如何使用 AWS ALB ECS .netcore API 设置 https?
How do I get https set up with AWS ALB ECS .netcore API?
我有以下设置:
- AWS 弹性容器注册表
- 弹性容器服务
- 应用程序负载均衡器
- 集群
- 服务
- 任务
我的 API 目前返回 503 Service Temporarily Unavailable。我确定这意味着我的目标组中没有任何实例。
当我将由集群、服务、任务创建的实例添加到目标组时,它会保持注册几分钟,然后在我没有做任何操作的情况下开始进入 draining(排空)状态。更早的时候它一直保留在目标组中,但被判定为不健康,那时我得到的是 502 Bad Gateway。在我看来,它需要健康才能留在目标组中?我是否遗漏了什么?
服务
任务 Json 定义
{
"ipcMode": null,
"executionRoleArn": null,
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/api-task-definition",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 443,
"protocol": "tcp",
"containerPort": 443
},
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "DB",
"value": "Test"
}
],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "502589988723.dkr.ecr.us-east-1.amazonaws.com/api:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "api"
}
],
"placementConstraints": [],
"memory": "512",
"taskRoleArn": null,
"compatibilities": [
"EXTERNAL",
"EC2"
],
"taskDefinitionArn": "arn:aws:ecs:us-east-1:502589988723:task-definition/api-task-definition:6",
"family": "api-task-definition",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
}
],
"pidMode": null,
"requiresCompatibilities": [
"EC2"
],
"networkMode": null,
"runtimePlatform": null,
"cpu": "512",
"revision": 6,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
负载平衡器设置
目标组
我的Docker文件
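# Runtime stage: ASP.NET Core runtime only, no SDK or source.
FROM mcr.microsoft.com/dotnet/aspnet:5.0.0-buster-slim AS base
WORKDIR /app
# EXPOSE is documentation only; which ports Kestrel actually binds is decided by
# the app's own configuration, which this file does not set.
EXPOSE 80
EXPOSE 443

# Build stage.
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /src
# Copy the project file to the same relative path the build step uses, so the
# restore below is reused by build/publish. Restoring /src/API.csproj while
# building /src/API/API.csproj (as before) forces a second implicit restore.
COPY ["API/API.csproj", "API/"]
RUN dotnet restore "API/API.csproj"
COPY . .
RUN dotnet build "API/API.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "API/API.csproj" -c Release -o /app/publish

# Final image: only the published output is copied in; SDK and sources stay
# in the build stages. The process runs as the base image's default user and
# listens on whatever ports the app configures (80/443 per EXPOSE above).
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "API.dll"]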
Should the target group use HTTP instead? Is that a setting between the load balancer and the instance instead?
是的。通常是这样完成的:
Client --- (HTTPS) ---> ALB ---- (HTTP) ---> Targets
因此,您应该把所有目标设置为 HTTP,端口使用您的应用程序正常监听的端口(我猜是 80)。
我有以下设置:
- AWS 弹性容器注册表
- 弹性容器服务
- 应用程序负载均衡器
- 集群
- 服务
- 任务
我的 API 目前返回 503 Service Temporarily Unavailable。我确定这意味着我的目标组中没有任何实例。
当我将由集群、服务、任务创建的实例添加到目标组时,它会保持注册几分钟,然后在我没有做任何操作的情况下开始进入 draining(排空)状态。更早的时候它一直保留在目标组中,但被判定为不健康,那时我得到的是 502 Bad Gateway。在我看来,它需要健康才能留在目标组中?我是否遗漏了什么?
服务
{
"ipcMode": null,
"executionRoleArn": null,
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/api-task-definition",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 443,
"protocol": "tcp",
"containerPort": 443
},
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "DB",
"value": "Test"
}
],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "502589988723.dkr.ecr.us-east-1.amazonaws.com/api:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "api"
}
],
"placementConstraints": [],
"memory": "512",
"taskRoleArn": null,
"compatibilities": [
"EXTERNAL",
"EC2"
],
"taskDefinitionArn": "arn:aws:ecs:us-east-1:502589988723:task-definition/api-task-definition:6",
"family": "api-task-definition",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
}
],
"pidMode": null,
"requiresCompatibilities": [
"EC2"
],
"networkMode": null,
"runtimePlatform": null,
"cpu": "512",
"revision": 6,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
负载平衡器设置
目标组
我的Docker文件
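# Runtime stage: ASP.NET Core runtime only, no SDK or source.
FROM mcr.microsoft.com/dotnet/aspnet:5.0.0-buster-slim AS base
WORKDIR /app
# EXPOSE is documentation only; which ports Kestrel actually binds is decided by
# the app's own configuration, which this file does not set.
EXPOSE 80
EXPOSE 443

# Build stage.
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /src
# Copy the project file to the same relative path the build step uses, so the
# restore below is reused by build/publish. Restoring /src/API.csproj while
# building /src/API/API.csproj (as before) forces a second implicit restore.
COPY ["API/API.csproj", "API/"]
RUN dotnet restore "API/API.csproj"
COPY . .
RUN dotnet build "API/API.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "API/API.csproj" -c Release -o /app/publish

# Final image: only the published output is copied in; SDK and sources stay
# in the build stages. The process runs as the base image's default user and
# listens on whatever ports the app configures (80/443 per EXPOSE above).
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "API.dll"]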
Should the target group use HTTP instead? Is that a setting between the load balancer and the instance instead?
是的。通常是这样完成的:
Client --- (HTTPS) ---> ALB ---- (HTTP) ---> Targets
因此,您应该把所有目标设置为 HTTP,端口使用您的应用程序正常监听的端口(我猜是 80)。