https://hao2.hatenablog.jp/entry/loadbalancer_ssl
前提: Let's Encrypt で無料SSL証明書作成済
※Let's Encrypt（certbot 2.x 以降）はデフォルトで ECDSA（ECC）鍵の証明書を発行するが、Alibaba Cloud CLB に取り込めないため、発行時に RSA 鍵を指定して作成する（certbot なら `--key-type rsa`）。
-- 1. CLB作成
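# Build the cloud-init user_data for the backend ECS instances: a bootstrap
# script that installs Apache and serves the instance hostname on port 80.
# The script body must stay byte-identical to the base64 value used for
# `user_data` in main.tf, otherwise the instances boot with different data.
#
# Outputs: the base64-encoded script on stdout, as ONE line.
# GNU base64 wraps its output at 76 columns by default, which would have to be
# re-joined by hand before pasting into the Terraform string; `tr -d '\n'`
# strips the wrap portably (GNU and BSD/macOS base64 alike).
make_user_data() {
  base64 <<'EOF' | tr -d '\n'
#!/bin/bash
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo $(uname -n) > /var/www/html/index.html
EOF
}

user_data_b64=$(make_user_data)
printf '%s\n' "$user_data_b64"

# The value currently pasted into main.tf. If the script above is edited,
# this check fails and reminds you to update both instance resources.
expected_user_data="IyEvYmluL2Jhc2gKeXVtIGluc3RhbGwgLXkgaHR0cGQKc3lzdGVtY3RsIHN0YXJ0IGh0dHBkCnN5c3RlbWN0bCBlbmFibGUgaHR0cGQKZWNobyAkKHVuYW1lIC1uKSA+IC92YXIvd3d3L2h0bWwvaW5kZXguaHRtbAo="
if [ "$user_data_b64" != "$expected_user_data" ]; then
  printf 'user_data mismatch: update the user_data value in main.tf\n' >&2
  exit 1
fi

# Round-trip: decode what was produced and show the script it carries.
printf '%s' "$user_data_b64" | base64 -d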
# Write variables.tf: the zone the vSwitch/CLB live in, plus the instance
# type and image used for both backend ECS instances.
cat <<'EOF' > variables.tf
locals {
  # Must be a zone of the region set in the provider block (ap-northeast-1).
  availability_zone = "ap-northeast-1a"
}

variable "instance_type" {
  description = "instance_type"
  type        = string
  default     = "ecs.t5-lc2m1.nano"
}

variable "image_id" {
  description = "image_id"
  type        = string
  default     = "aliyun_2_1903_x64_20G_alibase_20231221.vhd"
}
EOF
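# Write main.tf: VPC + vSwitch, a security group scoped to that subnet, two
# private backend ECS instances, and an internet-facing CLB with an HTTP
# listener. The HTTP listener is replaced by an HTTPS one in step 3.
cat <<'EOF' > main.tf
terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
      # Exact pin: a provider upgrade is a deliberate, reviewed change.
      version = "= 1.217.0"
    }
  }
}

provider "alicloud" {
  region = "ap-northeast-1"
}

locals {
  # Base64 of the bootstrap script from step 1 (installs httpd and serves the
  # hostname on :80). Defined once so both instances boot identically.
  backend_user_data = "IyEvYmluL2Jhc2gKeXVtIGluc3RhbGwgLXkgaHR0cGQKc3lzdGVtY3RsIHN0YXJ0IGh0dHBkCnN5c3RlbWN0bCBlbmFibGUgaHR0cGQKZWNobyAkKHVuYW1lIC1uKSA+IC92YXIvd3d3L2h0bWwvaW5kZXguaHRtbAo="
}

resource "alicloud_vpc" "vpc01" {
  vpc_name    = "vpc01"
  description = "vpc01"
  cidr_block  = "10.2.0.0/16"
}

resource "alicloud_vswitch" "sw01" {
  vswitch_name = "sw01"
  description  = "sw01"
  vpc_id       = alicloud_vpc.vpc01.id
  cidr_block   = "10.2.1.0/24"
  zone_id      = local.availability_zone
}

resource "alicloud_security_group" "sg01" {
  name                = "sg01"
  description         = "sg01"
  vpc_id              = alicloud_vpc.vpc01.id
  security_group_type = "normal"
}

# Backend ingress is limited to the vSwitch subnet. The source CIDR is taken
# from the vSwitch resource instead of repeating the literal, so the rule and
# the subnet cannot drift apart.
# NOTE(review): CLB health checks and forwarded traffic come from Alibaba's
# reserved range (100.64.0.0/10); if the backends stay "unhealthy", confirm
# whether that range needs an explicit allow here - TODO verify.
resource "alicloud_security_group_rule" "sg0101" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "80/80"
  security_group_id = alicloud_security_group.sg01.id
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 10
  cidr_ip           = alicloud_vswitch.sw01.cidr_block
  description       = "sg0101"
}

# Nothing in this setup listens on 443 on the ECS instances (TLS terminates at
# the CLB; the backends serve plain HTTP on 80 and are attached on port 80), so
# this rule is currently unused. Drop it unless the backends start serving TLS.
resource "alicloud_security_group_rule" "sg0102" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "443/443"
  security_group_id = alicloud_security_group.sg01.id
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 10
  cidr_ip           = alicloud_vswitch.sw01.cidr_block
  description       = "sg0102"
}

# Backend 1. internet_max_bandwidth_out = 0 means no public IP is allocated:
# the instance is reachable only through the CLB and from inside the VPC.
# key_name refers to a key pair that must already exist in the account; it is
# not managed by this configuration. deletion_protection is off for a lab.
resource "alicloud_instance" "instance01" {
  image_id                   = var.image_id
  instance_type              = var.instance_type
  security_groups            = [alicloud_security_group.sg01.id]
  instance_name              = "instance01"
  system_disk_category       = "cloud_ssd"
  system_disk_name           = "instance01"
  system_disk_size           = 20
  description                = "instance01"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_out = 0
  host_name                  = "instance01"
  vswitch_id                 = alicloud_vswitch.sw01.id
  instance_charge_type       = "PostPaid"
  key_name                   = "alibabakey01"
  deletion_protection        = false
  credit_specification       = "Standard"
  user_data                  = local.backend_user_data
}

# Backend 2, identical to backend 1 apart from its names.
resource "alicloud_instance" "instance02" {
  image_id                   = var.image_id
  instance_type              = var.instance_type
  security_groups            = [alicloud_security_group.sg01.id]
  instance_name              = "instance02"
  system_disk_category       = "cloud_ssd"
  system_disk_name           = "instance02"
  system_disk_size           = 20
  description                = "instance02"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_out = 0
  host_name                  = "instance02"
  vswitch_id                 = alicloud_vswitch.sw01.id
  instance_charge_type       = "PostPaid"
  key_name                   = "alibabakey01"
  deletion_protection        = false
  credit_specification       = "Standard"
  user_data                  = local.backend_user_data
}

# Internet-facing CLB: this is the only public entry point to the backends.
# delete_protection is off for a lab; turn it on for anything long-lived.
resource "alicloud_slb_load_balancer" "clb01" {
  load_balancer_name   = "clb01"
  address_type         = "internet"
  internet_charge_type = "PayByBandwidth"
  bandwidth            = 1
  load_balancer_spec   = "slb.s1.small"
  payment_type         = "PayAsYouGo"
  master_zone_id       = local.availability_zone
  delete_protection    = "off"
  instance_charge_type = "PayBySpec"
}

resource "alicloud_slb_server_group" "be01" {
  load_balancer_id = alicloud_slb_load_balancer.clb01.id
  name             = "be01"
}

resource "alicloud_slb_server_group_server_attachment" "be01_instance01" {
  server_group_id = alicloud_slb_server_group.be01.id
  server_id       = alicloud_instance.instance01.id
  port            = 80
  weight          = 100
  type            = "ecs"
}

resource "alicloud_slb_server_group_server_attachment" "be01_instance02" {
  server_group_id = alicloud_slb_server_group.be01.id
  server_id       = alicloud_instance.instance02.id
  port            = 80
  weight          = 100
  type            = "ecs"
}

# Plain-HTTP listener on 80. Step 3 deletes it and creates an HTTPS listener
# on 443 with the CLI; the certificate is uploaded by hand in step 2.
# Managing the certificate in Terraform (alicloud_slb_server_certificate) is
# possible, but it puts the private key into the Terraform state file, so the
# state would then need the same protection as the key itself.
# If an HTTP->HTTPS redirect is wanted instead of deleting this listener,
# listener_forward = "on" with forward_port = 443 is the provider's way.
resource "alicloud_slb_listener" "lis01" {
  load_balancer_id          = alicloud_slb_load_balancer.clb01.id
  backend_port              = 80
  frontend_port             = 80
  protocol                  = "http"
  bandwidth                 = 1
  description               = "lis01"
  scheduler                 = "wrr"
  sticky_session            = "off"
  health_check              = "on"
  health_check_type         = "http"
  health_check_uri          = "/"
  health_check_connect_port = 80
  healthy_threshold         = 3
  unhealthy_threshold       = 3
  health_check_timeout      = 5
  health_check_interval     = 2
  health_check_http_code    = "http_2xx,http_3xx"
  health_check_method       = "head"
  gzip                      = "true"
  idle_timeout              = 15
  request_timeout           = 60
  listener_forward          = "off"
  server_group_id           = alicloud_slb_server_group.be01.id
}
EOF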
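# Write outputs.tf: the resource IDs needed by the CLI steps that follow, plus
# the CLB's public IP, which step 4 needs for the hosts-file entry.
cat <<'EOF' > outputs.tf
output "vpc01_id" {
  value       = alicloud_vpc.vpc01.id
  description = "vpc01.id"
}

output "sw01_id" {
  value       = alicloud_vswitch.sw01.id
  description = "sw01.id"
}

output "sg01_id" {
  value       = alicloud_security_group.sg01.id
  description = "sg01.id"
}

output "instance01_id" {
  value       = alicloud_instance.instance01.id
  description = "instance01.id"
}

output "instance02_id" {
  value       = alicloud_instance.instance02.id
  description = "instance02.id"
}

# Used as --LoadBalancerId in the listener commands of step 3.
output "clb01_id" {
  value       = alicloud_slb_load_balancer.clb01.id
  description = "clb01.id"
}

# Public IP of the CLB: point the certificate's hostname at it in the hosts
# file (step 4) instead of reading it off the console.
output "clb01_address" {
  value       = alicloud_slb_load_balancer.clb01.address
  description = "clb01.address"
}
EOF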
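# Terraform workflow for the files written above.
terraform init
terraform fmt
terraform -version
# Catch syntax/reference errors before touching the cloud account.
terraform validate
# Save the plan and apply exactly that saved plan, so what was reviewed is
# what gets created (apply -auto-approve on a fresh plan can apply a plan
# nobody looked at).
terraform plan -out=tfplan
terraform apply tfplan
# Teardown once the check in step 4 is done. -auto-approve skips the
# confirmation prompt; delete protection is off on every resource here.
terraform destroy -auto-approve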
-- 2. サーバー証明書のアップロード
CLIでエラーとなるのでCLB/証明書画面から実施
証明書ソース: サードパーティの証明書
証明書名: cert01
証明書のタイプ: サーバー証明書
証明書: cert2.pem → fullchain2.pem を使うこと（サーバー証明書＋中間 CA 証明書。cert2.pem はリーフ証明書のみで中間証明書を含まないため、そのまま登録するとクライアント側でチェーン検証に失敗することがある。Alibaba Cloud の証明書アップロード画面では、サーバー証明書の後に中間 CA 証明書を連結した内容を貼り付ける）
秘密鍵: privkey2.pem
秘密鍵はそのままではアップロードできない。Let's Encrypt の privkey2.pem は PKCS#8 形式（`-----BEGIN PRIVATE KEY-----`）で、Alibaba 側は PKCS#1 形式（`-----BEGIN RSA PRIVATE KEY-----`）を想定しているためと思われる。
ヘッダ/フッタの文言だけを下記のように書き換えても中身の DER エンコード（PKCS#8 のラッパー）は変わらないので、正しくは openssl で形式変換する:
openssl rsa -in privkey2.pem -out privkey2-rsa.pem   # OpenSSL 3.x では -traditional を付けないと PKCS#8 のまま出力される
変換後のファイルは最初から `-----BEGIN RSA PRIVATE KEY-----` になる。変換後ファイルも秘密鍵そのものなので chmod 600 にし、アップロードが終わったら削除する。
（参考: 元記事の手順 — ヘッダ/フッタの文言修正）
-----BEGIN PRIVATE KEY-----
↓
-----BEGIN RSA PRIVATE KEY-----
-----END PRIVATE KEY-----
↓
-----END RSA PRIVATE KEY-----
-- 3. リスナー変更
HTTPリスナー削除
# Remove the plain-HTTP listener on port 80 before the HTTPS one takes over.
# Replace the placeholder with the real CLB ID (the clb01_id output).
# With this listener gone, http:// requests are refused rather than
# redirected; keep a port-80 HTTP listener with ListenerForward=on and
# ForwardPort=443 if an HTTP->HTTPS redirect is wanted.
clb_id="lb-111111111111111111111"
aliyun slb DeleteLoadBalancerListener \
  --LoadBalancerId "$clb_id" \
  --ListenerPort 80
HTTPSリスナー作成
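# Create the HTTPS (TLS-terminating) listener on 443, forwarding to the
# port-80 backends in the vServer group. Replace the placeholders with the
# CLB ID, the vServer group ID and the ID of the certificate uploaded in
# step 2. Health-check settings mirror the Terraform HTTP listener.
clb_id="lb-111111111111111111111"
vserver_group_id="rsp-1111111111111"
server_cert_id="1111111111111111_11111111111_-1111111111_111111111"

# --TLSCipherPolicy is the one security-relevant addition: without it the
# listener uses the SLB default policy (tls_cipher_policy_1_0 per the API
# reference), which still accepts TLS 1.0/1.1. tls_cipher_policy_1_2_strict
# limits it to TLS 1.2 with forward-secret suites. NOTE(review): confirm the
# policy name and its availability for this instance spec in the current SLB
# API reference before relying on it.
aliyun slb CreateLoadBalancerHTTPSListener \
  --Bandwidth 1 \
  --HealthCheck on \
  --ListenerPort 443 \
  --LoadBalancerId "$clb_id" \
  --StickySession off \
  --Description lis02 \
  --Gzip on \
  --HealthCheckConnectPort 80 \
  --HealthCheckHttpCode "http_2xx,http_3xx" \
  --HealthCheckInterval 2 \
  --HealthCheckMethod head \
  --HealthCheckTimeout 5 \
  --HealthCheckURI "/" \
  --HealthyThreshold 3 \
  --IdleTimeout 15 \
  --RequestTimeout 60 \
  --UnhealthyThreshold 3 \
  --VServerGroupId "$vserver_group_id" \
  --ServerCertificateId "$server_cert_id" \
  --TLSCipherPolicy tls_cipher_policy_1_2_strict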
HTTPSリスナーの起動
# A newly created listener is stopped; start it so port 443 begins serving.
clb_id="lb-111111111111111111111"
aliyun slb StartLoadBalancerListener \
  --LoadBalancerId "$clb_id" \
  --ListenerPort 443
HTTPSリスナーの停止
# Stop the HTTPS listener (port 443 stops accepting connections; the listener
# configuration itself is kept).
clb_id="lb-111111111111111111111"
aliyun slb StopLoadBalancerListener \
  --LoadBalancerId "$clb_id" \
  --ListenerPort 443
HTTPSリスナー削除
# Delete the HTTPS listener entirely (cleanup before terraform destroy, which
# only knows about the HTTP listener it created).
clb_id="lb-111111111111111111111"
aliyun slb DeleteLoadBalancerListener \
  --LoadBalancerId "$clb_id" \
  --ListenerPort 443
-- 4. 動作確認
hostsファイルの設定（証明書のドメイン名を CLB のパブリック IP に向ける。DNS を切り替えずに検証するための一時的な設定なので、確認後は元に戻す）
証明書の変換
# Convert the PEM (Base64 text) certificate to DER (binary .crt) so it can be
# imported into the test client's certificate store.
openssl x509 -in cert2.pem -outform DER -out cert2.crt
証明書のインポート（cert2.crt をテスト用クライアントの証明書ストアに取り込む。Let's Encrypt の証明書は公開 CA から発行されているため本来はインポートしなくても信頼されるはずで、ブラウザが警告を出す場合は中間証明書を含めずに（cert2.pem のみで）アップロードしたことが原因である可能性が高い。リーフ証明書を「信頼されたルート」に入れて警告を消すのは避ける）