:
command: "systemctl restart httpd.service"
您的命令失败的原因是在AmazonLinux2上Python 3.7环境中有没有httpd(它是物理安装的,但不是活动的(。您可以通过sshing到实例中并运行:来验证这一点
sudo systemctl status httpd
相反,有nginx和gunicorn作为wsgi。您提供的AWS文档链接适用于Amazon Linux 1,而不是2。
因此,SSL证书和HTTPs应该使用.platform/nginx/conf.d/文件夹中的nginx配置文件进行设置。
您可以将AWS Linux 2配置为使用Apache(httpd(,尽管这不是默认设置。
您可以在创建环境时通过控制台进行设置,也可以在配置文件中使用以下内容:
option_settings:
aws:elasticbeanstalk:environment:proxy:
ProxyServer: apache
如果您正在使用Apache,重新启动它的命令是:
sudo systemctl restart httpd
还要注意的是,在AWS Linux 2上,Apache现在只是转发到由Gunicorn提供服务的localhost:8000,而不是通过modwsgi运行应用程序。
有关在AWS Linux 2上运行的自签名证书的配置文件,请参阅此答案。