如何使用Rails,AWS Elastic Beanstalk和Cloudflare实现SSL

时间:2022-08-25 09:19:19

I have a site hosted on Elastic Beanstalk built with Ruby on Rails. I set up Cloudflare to configure the DNS and provide a CDN. Cloudflare also provides an SSL.

我有一个托管在使用Ruby on Rails构建的Elastic Beanstalk上的站点。我设置Cloudflare来配置DNS并提供CDN。 Cloudflare还提供SSL。

I can't get the SSL working with my app.

我无法使用我的应用程序使用SSL。

With Cloudflare's SSL set at "Flexible" I can load my main page but when I try to log in, I get these errors (edited for brevity):

将Cloudflare的SSL设置为“灵活”我可以加载我的主页但是当我尝试登录时,我会收到这些错误(为简洁起见而编辑):

INFO -- :  Started POST "/users/sign_in" for xxx.xxx.146.132 at 2018-03-19 16:45:24 +0000
INFO -- :  Processing by Users::SessionsController#create as HTML
INFO -- :    Parameters: {"utf8"=>"✓", "authenticity_token"=>"f92CTIe5qlp7C624DZzZM2oWdFMcq6PhyfOJI16saV32yugMmJlenL/F3gTeBBsAjaAw92P1vncWBzI+JnK8wA==", "user"=>{"email"=>"test@test.com", "password"=>"[FILTERED]"}, "commit"=>"Log in"}
WARN -- :  HTTP Origin header (https://[MY_URL].com) didn't match request.base_url (http://[MY_URL].com)
INFO -- :  Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms)  
FATAL -- :  ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

If I set Cloudflare's SSL to "Full" I get a 502 error with a Cloudflare-generated page (see image).

如果我将Cloudflare的SSL设置为“Full”,我会在Cloudflare生成的页面上出现502错误(参见图片)。

如何使用Rails,AWS Elastic Beanstalk和Cloudflare实现SSL

I came across this site (http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf) which seems to have the exact same issue but setting to "full" didn't help me.

我发现这个网站(http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf)似乎有完全相同的问题,但设置为“完整”没帮我

I've tried setting config.force_ssl = true in /config/environments/production.rb. That setting would not allow any access to the site. Just shows the same 502 error page from Cloudflare and nothing in my production or nginx logs.

我已经尝试在/config/environments/production.rb中设置config.force_ssl = true。该设置不允许任何访问该网站。只显示来自Cloudflare的相同502错误页面,而我的生产或nginx日志中没有任何内容。

I've tried messing around with custom nginx config's but haven't gotten anywhere. Here is my latest nginx confix attempt:

我已经尝试过使用自定义nginx配置但是没有得到任何地方。这是我最新的nginx confix尝试:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    server {
        listen       80 ;
        listen       [::]:80 ;
        server_name  localhost;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;


        location / {
          proxy_pass        http://localhost;
          proxy_set_header  Host $host;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Proto $scheme;
          proxy_set_header  X-Forwarded-Ssl on; # Optional
          proxy_set_header  X-Forwarded-Port $server_port;
          proxy_set_header  X-Forwarded-Host $host;
        }
        error_page 404 /404.html;
            location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

Can anyone help? I'm sure I'm missing something obvious here.

有人可以帮忙吗?我确定我在这里遗漏了一些明显的东西。

1 个解决方案

#1


-2  

502 Error: This error says that the Cloudfare server is unable to read the response your rails server sends, basically when you select the Full SSL the Cloudflare expects the response to be in SSL but here the rails app send a NON-SSL (HTTP) response which Cloudflare is unable to read.

502错误:此错误表明Cloudfare服务器无法读取您的rails服务器发送的响应,基本上当您选择完整SSL时,Cloudflare希望响应在SSL中,但此处rails应用程序发送NON-SSL(HTTP) Cloudflare无法阅读的回复。

I read the article you shared, looks like rails do not allow flexible SSL for security reasons.

我读了你分享的文章,看起来rails出于安全原因不允许灵活的SSL。

Flexible SSL In flexible SSL you don't need to secure your rails app with SSL Certificate(HTTPS) but your visitors still see the site as being HTTPS enabled.

