This repository was archived by the owner on Nov 27, 2023. It is now read-only.

Configuring Target Group to Forward 443 to 80 #693

Closed
ajlozier opened this issue Aug 31, 2020 · 5 comments

@ajlozier

My initial docker-compose.yml file contained an entry for an nginx task, e.g.

  webserver:
    x-aws-pull_credentials: "xxxxx"
    image: nginx
    ports:
      - "80:80"
      - "443:443"

This causes an additional target group to be created checking the health on port 443. Since I have not configured nginx to accept connections on port 443, nor an installed cert, the health checks of course fail.

What I instead want to do is configure the load balancer to forward connections to port 443 to port 80, which I believe is best practice.

Is there a way to specify this in the docker-compose.yml file, or is this currently a manual change I would need to make either directly or using the cloudformation template?

@ndeloof (Collaborator) commented Sep 2, 2020

An initial implementation did support port forwarding as 443:80, but as this only applied to external access to services, not service-to-service, this was highly confusing. So we decided not to support port translation, and the container port is exposed as-is on the LoadBalancer.

If your service only exposes port 80, why does your compose file declare port 443?

About HTTPS termination managed by AWS LoadBalancer and forwarded to services as HTTP:80 this is indeed a relevant use-case. Maybe we should introduce a custom extension for this purpose, which would look like:

  webserver:
    image: nginx
    x-aws-pull_credentials: "xxxxx"
    ports:
      - target: 80
        published: 80
        x-aws-ssl-certificate: ./myserver.crt

@ajlozier (Author) commented Sep 2, 2020

Thanks for responding! What would you think about giving, as another option besides the .crt file, the option of providing an AWS SSLCertificateId as is done in ELB configurations? I don't know if this is feasible. This is my first foray into ECS. I must say this tool has dramatically decreased the learning curve for me, so thank you for that!

@millarm commented Sep 4, 2020

I'd very much like to be able to terminate SSL at the load balancer and then forward over http to the ECS cluster.

Even better would be to allow the SSL certificate to be specified as a URN for an AWS SSL cert, e.g.

webserver:
  image: nginx
  ports:
    - target: 80
      published: 443
      x-aws-ssl-certificate: arn:aws:acm:us-east-1:NNNNNNNNN:certificate/XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

As an example -> so connections to the load balancer on port 443 are terminated there and forwarded to port 80 on the container?

@ndeloof ndeloof transferred this issue from docker-archive/ecs-plugin Sep 28, 2020
@ndeloof ndeloof added the ecs label Sep 28, 2020
@flaviostutz (Contributor)

I like the x-aws-ssl-certificate option for defining certificates at the TLS endpoint.

Regarding the internal forwarding, @ajlozier, do you think #777 would help you with this issue?

@ndeloof (Collaborator) commented Jan 13, 2021

Ability to tweak the CloudFormation template to patch Listener configuration and associate a certificate has been released, see https://deploy-preview-12080--docsdocker.netlify.app//cloud/ecs-integration/#setting-ssl-termination-by-load-balancer
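The thread resolves on two points: the opening post's `80:80` plus `443:443` mapping makes the integration generate a second target group whose health check hits a port the container never serves, and the released fix is an overlay on the generated CloudFormation template that turns the port-80 listener into an HTTPS listener with an ACM certificate. The script below is an added illustration, not code from compose-cli or the docs: it builds a constructed stand-in for the generated resources, merges in an overlay shaped like the compose file's `x-aws-cloudformation:` key, and audits both templates the way a reviewer would before deploying. The logical resource IDs (`WebserverTCP80Listener` and friends), the certificate ARN and the recursive merge semantics are assumptions of this example, not the tool's exact behaviour.

```python
"""Added illustration, not compose-cli's own code: merge an overlay shaped like
the compose file's `x-aws-cloudformation:` key into a generated CloudFormation
fragment, then audit the listeners and target groups it would deploy."""
import copy

LISTENER = "AWS::ElasticLoadBalancingV2::Listener"
TARGET_GROUP = "AWS::ElasticLoadBalancingV2::TargetGroup"


def target_group(port):
    # Constructed stand-in for what the integration generates per published port.
    return {"Type": TARGET_GROUP,
            "Properties": {"Port": port, "Protocol": "HTTP", "HealthCheckPort": str(port)}}


def listener(port, tg_id):
    # Plaintext listener forwarding to one target group, as generated from `ports:`.
    return {"Type": LISTENER,
            "Properties": {"Port": port, "Protocol": "HTTP",
                           "DefaultActions": [{"Type": "forward",
                                               "TargetGroupArn": {"Ref": tg_id}}]}}


# Roughly what the opening post's `ports: ["80:80", "443:443"]` turns into.
# Logical IDs are assumptions, not the tool's exact naming scheme.
ORIGINAL = {"Resources": {
    "WebserverTCP80TargetGroup": target_group(80),
    "WebserverTCP80Listener": listener(80, "WebserverTCP80TargetGroup"),
    "WebserverTCP443TargetGroup": target_group(443),
    "WebserverTCP443Listener": listener(443, "WebserverTCP443TargetGroup"),
}}

# The fix: publish only port 80, then overlay TLS termination onto its listener.
GENERATED_80_ONLY = {"Resources": {
    "WebserverTCP80TargetGroup": target_group(80),
    "WebserverTCP80Listener": listener(80, "WebserverTCP80TargetGroup"),
}}

# Python mirror of the YAML one would write under `x-aws-cloudformation:`.
OVERLAY = {"Resources": {"WebserverTCP80Listener": {"Properties": {
    "Port": 443,
    "Protocol": "HTTPS",
    # Placeholder ARN; a real deployment references an ACM certificate in the same region.
    "Certificates": [{"CertificateArn":
                      "arn:aws:acm:us-east-1:000000000000:certificate/PLACEHOLDER"}],
    "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
}}}}


def deep_merge(base, overlay):
    """Return a copy of base with overlay merged in: dicts merge recursively,
    everything else (scalars, lists) is replaced. Assumed overlay semantics."""
    merged = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def audit(template, container_ports):
    """Findings a reviewer wants before deploying: target groups whose health
    check hits a port the container does not serve (the failure in the opening
    post), listeners still speaking plaintext, and HTTPS listeners lacking a
    certificate or an explicit TLS policy."""
    res = template["Resources"]
    findings = []
    for name, r in res.items():
        p = r["Properties"]
        if r["Type"] == TARGET_GROUP and int(p["HealthCheckPort"]) not in container_ports:
            findings.append(f"{name}: health check on port {p['HealthCheckPort']} "
                            "which the container does not listen on")
        elif r["Type"] == LISTENER:
            if p["Protocol"] != "HTTPS":
                findings.append(f"{name}: plaintext {p['Protocol']} listener on port {p['Port']}")
                continue
            if not p.get("Certificates"):
                findings.append(f"{name}: HTTPS listener without a certificate")
            if not p.get("SslPolicy"):
                findings.append(f"{name}: no explicit SslPolicy, ALB default applies")
            for action in p["DefaultActions"]:
                tg = res[action["TargetGroupArn"]["Ref"]]["Properties"]
                if tg["Port"] not in container_ports:
                    findings.append(f"{name}: forwards to port {tg['Port']} "
                                    "which the container does not serve")
    return findings


def fixed_template():
    """The 80-only template with the HTTPS overlay applied."""
    return deep_merge(GENERATED_80_ONLY, OVERLAY)


if __name__ == "__main__":
    print("original:", audit(ORIGINAL, {80}))   # three findings, incl. the 443 health check
    print("fixed:   ", audit(fixed_template(), {80}))   # []
```

Running it reports three findings for the original layout (the unserved 443 health check plus two plaintext listeners) and none for the overlaid template, whose HTTPS listener on 443 forwards to the port-80 target group. The `SslPolicy` line is worth keeping in a real overlay: the certificate alone does not pin the TLS versions the listener will negotiate.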
