AWS Elastic Beanstalk
开发人员指南
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

在运行 .NET 的 Amazon EC2 实例上终止 HTTPS

以下配置文件将创建并运行一个 Windows PowerShell 脚本,该脚本用于执行以下任务:

  • 检查现有 HTTPS 证书是否已绑定到端口 443

  • 从 Amazon S3 存储桶获取 PFX 证书和密码

    注意

    aws-elasticbeanstalk-ec2-role 中添加 AmazonS3ReadOnlyAccess 策略,用来访问 Amazon S3 存储桶中的 SSL 证书和密码文件。

  • 安装证书

  • 将证书绑定到端口 443

    注意

    要删除 HTTP 终端节点(端口 80),请在示例的删除 HTTP 绑定 部分中包括 Remove-WebBinding 命令。

例 .ebextensions/https-instance-dotnet.config

files: "C:\\certs\\install-cert.ps1": content: | import-module webadministration ## Settings - replace the following values with your own $bucket = "my-bucket" ## S3 bucket name $certkey = "example.com.pfx" ## S3 object key for your PFX certificate $pwdkey = "password.txt" ## S3 object key for a text file containing the certificate's password ## # Set variables $certfile = "C:\cert.pfx" $pwdfile = "C:\certs\pwdcontent" Read-S3Object -BucketName $bucket -Key $pwdkey -File $pwdfile $pwd = Get-Content $pwdfile -Raw # Clean up existing binding if ( Get-WebBinding "Default Web Site" -Port 443 ) { Echo "Removing WebBinding" Remove-WebBinding -Name "Default Web Site" -BindingInformation *:443: } if ( Get-Item -path IIS:\SslBindings\0.0.0.0!443 ) { Echo "Deregistering WebBinding from IIS" Remove-Item -path IIS:\SslBindings\0.0.0.0!443 } # Download certificate from S3 Read-S3Object -BucketName $bucket -Key $certkey -File $certfile # Install certificate Echo "Installing cert..." $securepwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText $cert = Import-PfxCertificate -FilePath $certfile cert:\localMachine\my -Password $securepwd # Create site binding Echo "Creating and registering WebBinding" New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https New-Item -path IIS:\SslBindings\0.0.0.0!443 -value $cert -Force ## Remove the HTTP binding ## (optional) Uncomment the following line to unbind port 80 # Remove-WebBinding -Name "Default Web Site" -BindingInformation *:80: ## # Update firewall netsh advfirewall firewall add rule name="Open port 443" protocol=TCP localport=443 action=allow dir=OUT commands: 00_install_ssl: command: powershell -NoProfile -ExecutionPolicy Bypass -file C:\\certs\\install-cert.ps1

在单实例环境中,您还必须修改实例的安全组,以便允许端口 443 上的流量。以下配置文件使用 AWS CloudFormation 函数检索安全组的 ID,并向其中添加规则。

例 .ebextensions/https-instance-single.config

Resources: sslSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]} IpProtocol: tcp ToPort: 443 FromPort: 443 CidrIp: 0.0.0.0/0

对于负载均衡的环境,将负载均衡器配置为保持不变地传输安全流量,或者解密后重新加密,以便实现端到端加密。