灵活的SSL在灵活的SSL中,您无需使用SSL证书(HTTPS)保护您的rails应用程序,但您的访问者仍然会将该网站视为启用HTTPS。

如何使用Rails,AWS Elastic Beanstalk和Cloudflare实现SSL

Flexible SSL: secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.

灵活的SSL:访问者与Cloudflare之间的安全连接,但Cloudflare与您的Web服务器之间没有安全连接。您不需要在Web服务器上拥有SSL证书,但访问者仍然会将该站点视为启用HTTPS。

Full SSL
As mentioned in the article if you enable Full SSL, then you need to configure rails config.force_ssl = true to use a Self-signed SSL certificate or you can get a certificate from letsencrypt for free, once you did that you need change your Nginx to run on HTTPS port 443. This should fix the 502 error.

完整SSL如文章中提到的,如果启用完全SSL,则需要配置rails config.force_ssl = true以使用自签名SSL证书,或者您可以免费获得letsencrypt的证书,一旦您这样做,您需要更改您的Nginx在HTTPS端口443上运行。这应该可以解决502错误。

Here is a tutorial on Using HTTPs with Ruby on Rails

这是一个关于在Ruby on Rails上使用HTTPs的教程

如何使用Rails,AWS Elastic Beanstalk和Cloudflare实现SSL

Full SSL: secure connection between your visitor and Cloudflare, and secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a self-signed certificate at least.

完整SSL:访问者与Cloudflare之间的安全连接,以及Cloudflare与您的Web服务器之间的安全连接(但未经过身份验证)。您需要将服务器配置为应答HTTPS连接,至少使用自签名证书。

Image Source

图像来源

#1


-2  

502 Error: This error says that the Cloudfare server is unable to read the response your rails server sends, basically when you select the Full SSL the Cloudflare expects the response to be in SSL but here the rails app send a NON-SSL (HTTP) response which Cloudflare is unable to read.

502错误:此错误表明Cloudfare服务器无法读取您的rails服务器发送的响应,基本上当您选择完整SSL时,Cloudflare希望响应在SSL中,但此处rails应用程序发送NON-SSL(HTTP) Cloudflare无法阅读的回复。

I read the article you shared, looks like rails do not allow flexible SSL for security reasons.

我读了你分享的文章,看起来rails出于安全原因不允许灵活的SSL。

Flexible SSL In flexible SSL you don't need to secure your rails app with SSL Certificate(HTTPS) but your visitors still see the site as being HTTPS enabled.

灵活的SSL在灵活的SSL中,您无需使用SSL证书(HTTPS)保护您的rails应用程序,但您的访问者仍然会将该网站视为启用HTTPS。

如何使用Rails,AWS Elastic Beanstalk和Cloudflare实现SSL

Flexible SSL: secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.

灵活的SSL:访问者与Cloudflare之间的安全连接,但Cloudflare与您的Web服务器之间没有安全连接。您不需要在Web服务器上拥有SSL证书,但访问者仍然会将该站点视为启用HTTPS。

Full SSL
As mentioned in the article if you enable Full SSL, then you need to configure rails config.force_ssl = true to use a Self-signed SSL certificate or you can get a certificate from letsencrypt for free, once you did that you need change your Nginx to run on HTTPS port 443. This should fix the 502 error.

完整SSL如文章中提到的,如果启用完全SSL,则需要配置rails config.force_ssl = true以使用自签名SSL证书,或者您可以免费获得letsencrypt的证书,一旦您这样做,您需要更改您的Nginx在HTTPS端口443上运行。这应该可以解决502错误。

Here is a tutorial on Using HTTPs with Ruby on Rails

这是一个关于在Ruby on Rails上使用HTTPs的教程

如何使用Rails,AWS Elastic Beanstalk和Cloudflare实现SSL

Full SSL: secure connection between your visitor and Cloudflare, and secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a self-signed certificate at least.

完整SSL:访问者与Cloudflare之间的安全连接,以及Cloudflare与您的Web服务器之间的安全连接(但未经过身份验证)。您需要将服务器配置为应答HTTPS连接,至少使用自签名证书。

Image Source

图像来源