donh61500
2015-11-20 04:51
Views: 76
Accepted

SSL on a single EC2 Linux instance running PHP: "connection refused" error

I'm trying to enable SSL on a single EC2 Linux instance running PHP but I get a "connection refused" error.

I followed these instructions to enable SSL: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSL.SingleInstance.html

And in step 4, I completed the steps to create a .config file (I made sure indentation was correct) and place it inside the .ebextensions folder: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/ssl-singleinstance-php.html

Also, I created a new Security Group for HTTPS (Inbound HTTPS | TCP | 443 | 0.0.0.0/0).

After committing the change, I went ahead and deployed using aws.push. The deployment was successful (no errors). However, I see a "refused connection" error when trying to load my instance both on http and https.

In order to see if I could revert this situation, I removed the .config file and redeployed, but I still see the error; the site is not accessible at the moment.

Any ideas of what I may be doing wrong? I read the answers that were given in similar questions, but I can't find a solution to this issue. I'm also wondering how I can revert the configuration to bring the site back.

Here's my config file:

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

packages:
  yum:
    mod24_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine             on
        SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol           All -SSLv2 -SSLv3
        SSLHonorCipherOrder   On
        SSLSessionTickets     Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early

        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      mycertificateheremycertificateheremycertificateheremycertificate
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      myrsaprivatekeyheremyrsaprivatekeyheremyrsaprivatekeyheremyrsapr
      -----END RSA PRIVATE KEY-----
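A small linter for the ssl.conf fragment posted above, added here as an example and not part of the original question or of the AWS guide: it parses the Apache directives line by line and reports the gaps a reviewer would flag, including a missing Listen 443, which is one way to end up with "connection refused" on 443. It assumes the conventional /etc/pki/tls/private/ directory for private keys and treats a headers_module that is not loaded in the fragment as something to verify in the base httpd config.

```python
import re

# Constructed sample: the directives from the ssl.conf in the question above.
SSL_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
  SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
  SSLProtocol           All -SSLv2 -SSLv3
  SSLHonorCipherOrder   On
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  RequestHeader set X-Forwarded-Proto "https" early
  ProxyPass / http://localhost:80/ retry=0
</VirtualHost>
"""

def parse_directives(text):
    """Map directive name -> list of values; skips blanks, comments and <tags>."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#<":
            name, _, value = line.partition(" ")
            values.setdefault(name, []).append(value.strip())
    return values

def lint_ssl_conf(text):
    """Return findings for the fragment; an empty list means nothing was flagged."""
    v = parse_directives(text)
    findings = []
    if not any(re.search(r"(^|:)443(\s|$)", x) for x in v.get("Listen", [])):
        findings.append("no 'Listen 443': nothing binds port 443, so connections are refused")
    protos = " ".join(v.get("SSLProtocol", [])).split()
    for legacy in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        # 'All' (or naming the version) enables it unless a matching '-X' removes it
        if ("all" in [p.lower() for p in protos] or legacy in protos) and f"-{legacy}" not in protos:
            findings.append(f"SSLProtocol leaves {legacy} enabled")
    if "on" not in [x.lower() for x in v.get("SSLHonorCipherOrder", [])]:
        findings.append("SSLHonorCipherOrder is not 'On'")
    if not any("Strict-Transport-Security" in x for x in v.get("Header", [])):
        findings.append("no Strict-Transport-Security header")
    if ("Header" in v or "RequestHeader" in v) and not any(
            "headers_module" in x for x in v.get("LoadModule", [])):
        findings.append("Header/RequestHeader used but headers_module is not loaded in this fragment")
    for key in v.get("SSLCertificateKeyFile", []):
        if not key.strip('"').startswith("/etc/pki/tls/private/"):
            findings.append(f"private key {key} is outside /etc/pki/tls/private/")
    return findings
```

Running `lint_ssl_conf(SSL_CONF)` on the posted fragment flags TLSv1 and TLSv1.1 still enabled, the headers module not loaded in the fragment, and the private key stored in the certs directory.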

1 answer

  • dongxun5349 2015-12-03 03:53
    Accepted

    Answering my own question since it might help others:

    The issue was with the version of the Amazon Linux server (2014 instead of 2015). The config file above does not work with 2014 servers.

