Can someone please help me deploy my app to ECS Fargate with HTTPS?


I am stuck trying to configure my service target groups, security groups and load balancer to deploy my app with HTTPS.

I already have the cluster, the domain name on Route 53, the certificate on ACM, and I also created a task definition following my docker-compose.yaml file:

```yaml
version: "3.8"
services:
  api:
    build: ./api
    env_file:
      - .env              # API configuration and secrets, kept out of the image

  client:
    build: ./client
    depends_on:
      - api

  nginx:
    restart: always
    build: ./nginx
    ports:
      - "80:80"           # the only port published on the host; nginx proxies to client and api
    depends_on:
      - api
      - client
```

I added the Nginx container to route traffic because I saw a tutorial saying that it would be necessary, but the setup there was a little different from mine.

Later I found some answers to a reddit question saying that the certificate should be placed in the load balancer and not on Nginx, if I understood it right.

So do I even need Nginx at all? Anyway, this is the current default.conf file and the Dockerfile in the Nginx folder:

```nginx
# Service names resolve through Docker's embedded DNS on the compose network
upstream client {
    server client:3000;
}

upstream api {
    server api:5000;
}

server {
    listen 80;            # plain HTTP only; no TLS is terminated here

    location / {
        proxy_pass http://client;
    }

    # WebSocket endpoint of the client's dev server; needs the Upgrade headers passed through
    location /sockjs-node {
        proxy_pass http://client;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # Strip the /api prefix before forwarding: /api/users reaches the api as /users
    location /api {
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
    }
}
```

```dockerfile
FROM nginx
COPY ./default.conf /etc/nginx/conf.d/default.conf
```

It is working on my machine: I run "docker compose up" and I can access the client on localhost:80, the client talks to the api and all.

2 Answers

Hi,

You don't need nginx as a reverse proxy; you can directly use the ELB. Take a look at this article: https://exanubes.com/blog/adding-ssl-certificate-to-fargate-app

The related documentation can be found here: https://docs.aws.amazon.com/AmazonECS/latest/userguide/create-application-load-balancer.html

Effectively you will have a Route53 -> Application Load Balancer 443 + certificate -> Target Group port 3000 for "client" -> ECS

AWS
ab
answered a year ago

It's a very common pattern to terminate your TLS connection at the ALB, but keep in mind that the ALB is not a web server, which is what you need NGINX for. If you need end-to-end HTTPS, there are a couple of different ways to achieve this: https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-network.html

To terminate TLS at the ALB, you'd simply have a listener on port 443 that points to your target group on port 80 (or whatever port you want to map). https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

AWS
answered a year ago
  • I created a security group with one inbound rule: HTTPS 443 from anywhere (IPv4).

    A target group: HTTP, port 3000.

    A load balancer with one listener (HTTPS 443) pointing to the target group I just created, and the ACM certificate.

    Created the task definition (the api exposes port 5000 and the client exposes port 3000).

    Then I launched the service and tried to access it by the DNS name or the domain name, but the requests all time out.

    Can you please point out what I am doing wrong?
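The layout both answers describe (Route 53 alias record -> ALB listener on 443 carrying the ACM certificate -> target group on the container port -> Fargate service) written out as one CloudFormation template, so each piece can be compared with what was created by hand. This is an added example, not code from the question or either answer. It assumes an existing VPC with public subnets, and that the cluster, the task definition (with a container named `client` listening on 3000), the ACM certificate and the hosted zone already exist and are passed in as parameters; the parameter names, the health-check path `/` and the `app.example.com` style domain are assumptions. Two things it wires explicitly that the list of created resources in the comment above does not mention: a separate security group for the tasks that admits the container port only from the ALB's security group (the ALB's own group only governs what reaches the ALB), and a `DependsOn` so the service is created only after the target group is attached to a listener, which ECS requires.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: HTTPS at the ALB in front of a Fargate service (added example, not from the thread)

Parameters:
  VpcId:             { Type: AWS::EC2::VPC::Id }
  PublicSubnetIds:   { Type: List<AWS::EC2::Subnet::Id> }   # internet-facing ALB and tasks live here
  ClusterArn:        { Type: String }                       # existing ECS cluster
  TaskDefinitionArn: { Type: String }                       # existing task definition with a "client" container
  CertificateArn:    { Type: String }                       # existing ACM certificate for DomainName
  HostedZoneId:      { Type: AWS::Route53::HostedZone::Id }
  DomainName:        { Type: String }                       # assumption: e.g. app.example.com
  ContainerPort:     { Type: Number, Default: 3000 }        # the client's port

Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet to ALB, 443 only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  TaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB to tasks on the container port only; nothing else reaches the tasks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
          SourceSecurityGroupId: !Ref AlbSecurityGroup   # source is the ALB's group, not a CIDR

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [ !Ref AlbSecurityGroup ]

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip                  # Fargate tasks (awsvpc) register by IP, not instance
      Protocol: HTTP                  # plain HTTP from the ALB to the task; TLS ends at the ALB
      Port: !Ref ContainerPort
      HealthCheckPath: /              # assumption: the client answers GET / with 2xx/3xx
      HealthCheckIntervalSeconds: 30
      Matcher: { HttpCode: "200-399" }

  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates: [ { CertificateArn: !Ref CertificateArn } ]
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2+ only
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  Service:
    Type: AWS::ECS::Service
    DependsOn: HttpsListener          # ECS rejects a target group not yet attached to a listener
    Properties:
      Cluster: !Ref ClusterArn
      LaunchType: FARGATE
      TaskDefinition: !Ref TaskDefinitionArn
      DesiredCount: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED     # assumption: public subnets without NAT; needed to pull images
          Subnets: !Ref PublicSubnetIds
          SecurityGroups: [ !Ref TaskSecurityGroup ]
      LoadBalancers:
        - ContainerName: client       # must match the container name in the task definition
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref TargetGroup

  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:                    # alias to the ALB; no IP addresses to maintain
        DNSName: !GetAtt LoadBalancer.DNSName
        HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
```

Deploy it with `aws cloudformation deploy --template-file <file> --stack-name <name> --parameter-overrides VpcId=... PublicSubnetIds=... ClusterArn=... TaskDefinitionArn=... CertificateArn=... HostedZoneId=... DomainName=...`. The `/api` location that nginx handled has no counterpart here: an ALB listener rule with a path-pattern condition can forward `/api/*` to a second target group on port 5000, but the ALB does not rewrite paths, so the api would then have to serve its routes under the `/api` prefix. When the ALB's own DNS name answers nothing at all, check in this order: the ALB is internet-facing in public subnets and its group opens 443; the target group shows the task as healthy (an ALB with no healthy targets returns a 503 rather than hanging); the task security group admits the target port from the ALB security group.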
