SSL Proxy for Multi Tenant Sites on AWS
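# Provisioning steps for an OpenResty + lua-resty-auto-ssl TLS proxy on an
# Amazon Linux EC2 instance. Everything after the ssh line is typed on the
# instance; this is an interactive checklist, not an unattended script
# (no `set -e`, the yum installs still prompt).
ssh -i your_key.pem ec2-user@YOUR_EC2_IP

# OpenResty from the vendor repository (repo file fetched over HTTPS).
sudo yum-config-manager --add-repo https://openresty.org/package/amazon/openresty.repo
sudo yum install openresty
sudo yum install openresty-resty
# if https://openresty.org/package/amazon/2/x86_64/repodata/repomd.xml: \[Errno 14\] HTTPS Error 404 - Not Found
# sudo vim /etc/yum.repos.d/openresty.repo
# exchange the $releasever placeholder of the baseurl to “latest” baseurl=https://openresty.org/package/amazon/latest/$basearch.

# LuaRocks, built against OpenResty's bundled LuaJIT. The tarball is fetched
# over HTTPS; the original step used plain http://, which let anyone on the
# network path substitute an archive that is then built and installed as root.
# Verify the archive (checksum or signature from the project) before building.
wget https://luarocks.org/releases/luarocks-2.0.13.tar.gz
tar -xzvf luarocks-2.0.13.tar.gz
cd luarocks-2.0.13/
./configure --prefix=/usr/local/openresty/luajit \
--with-lua=/usr/local/openresty/luajit/ \
--lua-suffix=jit \
--with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
make
sudo make install

# Compiler for luarocks (presumably for rocks with C parts).
sudo yum install gcc

# `www` is the group the nginx workers run with (`user ec2-user www;` in
# nginx.conf below); ec2-user joins it so it can manage the auto-ssl storage.
# Note that ec2-user is the passwordless-sudo login account on Amazon Linux,
# so running the workers as that user turns a worker compromise into root.
sudo groupadd www
sudo usermod -a -G www ec2-user
sudo /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl

# Storage directory for auto-ssl. 775 makes the whole tree writable by the
# www group; the issued certificates and their private keys will presumably
# live under here, so keep www membership minimal.
sudo mkdir /etc/resty-auto-ssl
sudo chown -R root:www /etc/resty-auto-ssl/
sudo chmod -R 775 /etc/resty-auto-ssl

# Self-signed placeholder certificate handed to clients without SNI; the CN
# explains the failure. It is never meant to be trusted, hence 10-year validity
# and an unencrypted key are acceptable here.
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
-subj '/CN=sni-support-required-for-valid-ssl' \
-keyout /etc/ssl/resty-auto-ssl-fallback.key \
-out /etc/ssl/resty-auto-ssl-fallback.crt

# Replace the shipped nginx.conf with the one below (backup kept).
sudo mv /usr/local/openresty/nginx/conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.backup.conf
sudo vim /usr/local/openresty/nginx/conf/nginx.conf
sudo service openresty start

# Tail Errors
tail -F /usr/local/openresty/nginx/logs/error.log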
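# OpenResty front end that terminates TLS for tenant domains via
# lua-resty-auto-ssl (Let's Encrypt) and proxies every request to one upstream.
#
# Workers run as ec2-user. On Amazon Linux that is the interactive login
# account with passwordless sudo, so a worker compromise is effectively a root
# compromise. A dedicated non-login account is preferable; it then needs write
# access to the auto-ssl storage directory (/etc/resty-auto-ssl in the
# companion setup steps).
user ec2-user www;
worker_processes auto;
pid /run/openresty.pid;

events {
    worker_connections 1024;
}

http {
    # Shared memory zones auto-ssl uses for certificates and its settings.
    lua_shared_dict auto_ssl 1m;
    lua_shared_dict auto_ssl_settings 64k;

    # Required because proxy_pass below uses a variable and is resolved per
    # request. This is plain DNS to a public resolver; the VPC resolver would
    # keep lookups inside the VPC.
    resolver 8.8.8.8 ipv6=off;

    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()

        -- allow_domain decides for which SNI hostnames a certificate may be
        -- requested. Returning true unconditionally means any hostname a
        -- client presents triggers an ACME attempt, which lets strangers burn
        -- the Let's Encrypt rate limits and drive issuance work on this host.
        -- Restrict it to known tenant domains (e.g. a lookup against the
        -- tenant registry) as soon as that list is available.
        auto_ssl:set("allow_domain", function(domain)
            return true
        end)

        auto_ssl:init()
    }

    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }

    # TLS front door for tenant domains.
    server {
        listen 443 ssl;

        # The upstream leg below is pinned to TLSv1.2; keep the client-facing
        # leg at the same floor instead of the build default, which also
        # accepts TLSv1 and TLSv1.1.
        ssl_protocols TLSv1.2;

        # Per-connection certificate selection by auto-ssl, keyed on SNI.
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }

        # Self-signed fallback, presumably what clients without SNI receive;
        # browsers will reject it, which is the intended outcome.
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        # Single upstream every tenant is proxied to.
        set $pipe_proxy "dns.pipemusic.co";

        location / {
            proxy_set_header Host $pipe_proxy;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Host is rewritten to the upstream name, so the tenant hostname
            # travels in X-Forwarded-Server for the application to read.
            proxy_set_header X-Forwarded-Server $host;
            # Rewrite Set-Cookie domains back to the tenant hostname.
            proxy_cookie_domain $pipe_proxy $host;
            # SNI towards the upstream. Note that proxy_ssl_verify is off by
            # default, so the upstream certificate is not checked; once the
            # upstream chain is confirmed, add `proxy_ssl_verify on;` with
            # `proxy_ssl_trusted_certificate` pointing at the system CA bundle.
            proxy_ssl_server_name on;
            proxy_ssl_name $pipe_proxy;
            proxy_ssl_protocols TLSv1.2;
            proxy_pass https://$pipe_proxy;
            proxy_read_timeout 90;
        }
    }

    # Plain HTTP: serve ACME HTTP-01 challenges, redirect everything else.
    server {
        listen 80;

        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Internal auto-ssl hook endpoint. The loopback bind keeps it off the
    # network; keep it that way.
    server {
        listen 127.0.0.1:8999;
        client_body_buffer_size 128k;
        client_max_body_size 128k;

        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }
}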