Can someone please help me deploy my app to ECS Fargate with HTTPS?

0

I am stuck trying to configure my service target groups, security groups and load balancer to deploy my app with HTTPS.

I already have the cluster, the domain name on Route 53, the certificate on ACM, and I also created a task definition following my docker-compose.yaml file:

version: "3.8"
services:
  api:
    build: ./api
    env_file:
      - .env

  client:
    build: ./client
    depends_on:
      - api

  nginx:
    restart: always
    build: ./nginx
    ports:
      - "80:80"
    depends_on:
      - api
      - client

I added the Nginx container to route traffic because I saw a tutorial saying that it would be necessary, but the setup there was a little different than mine.

Later I found some answers to a reddit question saying that the certificate should be placed in the load balancer and not on Nginx, if I understood it right.

So do I even need Nginx at all? Anyway, this is the current default.conf file and the Dockerfile at the Nginx folder:

upstream client {
    server client:3000;
}

upstream api {
    server api:5000;
}

server {
    listen 80;

    location / {
        proxy_pass http://client;
    }

    location /sockjs-node {
        proxy_pass http://client;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    location /api {
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
    }
}

FROM nginx
COPY ./default.conf /etc/nginx/conf.d/default.conf

It is working on my machine: I run "docker compose up" and I can access the client on localhost:80; the client talks to the api and all.

2 answers
1

Hi,

You don't need nginx as a reverse proxy; you can use the ELB directly. Take a look at this article: https://exanubes.com/blog/adding-ssl-certificate-to-fargate-app
The related documentation can be found here: https://docs.aws.amazon.com/AmazonECS/latest/userguide/create-application-load-balancer.html

Effectively you will have a Route53 -> Application Load Balancer 443 + certificate -> Target Group port 3000 for "client" -> ECS

AWS
ab
answered a year ago
0

It's a very common pattern to terminate your TLS connection at the ALB, but keep in mind that the ALB is not a web server, which is what you need NGINX for. If you need end-to-end HTTPS, there are a couple of different ways to achieve this: https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-network.html

To terminate TLS at the ALB, you'd simply have a listener on port 443 that points to your target group on port 80 (or whatever port you want to map). https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

AWS
answered a year ago
  • I created a security group with one inbound rule: HTTPS 443 from anywhere (IPv4).

    A target group: HTTP 3000.

    A load balancer with one listener (HTTPS 443) pointing to the target group I just created, and the ACM certificate.

    Created the task definition (the api exposes port 5000 and the client exposes port 3000).

    Then I launched the service and tried to access it by the DNS name or by the domain name, but the requests all time out.

    Can you please point out what I am doing wrong?
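Both answers describe the same chain (Route 53 -> ALB listener on 443 with the ACM certificate -> target group on the container port -> Fargate task), and the follow-up comment lists the pieces that were created by hand. The script below is an added example, not code from the question, the answers or AWS: it models those pieces as plain dataclasses and checks the properties that have to hold for a request to reach the container, including the one the comment does not mention, namely that the task's security group must allow the container port from the ALB's security group (a task security group with no such inbound rule makes the ALB's connection attempts hang, which the client sees as a timeout). Every security group id, ARN and port below is a constructed placeholder; in a real account the same dicts would be filled from the `describe-*` output of the AWS CLI or boto3.

```python
"""Offline consistency check for the ALB -> target group -> Fargate task path.

Added example (not from the thread). All identifiers are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Inbound rule: (protocol, from_port, to_port, source); source is a CIDR or a
# security group id. "-1" is the EC2 convention for "all protocols".
Rule = Tuple[str, int, int, str]


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass
class TargetGroup:
    arn: str
    port: int            # port the ALB connects to on each registered target
    protocol: str        # HTTP or HTTPS between the ALB and the task
    target_type: str     # Fargate tasks are registered by IP, not instance id


@dataclass
class Listener:
    port: int
    protocol: str
    certificate_arn: Optional[str]
    target_group_arn: str


@dataclass
class Service:
    container_port: int
    task_sg: SecurityGroup
    target_group_arn: str


def sg_allows(sg: SecurityGroup, port: int, source: str) -> bool:
    """True if the group has an inbound rule that covers `port` from `source`."""
    return any(
        proto in ("tcp", "-1") and lo <= port <= hi and src == source
        for proto, lo, hi, src in sg.inbound
    )


def check_chain(listener: Listener, tg: TargetGroup,
                alb_sg: SecurityGroup, svc: Service) -> List[str]:
    """Return findings; an empty list means the path is consistent."""
    findings = []
    if listener.protocol != "HTTPS" or listener.port != 443:
        findings.append("listener is not HTTPS on 443")
    elif not listener.certificate_arn:
        findings.append("HTTPS listener has no certificate attached")
    if listener.target_group_arn != tg.arn:
        findings.append("listener does not forward to the expected target group")
    if svc.target_group_arn != tg.arn:
        findings.append("service is not registered with the target group")
    if tg.target_type != "ip":
        findings.append("Fargate tasks need a target group with target_type 'ip'")
    if tg.port != svc.container_port:
        findings.append(f"target group port {tg.port} != container port {svc.container_port}")
    # Internet -> ALB: the ALB's own group must accept 443 from clients.
    if not sg_allows(alb_sg, 443, "0.0.0.0/0"):
        findings.append("ALB security group does not allow inbound 443")
    # ALB -> task: least privilege is to allow the container port only from
    # the ALB's security group, not from 0.0.0.0/0.
    if not sg_allows(svc.task_sg, svc.container_port, alb_sg.sg_id):
        findings.append(
            f"task security group does not allow port {svc.container_port} "
            f"from the ALB security group {alb_sg.sg_id}")
    return findings


# Constructed sample topology (placeholders, not real AWS resources).
ALB_SG = SecurityGroup("sg-alb-PLACEHOLDER", [("tcp", 443, 443, "0.0.0.0/0")])
TASK_SG_OK = SecurityGroup("sg-task-PLACEHOLDER", [("tcp", 3000, 3000, "sg-alb-PLACEHOLDER")])
TASK_SG_NO_INBOUND = SecurityGroup("sg-task-PLACEHOLDER", [])
TG = TargetGroup("arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/client/PLACEHOLDER",
                 3000, "HTTP", "ip")
LISTENER = Listener(443, "HTTPS",
                    "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER", TG.arn)


def good_deployment() -> List[str]:
    """Client on 3000 registered with the target group; task SG trusts the ALB SG."""
    return check_chain(LISTENER, TG, ALB_SG, Service(3000, TASK_SG_OK, TG.arn))


def missing_task_rule() -> List[str]:
    """Same setup, but the task security group has no inbound rule at all."""
    return check_chain(LISTENER, TG, ALB_SG, Service(3000, TASK_SG_NO_INBOUND, TG.arn))


if __name__ == "__main__":
    for name, fn in (("good deployment", good_deployment),
                     ("missing task SG rule", missing_task_rule)):
        print(f"{name}: {fn() or 'OK'}")
```

The check only covers the network path; if the target group's health check path does not return a success code from the client container, the targets stay unhealthy and the ALB will not forward to them either, so that is the next thing to look at once the security group chain is consistent.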
