We actually came to test Amazon's ELB because we got burned badly by Linode's NodeBalancers.
We need the client's source IP, so we use Apache's mod_extract_forwarded.
On Linode's NodeBalancers, however, everything other than HTTP is passed through at the TCP layer, which does not support mod_extract_forwarded (or similar modules),
so there is no header value from which Apache can read the IP, and unfortunately we have to use HTTPS.
We will also be building services on Amazon in the future, so we are testing this feature now.
ELB SSL enable
The following example uses a self-signed certificate.
It assumes you already have openssl installed.
$ openssl genrsa 1024 > private-key.pem
Generating RSA private key, 1024 bit long modulus
...++++++
.......++++++
e is 65537 (0x10001)
$ openssl req -new -key private-key.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:****
Organization Name (eg, company) [Internet Widgits Pty Ltd]:****
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:elb.hoge.com
Email Address []:fufufu@haha.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****
An optional company name []:
$ openssl req -x509 -days 365 -in csr.pem -key private-key.pem -out hostcert.pem
$ ls
csr.pem hostcert.pem private-key.pem
Next, go to the ELB to configure it.
After adding an HTTPS listener,
the next screen asks you to upload a certificate or use an existing one.
Here we upload a certificate:
Certificate Name:* pick a name that is easy for you to remember
Private Key:* paste the entire contents of private-key.pem
Public Key Certificate:* paste the entire contents of hostcert.pem
Then click Continue; Amazon checks the key and certificate against each other once, and if there is no problem it moves on.
The rest is easy: just click Next until it is done.
If the certificate was issued by a CA, it must first be converted to PEM.
The CA gives us a set of files like these, for example
(the following is taken from http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/):
www_welfurnished_com.crt
PositiveSSLCA2.crt
AddTrustExternalCARoot.crt
When we first applied for the certificate, we generated a private key (be sure to keep it).
$ openssl rsa -in host.key -text
Copy the complete block from -----BEGIN to -----END (the -text option also prints a human-readable dump above it, which is not pasted) into Private Key:*
-----BEGIN RSA PRIVATE KEY-----
(tons of text)
-----END RSA PRIVATE KEY-----
$ openssl x509 -inform PEM -in www_example_com.crt
Copy the complete output and paste it into Public Key Certificate:*
-----BEGIN CERTIFICATE-----
(tons of text)
-----END CERTIFICATE-----
$ openssl x509 -inform PEM -in PositiveSSLCA2.crt; openssl x509 -inform PEM -in AddTrustExternalCARoot.crt
Copy the complete output (intermediate first, then root) and paste it into Certificate Chain:
That completes importing the certificate into Amazon ELB.
* Each IAM account can upload at most 10 certificates; you can request an increase.
See Amazon's documentation (it also covers the relevant openssl details):
http://docs.amazonwebservices.com/IAM/latest/UserGuide/InstallCert.html
I hope everyone gets the setup done smoothly.
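Before pasting the three pieces into the ELB form, it is worth checking that the private key really belongs to the certificate and that the chain you assembled actually validates the host certificate. The script below is an added example, not part of the original post; it assumes openssl is on PATH, and the file names and the throwaway key/certificate it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the PEM pieces before
# pasting them into the ELB form. Assumes openssl is on PATH; names are illustrative.
set -eu

# Generate a throwaway key + self-signed cert (constructed demo material, the same
# steps as the post but non-interactive). Usage: make_demo_material DIR
make_demo_material() {
  openssl genrsa -out "$1/private-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$1/private-key.pem" \
    -subj "/C=JP/ST=Tokyo/CN=elb.example.com" -out "$1/hostcert.pem" 2>/dev/null
}

# Succeeds only if KEY and CERT carry the same public modulus, i.e. the key you
# are about to paste into "Private Key" really belongs to the certificate.
# Usage: key_matches_cert KEY CERT
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus | openssl md5)
  c=$(openssl x509 -in "$2" -noout -modulus | openssl md5)
  [ "$k" = "$c" ]
}

# Write the "Certificate Chain" field: intermediates first, root last, PEM only.
# openssl x509 re-emits just the BEGIN/END block, so no text dump leaks in.
# Usage: build_chain OUT INTERMEDIATE... ROOT
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do openssl x509 -inform PEM -in "$f" >> "$out"; done
}

# Succeeds only if CERT validates against the chain file CHAIN.
# Usage: chain_verifies CERT CHAIN
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Number of PEM certificate blocks in a file: a quick check that the chain
# contains every certificate the CA sent you.
pem_block_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}
```

A mismatch reported by key_matches_cert is the usual reason the ELB console rejects the upload at the Continue step.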
http://docs.amazonwebservices.com/IAM/latest/UserGuide/InstallCert.html
http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/
http://serverfault.com/questions/255608/ssl-https-within-an-amazon-elb-workflow
http://gca.nat.gov.tw/download/GCA_Apache_CSR_INSTALL.pdf
http://cloudarch.co.uk/2011/10/elastic-load-balancer-ssl-setup-guide-pem-encoded-csr/#.UJJk28XA9C0
- Nov 02 Fri 2012 14:19
Amazon ELB SSL crt input (certificate import)