I am trying to enable SSL on a single EC2 Linux instance running PHP, but I get a "connection refused" error.
I followed these instructions to enable SSL: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSL.SingleInstance.html
In step 4 I completed the steps for creating the .config file (I made sure the indentation was correct) and placed it in the .ebextensions folder: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/ssl-singleinstance-php.html
I also created a new security group for HTTPS (inbound HTTPS | TCP | 443 | 0.0.0.0/0).
After committing the changes I deployed with aws.push. The deployment succeeded (no errors). However, when I try to load the instance over http and over https, I get a "connection refused" error.
To see whether I could recover from this, I deleted the .config file and redeployed, but I still see the error and the site is currently unreachable.
Do you know what I did wrong? I have read the answers to similar questions but could not find a fix for this problem. I would also like to know how to restore the configuration so that the site comes back.
Here is my config file:
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early

        # inner quotes must be escaped, otherwise httpd fails to parse the directive
        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      -----END RSA PRIVATE KEY-----
Answering my own question, since it may help others:
The problem was the version of the Amazon Linux server (2014 rather than 2015). The config file above does not work on the 2014 server.
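An added check, not part of the question or the answer above: before deploying an ssl.conf like the one in the question, it is worth linting the rendered httpd fragment and the .ebextensions file offline. The Python below is example code written for this page, not AWS or Elastic Beanstalk tooling. It uses a deliberately minimal httpd config parser (comments, sections, double-quoted arguments; not a full parser) and checks the things that turn into "connection refused" or a weak TLS endpoint: a missing global `Listen 443`, a missing `<VirtualHost *:443>`, `SSLEngine` not on, `SSLProtocol All -SSLv2 -SSLv3` (which disables SSLv3 but still permits TLS 1.0 and 1.1), `SSLHonorCipherOrder`, the HSTS header, `X-Forwarded-Proto`, and a `ProxyPass` that forwards plaintext anywhere other than loopback. A second function scans the .ebextensions text for `files:` entries whose content is a PEM private key: the question's config embeds server.key in the source bundle, so the key also sits in version control and in the S3 application-version archive, which is the caveat a practitioner should weigh against the 0400 mode on the instance. Both sample inputs are constructed here from the question's posted config, trimmed to the directives the checks read.

```python
import re
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample: the question's ssl.conf, trimmed to the directives the
# checks below look at (the posted file also has the Proxy block and log lines).
SAMPLE_SSL_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
  SSLEngine on
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  ProxyPass / http://localhost:80/ retry=0
  ProxyPassReverse / http://localhost:80/
  RequestHeader set X-Forwarded-Proto "https" early
</VirtualHost>
"""

# Constructed sample: the key entry of the question's .ebextensions files: section.
SAMPLE_EBEXT = """\
files:
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      placeholder
      -----END RSA PRIVATE KEY-----
"""


def parse_apache(text: str) -> Dict[str, List[Directive]]:
    """Minimal httpd config parser: directives grouped by innermost enclosing
    section ("" = global scope, "VirtualHost *:443" = inside that block)."""
    sections: Dict[str, List[Directive]] = {"": []}
    stack = [""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].strip())
            sections.setdefault(stack[-1], [])
        else:  # split on whitespace, keeping double-quoted arguments whole
            toks = re.findall(r'"((?:[^"\\]|\\.)*)"|(\S+)', line)
            args = [q or u for q, u in toks]
            sections[stack[-1]].append((args[0], args[1:]))
    return sections


def _args(directives: List[Directive], name: str) -> List[List[str]]:
    return [a for n, a in directives if n.lower() == name.lower()]


def _is_on(directives: List[Directive], name: str) -> bool:
    return ["on"] in [[t.lower() for t in a] for a in _args(directives, name)]


def lint_ssl_conf(text: str) -> List[str]:
    """Return findings for a single-instance EB ssl.conf; [] means clean."""
    conf = parse_apache(text)
    out: List[str] = []
    if ["443"] not in _args(conf[""], "Listen"):
        out.append("no 'Listen 443' at global scope: port 443 refuses connections")
    vhost = conf.get("VirtualHost *:443")
    if vhost is None:
        return out + ["no <VirtualHost *:443> block"]
    if not _is_on(vhost, "SSLEngine"):
        out.append("SSLEngine is not 'on' in the 443 vhost")
    protos = [t.lower() for a in _args(vhost, "SSLProtocol") for t in a]
    if "all" in protos or "+all" in protos:
        if "-sslv3" not in protos:
            out.append("SSLProtocol All without -SSLv3: SSLv3 (POODLE) enabled")
        if "-tlsv1" not in protos or "-tlsv1.1" not in protos:
            out.append("SSLProtocol 'All -SSLv2 -SSLv3' still allows TLS 1.0/1.1")
    if not _is_on(vhost, "SSLHonorCipherOrder"):
        out.append("SSLHonorCipherOrder is not On: the client picks the cipher")
    if not any("Strict-Transport-Security" in a for a in _args(vhost, "Header")):
        out.append("no Strict-Transport-Security header")
    if not any(a[:3] == ["set", "X-Forwarded-Proto", "https"]
               for a in _args(vhost, "RequestHeader")):
        out.append("X-Forwarded-Proto https not set: PHP cannot tell it was reached over TLS")
    for a in _args(vhost, "ProxyPass"):
        host = re.sub(r"^\w+://", "", a[1]).split("/")[0].split(":")[0] if len(a) > 1 else ""
        if host not in ("localhost", "127.0.0.1"):
            out.append(f"ProxyPass forwards plaintext to non-loopback host {host!r}")
    return out


def embedded_private_keys(ebext_text: str) -> List[Tuple[str, str]]:
    """(path, mode) for every files: entry whose content is a PEM private key.
    Anything listed ships in the source bundle: VCS and the S3 version archive."""
    found, path, mode = [], None, None
    for line in ebext_text.splitlines():
        m = re.match(r"^\s*(/\S+):\s*$", line)
        if m:
            path, mode = m.group(1), None
        m = re.match(r'^\s*mode:\s*"?([0-7]+)"?', line)
        if m:
            mode = m.group(1)
        if path and line.lstrip().startswith("-----BEGIN") and "PRIVATE KEY" in line:
            found.append((path, mode or "unknown"))
    return found


if __name__ == "__main__":
    for finding in lint_ssl_conf(SAMPLE_SSL_CONF):
        print("ssl.conf:", finding)
    for key_path, key_mode in embedded_private_keys(SAMPLE_EBEXT):
        print(f"private key in bundle: {key_path} (mode {key_mode})")
```

On the question's config the linter reports only the TLS 1.0/1.1 finding, and the bundle scan reports server.key with mode 000400. Note what the check cannot see: a YAML indentation error in the .config file, or a package name that does not exist on the instance's Amazon Linux release, surfaces only in the deployment logs (/var/log/eb-activity.log and /var/log/httpd/error_log on the instance), which is where a "connection refused" after a "successful" deployment should be investigated first.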