HTTPS redirect for an Elastic Beanstalk environment with Puma and Rails 5

Time: 2021-08-16 11:46:25

I am unable to redirect http://example.com to https://example.com. I tried various configurations but nothing works.

Based on the research, I have realized that I need to add this to nginx config.

if ($http_x_forwarded_proto != 'https') {
  rewrite ^ https://$host$request_uri? permanent;
}

I created a new config file in the .ebextensions directory with the following content:

upstream my_app {
  server unix:///var/run/puma/my_app.sock;
}

log_format healthd '$msec"$uri"'
                '$status"$request_time"$upstream_response_time"'
                '$http_x_forwarded_for';

server {
  listen 80;
  server_name _ localhost; # need to listen to localhost for worker tier

  if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
    set $year $1;
    set $month $2;
    set $day $3;
    set $hour $4;
  }

  access_log  /var/log/nginx/access.log  main;
  access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;

  location / {
    proxy_pass http://my_app; # match the name of upstream directive which is defined above
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  location /assets {
    alias /var/app/current/public/assets;
    gzip_static on;
    gzip on;
    expires max;
    add_header Cache-Control public;
  }

  location /public {
    alias /var/app/current/public;
    gzip_static on;
    gzip on;
    expires max;
    add_header Cache-Control public;
  }
}

Save it and do

  1. eb deploy
  2. Go to http://example.com

I still get the "unsure" message.

I also used the content as is from this. But that does not work either.

What am I missing?

Sunil

2 solutions

#1


1  

Nowhere in your code do I see a listen to 443 which is the HTTPS.

This is my SSL script.

upstream puma_production {
  server unix:/home/deploy/games.directory/shared/tmp/sockets/puma.sock fail_timeout=0;
}

server {
  listen 80;

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443;
  server_name games.directory;
  root /home/deploy/games.directory/current/public;
  try_files $uri/index.html $uri @puma_production;

  ssl on;
  ssl_certificate '';
  ssl_certificate_key '';
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers '';
  ssl_prefer_server_ciphers on;

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/letsencrypt/live/games.directory/chain.pem;

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;

  location @puma_production {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://puma_production;

    access_log /home/deploy/games.directory/shared/log/nginx.access.log;
    error_log /home/deploy/games.directory/shared/log/nginx.error.log;
  }

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  if ($request_method !~ ^(GET|HEAD|PUT|PATCH|POST|DELETE|OPTIONS)$ ){
    return 405;
  }
}

#2


0  

Use EB file keys to customise for nginx conf generation template. http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html

Create a file .ebextensions/01_puma_nginx.conf (Configuration files are executed in alphabetical order, so tweak name prefix based on additional requirements) with following content.

files:
  "/opt/elasticbeanstalk/support/conf/nginx_config.erb":
    mode: "000644"
    owner: root
    group: root
    content: |
      Paste your custom nginx configuration template content here....

Instead of building your own template and breaking things, check the existing template in the current instance and tweak only the required things (here just your http redirection part).

Well, if this seems a little complicated, you can use the Rails force_ssl option by checking the 'X-Forwarded-Proto' header.

  force_ssl if: :ssl_required?

  def ssl_required?
    if request.headers["X-Forwarded-Proto"]!="https"
      true
    else
      false
    end
  end
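
The `X-Forwarded-Proto` check from the question and the second answer, written out as a standalone Rack-style middleware so the redirect decision can be exercised without a load balancer. This is an added example, not code from the question or either answer; the host allowlist, the `/health` path and all class and helper names are assumptions. It also pins the redirect target to known hostnames rather than echoing the request's Host header.

```ruby
# Added example: Rack-style middleware in plain Ruby (no gems required).
# ALLOWED_HOSTS and HEALTH_PATH are assumed values, not taken from the page.
ALLOWED_HOSTS = %w[example.com www.example.com].freeze
HEALTH_PATH   = "/health" # hypothetical load balancer health check path

class ForwardedProtoRedirect
  def initialize(app, allowed_hosts: ALLOWED_HOSTS, health_path: HEALTH_PATH)
    @app = app
    @allowed_hosts = allowed_hosts
    @health_path = health_path
  end

  def call(env)
    # Health checks reach the instance over plain HTTP; redirecting them
    # would make the instance look unhealthy.
    return @app.call(env) if env["PATH_INFO"] == @health_path
    return @app.call(env) if forwarded_https?(env)

    [301, { "Location" => https_url(env), "Content-Type" => "text/plain" }, ["Moved\n"]]
  end

  private

  # Fail closed: a missing header or any value other than "https"
  # is treated as plain HTTP and redirected.
  def forwarded_https?(env)
    env["HTTP_X_FORWARDED_PROTO"].to_s.strip.downcase == "https"
  end

  # The Host header is client-controlled, so the redirect target is only
  # built from it when it matches the allowlist; otherwise use the first entry.
  def https_url(env)
    host = env["HTTP_HOST"].to_s.downcase.sub(/:\d+\z/, "")
    host = @allowed_hosts.first unless @allowed_hosts.include?(host)
    url = "https://#{host}#{env['PATH_INFO']}"
    query = env["QUERY_STRING"].to_s
    query.empty? ? url : "#{url}?#{query}"
  end
end

# Constructed sample application and request environments for trying it out.
INNER_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
APP = ForwardedProtoRedirect.new(INNER_APP)

def sample_env(proto:, host: "example.com", path: "/games", query: "")
  env = { "HTTP_HOST" => host, "PATH_INFO" => path, "QUERY_STRING" => query }
  env["HTTP_X_FORWARDED_PROTO"] = proto if proto
  env
end
```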
