AWS Elastic Beanstalk, Dockerrun.aws.json and multiple ports on docker run
I want to run Docker on an EC2 instance through the AWS API, and I have a Dockerrun.aws.json like this:
{
  "AWSEBDockerrunVersion": "1",
  "Authentication": {
    "Bucket": "<BUCKET>",
    "Key": ".dockercfg"
  },
  "Image": {
    "Name": "<NAME>:<TAG>",
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "80"
    },
    {
      "ContainerPort": "443"
    }
  ]
}
As you can see, I have several ports to expose, but Elastic Beanstalk only exposes the first of them.
I found this sentence in the documentation: you can specify multiple container ports, but AWS Elastic Beanstalk uses only the first one to connect your container to the host's reverse proxy and route requests from the public Internet.
My question is: why?
I have authentication based on the OAuth2 protocol, and for obvious security reasons I have to use HTTPS.
With this restriction I can only pick HTTP or HTTPS, because I can only expose port 80 or port 443.
I tried to modify .ebextensions so that nginx redirects between the ports at the EC2 instance level, but I failed.
What should I do?
This Whosebug user ran into the same problem:
Exposing multiple ports from Docker within Elastic Beanstalk
Thanks in advance.
I contacted the Amazon support centre, and I have chosen to show you their answer.
Hello K...,
With Dockerrun.aws.json, Elastic Beanstalk hook scripts will only read
the first port from the JSON file.
This is because in /opt/elasticbeanstalk/hooks/appdeploy/pre/04run.sh:
if [ `echo $EB_CONFIG_DOCKER_PORT | wc -w` -gt 1 ]; then
    EB_CONFIG_DOCKER_PORT=`echo $EB_CONFIG_DOCKER_PORT | awk '{print $1}'`
    warn "Only one EXPOSE directive is allowed, using the first one: $EB_CONFIG_DOCKER_PORT"
fi
The hook scripts will have to specify a random port for the reverse
proxy to forward to, which then forwards to your Docker container's
port. Currently only one port mapping can be setup.
With regards to the nginx configuration, the quickest way to achieve a
port 443 listening to your environment is to create a separate server
section in /etc/nginx/conf.d/ e.g. custom-ssl.conf, which handles the
HTTPS handshake with the client. This means that you will have to
place your SSL certificates onto the instance so that nginx can
perform the SSL handshake. I will get back to you later with a sample
HTTPS configuration in nginx.
Otherwise, if your environment is a load balanced one, you can simply
setup an HTTPS listener on the ELB, and let the ELB handle the SSL
termination.
Meanwhile, if you have other questions, please do not hesitate to ask!
Best regards,
Sydney Support Centre
*
Hello again K...,
As I have mentioned in my previous correspondence, please find
attached a sample .ebextensions config file which will setup an https
server on nginx, on a single instance Docker environment. You did not
let me know which environment you were enquiring about, so the
attached .ebextensions will only work on single instance environments.
This .ebextensions config file performs the following:
Adds the https server config file for nginx as /etc/nginx/sites-enabled/https.conf, which reverse proxies the
incoming https session to the Docker container as http.
Adds an SSL key/cert combined file into /etc/pki/tls/certs/my_ssl.crt, required by the HTTPS server above.
Adds an extra ingress rule to the Beanstalk environment's EC2 security group to allow incoming TCP:443 connections to the instance
Please feel free to modify the .ebextensions config file to suit your
use case, and place this inside the .ebextensions/ directory at the
root level of your application to be deployed in Elastic Beanstalk. If
the directory is not there, then please create it.
For more information on .ebextensions config files, please see:
If you are on a load balanced environment, then you will need to
upload your SSL certificate to IAM via the AWS CLI, and configure your
Beanstalk environment's ELB to enable its HTTPS listener. The
instructions will be different to the ones above:
Please let me know how you go with the .ebextensions config file, and
let me know if you require further assistance!
Best regards,
Sydney Support Centre
And in the attachment they gave me an example, 01-nginx-ssl.config:
files:
  "/etc/nginx/sites-enabled/https.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 443 ssl;
        ssl_certificate_key /etc/pki/tls/certs/my_ssl.crt;
        ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;
          proxy_set_header Connection $connection_upgrade;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
  "/etc/pki/tls/certs/my_ssl.crt":
    mode: "000400"
    owner: root
    group: root
    content: |
      <Your key/cert pair goes here>
Resources:
  AllowSSL:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
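Added here as an example, not code from the original post or from AWS support: a small POSIX shell lint that a reviewer would run over the https.conf above before shipping it in .ebextensions. It flags the three things in the support sample a security engineer would reject (SSLv3 and TLS 1.0/1.1 in ssl_protocols, the private key bundled into the certificate file under the certs directory, and the missing X-Forwarded-Proto header that an OAuth2 app behind the proxy needs in order to build https:// redirect URIs), and checks a hardened server block beside it. Both configs inside the script are constructed for this example; the hardened block, the key path /etc/pki/tls/private/my_ssl.key and the HSTS header are my assumptions, not AWS guidance, and the `docker` upstream name is kept from the sample on the assumption that the Beanstalk-generated nginx config defines it.

```shell
#!/bin/sh
# Added example: not part of the original post and not AWS support's code.
# A pre-deploy lint for the nginx server block that the .ebextensions file
# writes to /etc/nginx/sites-enabled/https.conf, run here against two
# constructed configs: "weak" mirrors the support sample, "hardened" is an
# assumed modern equivalent. The `docker` upstream is assumed to be defined
# by Elastic Beanstalk's generated nginx config. Needs only POSIX sh, sed, grep.

# check_tls_conf FILE: print one line per finding, return the number of
# findings (0 means the file passed every check).
check_tls_conf() {
    f="$1"
    n=0

    # 1. Obsolete protocol versions. SSLv3 is broken (POODLE) and TLS 1.0/1.1
    #    are deprecated by RFC 8996; only TLSv1.2 and TLSv1.3 should remain.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p' "$f")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "$f: obsolete protocol '$p' in ssl_protocols"
                n=$((n + 1)) ;;
        esac
    done

    # 2. Private key bundled into the certificate file under the certs
    #    directory. The key belongs in its own file with a tighter mode.
    cert=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\(.*\);.*/\1/p' "$f")
    key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\(.*\);.*/\1/p' "$f")
    if [ -n "$key" ] && [ "$cert" = "$key" ]; then
        echo "$f: ssl_certificate and ssl_certificate_key are the same file ($key)"
        n=$((n + 1))
    fi

    # 3. The container only ever sees plain HTTP from nginx. Without
    #    X-Forwarded-Proto an OAuth2 client builds its redirect_uri as http://,
    #    so the provider rejects it or the authorization code travels in clear.
    if ! grep -q 'proxy_set_header[[:space:]]\{1,\}X-Forwarded-Proto' "$f"; then
        echo "$f: no 'proxy_set_header X-Forwarded-Proto' for the backend"
        n=$((n + 1))
    fi

    return "$n"
}

# write_samples: create the two constructed configs in a temp dir and set
# WEAK_CONF and HARD_CONF to their paths.
write_samples() {
    SAMPLE_DIR=$(mktemp -d)
    WEAK_CONF="$SAMPLE_DIR/weak-https.conf"
    HARD_CONF="$SAMPLE_DIR/hardened-https.conf"

    # Same settings as the support sample (constructed copy).
    cat >"$WEAK_CONF" <<'EOF'
server {
  listen 443 ssl;
  ssl_certificate_key /etc/pki/tls/certs/my_ssl.crt;
  ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;
  location / {
    proxy_pass http://docker;
    proxy_http_version 1.1;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
EOF

    # Hardened version (assumed): modern protocols only, key in a separate
    # file, HSTS for clients, X-Forwarded-Proto so the app knows it is behind TLS.
    cat >"$HARD_CONF" <<'EOF'
server {
  listen 443 ssl;
  ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
  ssl_certificate_key /etc/pki/tls/private/my_ssl.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security "max-age=31536000" always;
  location / {
    proxy_pass http://docker;
    proxy_http_version 1.1;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}
EOF
}

# Stand-alone run: lint both samples and report the finding count.
write_samples
check_tls_conf "$HARD_CONF" && echo "$HARD_CONF: clean"
check_tls_conf "$WEAK_CONF" || echo "$WEAK_CONF: $? finding(s)"
```

The weak copy produces five findings (three obsolete protocols, the shared key/cert file, the missing header) and the hardened copy none. Because check_tls_conf returns the finding count as its exit status, the same function can gate a deploy: point it at /etc/nginx/sites-enabled/https.conf from a container_commands step in .ebextensions and the deployment fails before nginx ever reloads with a weak config.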