uotn's questions

我正在使用 ssh 将本地端口转发到堡垒服务器（10.20.30.40），连接到远程 RDS 数据库。

ssh -i ~/.ssh/id_rsa -f -N -L 5432:db1.cluster-1.region.rds.amazonaws.com:5432 10.20.30.40 -v
...
Authenticated to 10.20.30.40 ([10.20.30.40]:22).
debug1: Local connections to LOCALHOST:5432 forwarded to remote address db1.cluster-1.region.amazonaws.com:5432
debug1: Local forwarding listening on ::1 port 5432.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 5432.
debug1: channel 1: new [port listener]
debug1: Requesting [email protected]
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0

将使用本地端口上的 5432。如果创建一个新的转发

ssh -i ~/.ssh/id_rsa -f -N -L 5433:db1.cluster-1.region.rds.amazonaws.com:5432 10.20.30.40 -v

将使用 5433 端口。

如果在新终端中启动 5432，它将失败，因为它已经在使用中。

Authenticated to 10.20.30.40 ([10.20.30.40]:22).
debug1: Local connections to LOCALHOST:5432 forwarded to remote address db1.cluster-1.region.rds.amazonaws.com:5432
debug1: Local forwarding listening on ::1 port 5432.
bind [::1]:5432: Address already in use
debug1: Local forwarding listening on 127.0.0.1 port 5432.
bind [127.0.0.1]:5432: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 5432
Could not request local forwarding.
debug1: Requesting [email protected]
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0

如何释放这些端口连接？

我在 VPC 中构建了这条流量路由。

Route53->ACM(SSL)->Public ALB->EC2(Nginx proxy)->Private ALB->ECS(Internal App)

EC2 的安全组允许 tcp 80 和 443。ECS 的安全组允许来自 EC2 的安全组的 80。

当我访问注册在 Route53 中的域时，出现504 DNS look up failed错误。访问公共 ALB 的 DNS 名称时503 Service Temporarily Unavailable出错。

我确定 ACM 正在设置并且公共 LB 的 DNS 名称正在使用域注册到 Route53。

公共子网上的 ALB 设置由 Terraform 执行

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.this.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener_rule" "http_redirect" {
  listener_arn = aws_lb_listener.proxy.arn
  priority     = 1

  action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }

  condition {
    path_pattern {
      values = ["/*"]
    }
  }
}

resource "aws_lb_listener_rule" "http_forward" {
  listener_arn = aws_lb_listener.http.arn
  priority     = 2

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.proxy.arn
  }

  condition {
    host_header {
      values = ["proxy.portsite.com"]
    }
  }
}

resource "aws_lb_listener_rule" "https_forward" {
  listener_arn = aws_lb_listener.https.arn

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.proxy.arn
  }

  condition {
    host_header {
      values = ["proxy.portsite.com"]
    }
  }
}

两者都是路由的必要条件吗http_redirect？http_forward还是只有http_redirect好的？而且，问题是由它引起的吗？

我想在 ALB 后面公开一个 EC2 服务，流程看起来像

User -> Route53(Domain) -> ALB -> EC2

EC2 应该存在哪个子网？私人的还是公众的？在这种情况下，是否需要 EIP？