Deploy Spring Boot application on AWS Elastic Beanstalk with automatic SSL certificates
Question
Let's say I have a Spring Boot project that produces a JAR file www.example.com.jar which, using its embedded HTTP server, shows an example page showing the word "Example".
- I want to deploy this bare JAR file on AWS Elastic Beanstalk.
- I want SSL/TLS support for my custom domain, i.e. https://www.example.com/.
- I want to use Amazon's own Amazon Certificate Manager.
- I want Amazon Certificate Manager to automatically renew the certificate as needed.
- I am happy to use Amazon's Route 53 if necessary for DNS.
- I am willing to use load balancer(s) if necessary.
- I am willing to use Amazon's CloudFront if necessary.
- I do not want a solution that makes me manually renew a certificate and copy it somewhere from time to time.
- I do not want a solution that requires me to create an EC2 instance; I want to deploy a bare JAR.
What are the options to meet all these requirements? (Most of the tutorials I've seen skip the SSL part altogether, even though SSL is mandatory on today's web).
Lastly, if this is simply not possible with a bare JAR file, but would be possible with a bare Docker image, I would be interested in meeting these same requirements using a bare Docker image.
Answer 1
Score: 4
> - I want to deploy this bare JAR file on AWS Elastic Beanstalk.
>
> - I do not want a solution that requires me to create an EC2 instance; I want to deploy a bare JAR.
These two statements don't make sense to me. You want to use Elastic Beanstalk, but you don't want to use EC2 instances? Elastic Beanstalk is nothing more than a service that manages EC2 instances for you. When you deploy your application with Elastic Beanstalk it is going to create one or more EC2 instances and deploy your application on those.
To deploy your Spring Boot application to Elastic Beanstalk, follow this official guide.
To meet your SSL requirements, you need to create an SSL certificate in AWS ACM for the domain you own (www.example.com), and pick DNS validation. Then create the DNS record it tells you to, to validate your ownership of the domain.
Next, deploy your Java application to Elastic Beanstalk with a load balancer. Then attach the AWS ACM certificate to the load balancer. Finally, create a DNS CNAME record for www.example.com that points to the DNS name of the load balancer. You don't need to use Route53 for this unless you are trying to point a root domain (example.com instead of www.example.com) to your load balancer.
Answer 2
Score: 1
Might have stumbled through to satisfaction of all of these requirements except for potentially the automatic renewal / re-installation of the certificate:
- yes, bare Spring Boot JAR file on AWS Elastic Beanstalk.
- yes, SSL/TLS support for my custom domain, i.e. https://www.example.com/.
- yes, did use Amazon's own Amazon Certificate Manager.
- I don't know, but I'm hopeful that Amazon Certificate Manager will automatically renew the certificate as needed.
- yes, Amazon's Route 53 is something I'm using for DNS.
- yes, I broke down and became willing to use load balancer(s) and used one
- I don't know about CloudFront yet.
- didn't have to set up an EC2 instance directly
One of the most difficult parts was arranging for the redirection of HTTP traffic to HTTPS. The documentation was leading me to an .ebextensions config solution -- but that seemed problematic because it seemed to be setting up a chicken-and-egg problem for testing the configuration. I felt relieved when I found some documentation about how to configure load balancer rules that actually led me to functionality I needed to set up the redirection in the load balancer itself: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html#edit-rule
Prior to redirecting to HTTPS, I had to set up HTTPS on the load balancer. The doc I used for that was https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
To get the public certificate set up for my custom domain, I used ACM: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
And originally, I got going with a hosted zone for my custom domain with Route 53. And I had to go to my domain registrar, GoDaddy, to set up the DNS entries to utilize Route 53. Once DNS was pointed to the AWS Hosted Zone DNS hosts, I didn't really have to go back to GoDaddy any more.
I'm about 4 or 5 days into this effort, so my head is still spinning a bit. The directions I followed to get the application launched initially were the ones at https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/java-se-platform.html.
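The load balancer setup both answers describe (an ACM certificate attached to an HTTPS listener, and HTTP redirected to HTTPS at the load balancer) can be expressed as an Elastic Beanstalk configuration file shipped with the application. This is an added example, not configuration from either answer; it assumes an Application Load Balancer, and the file name, the certificate ARN placeholder and the chosen TLS policy are assumptions to replace with your own values.

```yaml
# .ebextensions/https-listener.config  (file name is an assumption)
option_settings:
  # Load-balanced environment with an Application Load Balancer.
  # LoadBalancerType can only be chosen when the environment is created.
  aws:elasticbeanstalk:environment:
    EnvironmentType: LoadBalanced
    LoadBalancerType: application

  # HTTPS listener that terminates TLS with the ACM certificate.
  aws:elbv2:listener:443:
    ListenerEnabled: 'true'
    Protocol: HTTPS
    # Placeholder: ARN of the DNS-validated ACM certificate for www.example.com,
    # issued in the same region as the environment.
    SSLCertificateArns: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID
    # Assumed policy choice: restricts clients to TLS 1.2 and TLS 1.3.
    SSLPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06

# Override the default port 80 listener that Elastic Beanstalk creates so it
# answers every plain-HTTP request with a permanent redirect to HTTPS.
Resources:
  AWSEBV2LoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn:
        Ref: AWSEBV2LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: HTTP_301
```

ACM renews a DNS-validated public certificate automatically as long as the certificate is in use and the validation CNAME record stays in place, so that record should not be deleted after issuance.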