关于亚马逊网络服务：AWS ELB -> 带有自签名证书的基于 HTTPS 的后端服务器

AWS ELB -> Backend Server over HTTPS with Self-Signed Certificate

我已经使用 HTTPS 来终止我的 AWS ELB 上的外部 HTTPS 连接。我现在正在尝试使用带有自签名证书的 HTTPS 来保护我的 ELB 和 EC2 上的后端 NGINX 服务器之间的连接。我遵循了文档，但通过 HTTPS 访问服务器会导致 408 HTTP 超时。我似乎无法获得任何调试信息来确定哪里出错了。

我已经确认安全组允许 EC2 上的 ELB 和 NGINX 之间的连接。
我已经确认 VPC 允许在 ELB 和 EC2 节点之间路由流量(HTTP 也可以正常工作)。
我已经确认 EC2 节点上的 HTTPS 侦听器正在运行(我可以直接点击它，而无需转到 ELB。
我创建了一个 PublicKeyPolicyType 类型的 ELB 策略，并关联了我的公钥。
我创建了一个类型为 BackendServerAuthenticationPolicyType 的 ELB 策略，并将其与 PublicKeyPolicyType 相关联。
我已将 BackendServerAuthenticationPolicyType 与 ELB 相关联。
我确保 SSLNegotiationPolicyType 支持我在 NGINX 配置中指定的算法和密码。
我在 NGINX 访问日志中看到 HTTP 请求，但没有看到 HTTPS 请求。

有什么办法可以让我获得任何额外的诊断信息来测试这个吗？

这是我的 ELB 配置：

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

$ aws elb describe-load-balancers --load-balancer-name <MY-ELB-NAME>

{
"LoadBalancerDescriptions": [
{
"Subnets": [
"<REDACTED>",
"<REDACTED>",
"<REDACTED>"
],
"CanonicalHostedZoneNameID":"<REDACTED>",
"VPCId":"<REDACTED>",
"ListenerDescriptions": [
{
"Listener": {
"InstancePort": 80,
"LoadBalancerPort": 80,
"Protocol":"HTTP",
"InstanceProtocol":"HTTP"
},
"PolicyNames": []
},
{
"Listener": {
"InstancePort": 443,
"SSLCertificateId":"<REDACTED>",
"LoadBalancerPort": 443,
"Protocol":"HTTPS",
"InstanceProtocol":"HTTPS"
},
"PolicyNames": [
"ELBSecurityPolicy-2015-05"
]
}
],
"HealthCheck": {
"HealthyThreshold": 2,
"Interval": 30,
"Target":"HTTP:80/health",
"Timeout": 10,
"UnhealthyThreshold": 2
},
"BackendServerDescriptions": [
{
"InstancePort": 443,
"PolicyNames": [
"MyBackendServerAuthenticationPolicy"
]
}
],
"Instances": [
{
"InstanceId":"<REDACTED>"
}
],
"DNSName":"<REDACTED>.us-west-2.elb.amazonaws.com",
"SecurityGroups": [
"<GROUP_ID>"
],
"Policies": {
"LBCookieStickinessPolicies": [],
"AppCookieStickinessPolicies": [],
"OtherPolicies": [
"ELBSecurityPolicy-2015-05",
"MyBackendServerAuthenticationPolicy",
"MyPublicKeyPolicy"
]
},
"LoadBalancerName":"<MY-ELB-NAME>",
"CreatedTime":"2016-03-23T20:58:49.490Z",
"AvailabilityZones": [
"us-west-2a",
"us-west-2b",
"us-west-2c"
],
"Scheme":"internal",
"SourceSecurityGroup": {
"OwnerAlias":"<REDACTED>",
"GroupName":"<GROUP_NAME>"
}
}
]
}

这是我的 ELB 政策：

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

$ aws elb describe-load-balancer-policies --load-balancer-name <MY-ELB-NAME>
{
"PolicyDescriptions": [
{
"PolicyAttributeDescriptions": [
{
"AttributeName":"Reference-Security-Policy",
"AttributeValue":"ELBSecurityPolicy-2015-05"
},
...
{
"AttributeName":"Protocol-TLSv1.2",
"AttributeValue":"true"
},
...
{
"AttributeName":"ECDHE-RSA-AES128-GCM-SHA256",
"AttributeValue":"true"
},
...
],
"PolicyName":"ELBSecurityPolicy-2015-05",
"PolicyTypeName":"SSLNegotiationPolicyType"
},
{
"PolicyAttributeDescriptions": [
{
"AttributeName":"PublicKeyPolicyName",
"AttributeValue":"MyPublicKeyPolicy"
}
],
"PolicyName":"MyBackendServerAuthenticationPolicy",
"PolicyTypeName":"BackendServerAuthenticationPolicyType"
},
{
"PolicyAttributeDescriptions": [
{
"AttributeName":"PublicKey",
"AttributeValue":"<REDACTED>"
}
],
"PolicyName":"MyPublicKeyPolicy",
"PolicyTypeName":"PublicKeyPolicyType"
}
]
}

这是我的 NGINX 配置：

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

worker_processes 10;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
}

error_log syslog:server=unix:/dev/log error;
pid logs/nginx.pid;

http {
default_type application/octet-stream;

log_subrequest on;
access_log syslog:server=unix:/dev/log,severity=debug extended;

tcp_nodelay on;
tcp_nopush on;

server_tokens off;

upstream api {
server localhost:8080;
}

server {
listen 80 default_server;
listen [::]:80 default_server;

location / {
# Redirect all other HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
}

server {
listen 443 ssl;
listen [::]:443 ssl;

ssl_certificate /path/to/ssl.crt;
ssl_certificate_key /path/to/ssl.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;ECDHE

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;

# modern configuration. tweak to your needs.
# See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security"max-age=15768000; includeSubDomains;";

# Our main location to proxy everything else to the upstream
# server, but with the added logic for enforcing HTTPS.
location / {
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_next_upstream error;

proxy_pass http://api;
}
}
}

我正在使用以下命令生成密钥/证书：

1
2
3
4
5
6
7
8
9
10
11
12
13
14

$ openssl genrsa \\
-out /path/to/ssl.key 2048
$ openssl req \\
-sha256 \\
-new \\
-key /path/to/ssl.key \\
-out /path/to/ssl.csr
$ openssl x509 \\
-req \\
-days 365 \\
-in /path/to/ssl.csr \\
-signkey /path/to/ssl.key \\
-out /path/to/ssl.crt
$ openssl dhparam -out /path/to/dhparam.pem 2048