英文:
What SSL Cert to install in dotnet Kestrel host in non dev environment
问题
目前在AWS云中,我们将HTTPS-SSL终止在ALB,我正在尝试将HTTPS SSL/TLS转发到容器。
我可以在启动时配置SSL
builder.WebHost.ConfigureKestrel(options =>
{
options.Listen(IPAddress.Any, 5002, listenOptions =>
{
listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
listenOptions.UseHttps(<CERTPATH>, <PASSPHRASE>);
});
});
我尝试获取AWS证书管理器证书,使用以下代码
var exportCertificateResponse = await acmClient.GetCertificateAsync(new GetCertificateRequest()
{
CertificateArn = builder.Configuration["AWS:CertificateArn"],
});
但是此证书没有私钥,因此无法直接使用。
所以我想我可能在使用错误类型的证书。感谢任何帮助。
当前的Docker文件
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 5002
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["WebApi/WebApi.csproj", "WebApi/"]
RUN dotnet restore "WebApi/WebApi.csproj"
COPY . .
WORKDIR "/src/WebApi"
RUN dotnet build "WebApi.csproj" -c Release -o /app/build
FROM build AS publish
RUN dotnet publish "WebApi.csproj" -c Release -o /app/publish /p:UseAppHost=false
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "WebApi.dll"]
我应该只是在Docker中添加一个自签名证书吗?
英文:
Currently in AWS Cloud, we have the HTTPS-SSL terminated at the ALB, I am trying to Forward the HTTS SSL/TLS till the Container.
I can configure the SSL at the Start up
builder.WebHost.ConfigureKestrel(options =>
{
options.Listen(IPAddress.Any,5002, listenOptions =>
{
listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
listenOptions.UseHttps(<CERTPATH>, <PASSPHRASE>);
});
});
I tried getting the AWS Certificate Manager Cert, using the following code
var exportCertificateResponse = await acmClient.GetCertificateAsync(new GetCertificateRequest()
{
CertificateArn = builder.Configuration["AWS:CertificateArn"],
});
But this certificate doesn't have the private key, so can't use this directly.
SO I guess I might be using the incorrect type of cert. Appreciate any help
Current dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 5002
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["WebApi/WebApi.csproj", "WebApi/"]
RUN dotnet restore "WebApi/WebApi.csproj"
COPY . .
WORKDIR "/src/WebApi"
RUN dotnet build "WebApi.csproj" -c Release -o /app/build
FROM build AS publish
RUN dotnet publish "WebApi.csproj" -c Release -o /app/publish /p:UseAppHost=false
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "WebApi.dll"]
Should i just add a self signed cert to the docker?
答案1
得分: 0
AWS ACM SSL 证书免费,不能直接用在你的代码中。它们只能附加到负载均衡器、CloudFront 分发和 API 网关。如果你想在后端服务器上使用 SSL 证书,你需要以其他方式获取,比如通过 Let's Encrypt 或从 SSL 证书公司 购买。
如果你想从后端服务器提供 SSL 证书而不是负载均衡器,你将无法使用应用负载均衡器。你需要切换到配置了 TCP 透传的网络负载均衡器。这样做意味着你将无法利用应用负载均衡器中可用的路径路由和重定向规则等功能。
如果你只想在负载均衡器和后端服务器之间实现端到端加密,你可以在后端服务器上安装自签名证书,因为负载均衡器不会验证后端 SSL 证书。
英文:
The free AWS ACM SSL certificates cannot be used directly in your code. They are only available to attach to load balancers, CloudFront distributions, and API Gateways. If you want to have an SSL certificate on your back-end server you will have to obtain one some other way, such as via Let's Encrypt, or by purchasing one from a SSL certificate company.
If you want to serve the SSL certificate from your backend server instead of the load balancer, you won't be able to use an Application Load Balancer. You will have to switch to a Network Load Balancer configured with TCP Passthrough. Doing this means you will not be able to take advantage of things like path routing and redirect rules that are available in Application Load Balancers.
If you just want to implement end-to-end encryption between the load balancer and your backend server, you could install a self-signed certificate on your backend server, because the load balancer does not do validation of the backend SSL certificate.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论