其實因為我們在linode的nodebalancers上吃了大虧 所以才來測試一下Amazon的ELB
由於我們需要取得CLIENT的source ip 所以我們有用apache的mod_extract_forwarded
但在linode的nodebalancers上除了http外其他的都是走TCP層 是不支援mod_extract_forwarded (或是其他類似的套件)
這樣就不會有hander值可以讓apache取得ip 而不巧我們必須要走https
未來我們也會在Amazon上建服務 所以就來測一下功能

ELB SSL enable 

以下範例是以自簽憑證為例子
前提是你已經裝好openssl


$ openssl genrsa 1024 > private-key.pem  

Generating RSA private key, 1024 bit long modulus  
...++++++  
.......++++++  
e is 65537 (0x10001) 

$ openssl req -new -key private-key.pem -out csr.pem
  
You are about to be asked to enter information that will be incorporated  
into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,  
If you enter '.', the field will be left blank.  
-----  
Country Name (2 letter code) [AU]:JA  
State or Province Name (full name) [Some-State]:Tokyo  
Locality Name (eg, city) []:****  
Organization Name (eg, company) [Internet Widgits Pty Ltd]:****  
Organizational Unit Name (eg, section) []:IT  
Common Name (eg, YOUR name) []:elb.hoge.com  
Email Address []:fufufu@haha.com  
  
Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:*****  
An optional company name []:   

$ openssl req -x509 -days 365 -in csr.pem -key private-key.pem  -out hostcert.pem  
$ ls  
csr.pem  hostcert.pem  private-key.pem  

接下來就可以到ELB進行設定了
增加一個https的設定後
下一個畫面就會請你上傳憑證或是套用現有的憑證
這裡以上傳憑證為例

Certificate Name:* 取一個自己方便記得的名字
Private Key:* 請填private-key.pem內的全部內容
Public Key Certificate:* 請填hostcert.pem內的全部內容
接下來選Continue Amazon會去比對一次 沒問題就會往下走了
剩下就很容易就下一步下一步就完成了

如果是ca發行的憑證 要再轉成pem
ca會給我們這樣的檔案例如是這樣
以下內容取自 http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/
www_welfurnished_com.crt
PositiveSSLCA2.crt
AddTrustExternalCARoot.crt

一開始我們去申請一定會建一組Private key (務必保留)
$openssl rsa -in host.key -text
請複製完整內容貼到 Private Key:*
-----BEGIN RSA PRIVATE KEY-----
(tons of text)
-----END RSA PRIVATE KEY-----

$openssl x509 -inform PEM -in www_example_com.crt
請複製完整內容貼到 Public Key Certificate:*
-----BEGIN CERTIFICATE-----
(tons of text)
-----END CERTIFICATE-----

$openssl x509 -inform PEM -in PositiveSSLCA2.crt; openssl x509 -inform PEM -in AddTrustExternalCARoot.crt
請複製完整內容貼到Certificate Chain:

如此一來就完成了Amazon ELB的憑證匯入動作

*一個IAM帳號只能上傳10個憑證 可以透過申請增加
可以參考一下amazon的說明 (裡面也包含openssl的相關資訊)
http://docs.amazonwebservices.com/IAM/latest/UserGuide/InstallCert.html

希望大家都能順利完成相關的設定

http://docs.amazonwebservices.com/IAM/latest/UserGuide/InstallCert.html
http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/
http://serverfault.com/questions/255608/ssl-https-within-an-amazon-elb-workflow
http://gca.nat.gov.tw/download/GCA_Apache_CSR_INSTALL.pdf
http://cloudarch.co.uk/2011/10/elastic-load-balancer-ssl-setup-guide-pem-encoded-csr/#.UJJk28XA9C0
arrow
arrow
    全站熱搜

    紐士比 發表在 痞客邦 留言(0) 人氣()

    E-mail轉寄