如何在 AWS 或 Google Cloud 代理后配置 Discourse 并启用 SSL

大家好，让我加入这个讨论……

我正在使用带有亚马逊颁发证书的 AWS 负载均衡器，但我无法将其下载到我的 EC2 实例上。当我通过 https://www.capitool.com.br 访问我的论坛时，一切正常，但通过 capitool.com.br 访问时，由于默认是 HTTP，无法正常工作。

在 Route 53 中，我为 capitool.com.br 设置了一个指向 www.capitool.com.br 的 ALIAS 记录。因此，当您尝试访问 capitool.com.br 时，Route 53 会将其指向 www.capitool.com.br。

所以我复制了 web.ssl.template.yml 文件，并将所有内容替换为：

  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /server.+{/
     to: |
       server {
         listen 80;
         return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
       }
       server {

但我收到了“请求过多”的错误。我也尝试了以下方法：

  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /server.+{/
     to: |
       server {
         listen 80;
         server_name forum.com.br www.forum.com.br;
         rewrite ^/(.*) https://$$ENV_DISCOURSE_HOSTNAME$request_uri permanent;
       }
       server {

但都没有成功……

各位能帮我吗？我的论坛已经无法访问了……

我尚未通过管理员界面强制启用 HTTPS。

提前感谢。

anyone could help me on this?

This isn’t a Discourse issue, it’s nginx and aws. Stack exchange is a place more likely to yield results in under four hours.

If it’s an emergency and you want immediate help here you can post in marketplace with a budget.

Check this out:

The problem is that you need to use X-forwarded-http header if your discourse server is behind a load balancer.

Unfortunately, Discourse does not have a solution for this out of the box.
I am myself searching for a solution and have not found any, yet.

Hi @Anil_Gupta, i tried your example, but it gets redirected many times.
Here is my discourse https://www.capitool.com.br/.

run:
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /server.+{/
     to: |
       server {
         listen 80;
         server_name www.capitool.com.br;
         if ($http_x_forwarded_proto != "https") {
           rewrite ^(.*)$ https://$server_name$request_uri permanent;
         }
       }
       server {

Are you doing health checks in the ALB? Maybe you need to bypass that or accept 301 as a healthy response.

As I already said, this does not work with Discourse at this time.
I was questioning the same in the thread that I shared earlier.

At this time, i do not have any solution that would make it work.
We use Google’s Load balance server (same as Amazon ELB).

You do realise that this very site you are replying on is serving all the traffic via an AWS alb with an auto scaling group?

No, I did not knew it.

What’s the solution then?
Do we have it documented anywhere on how to achieve http to https using the http_forwarded_header?

I tried and it just shows the NGINX page.

It would be helpful if somebody can list the steps to set it up.

Does meta.discourse run on http behind the AWS ELB (using https)?

Or both Amazon ELB and discourse server are having HTTPS?

The question is to have https config ONLY at Load balance server level. The discourse install should be only using HTTP and still should be able to REWRITE/REDIRECT to https version.

Is it possible?

Yes, this is how you would set it up. ELB gets traffic unencrypted and it has the cert and handles SSL.

Ya… but, how does the redirection work at the discourse server level then?
There has to be some redirection rule at discourse set up. In my case, google load balance server does not handle the redirection.

Google recommends that this rule should be added to the discourse’s web server:

server {
      listen         80;
      server_name    www.example.org;
      if ($http_x_forwarded_proto != "https") {
          rewrite ^(.*)$ https://$server_name$REQUEST_URI permanent;
      }
}

The question is where should we add this rule?

I have tried adding it in app.yml (inside after_web_config hook) but, it does not work.
It starts showing the ‘Welcome to Nginx’ screen after adding the above rule.

Do you have any suggestions as to how this rule can be configured in Discourse set up?

The general process you follow is …

enter container, mess with nginx config file inside container, run sv restart nginx to have it take effect. Continue messing with nginx conf until you have something that works.

Only after that would you add it to the bootstrap process.

Prior to implementing ipv6, our proxy server listened on 80/443 and it talked to Discourse listening on non port 80 on various machines.

Proxying on path is not going to work… not at all, not even following why you would do this, you would enter a world of regex pain.

That said this entire discussion is out of scope for the original howto, split off and moved to support.

A complete guide on this would be fantastic. There seems to be bits & pieces (plenty of interest) around this topic of deploying on AWS in a HA environment with ELB.

I acknowledge that such a document would compete against hosted options.

Very extremely unlikely we are going to publish any guidelines on “this is how you build a super mega enterprise Discourse setup” for a book full of reasons.

If the community want to share knowledge be our guests

Thanks @sam

I guess I’m not looking for a mega install but a ha version that scales & is not going to wake me up in the middle of the night with issues.

I’m not interested in a hosted solution.

Cheers

Todd

Unless you are doing at least 20 million pageviews per month – and please do correct me if you are – you can trivially achieve “not going to wake me up” and “scales” just fine on a single Digital Ocean droplet.

Otherwise you have decided to opt yourself into pain. Which is entirely your perogative, if that’s what you want.

Thanks @codinghorror

Just confirming is a single droplet a single machine?

Yep, one droplet is one machine.