HTTPS on Elastic Beanstalk (Docker Multi-container)

I've been looking around and haven't found much content with regards to a best practice when it comes to setting up HTTPS/SSL on Amazon Elastic Beanstalk with a Multi-container Docker environment.

There is a bunch of stuff when it comes to single container configuration, but nothing when it comes to multi-container.

My Dockerrun.aws.json looks like this:

{
    "AWSEBDockerrunVersion": 2,
    "volumes": [
        {
            "name": "app-frontend",
            "host": {
                "sourcePath": "/var/app/current/app-frontend"
            }
        },
        {
            "name": "app-backend",
            "host": {
                "sourcePath": "/var/app/current/app-backend"
            }
        }
    ],
    "containerDefinitions": [
        {
            "name": "app-backend",
            "image": "xxxxx/app-backend",
            "memory": 512,
            "mountPoints": [
                {
                    "containerPath": "/app/app-backend",
                    "sourceVolume": "app-backend"
                }
            ],
            "portMappings": [
                {
                    "containerPort": 4000,
                    "hostPort": 4000
                }
            ],
            "environment": [
                {
                    "name": "PORT",
                    "value": "4000"
                },
                {
                    "name": "MIX_ENV",
                    "value": "dev"
                },
                {
                    "name": "PG_PASSWORD",
                    "value": "xxxx"
                },
                {
                    "name": "PG_USERNAME",
                    "value": "xx"
                },
                {
                    "name": "PG_HOST",
                    "value": "xxxxx"
                }
            ]
        },
        {
            "name": "app-frontend",
            "image": "xxxxxxx/app-frontend",
            "memory": 512,
            "links": [
                "app-backend"
            ],
            "command": [
                "npm",
                "run",
                "production"
            ],
            "mountPoints": [
                {
                    "containerPath": "/app/app-frontend",
                    "sourceVolume": "app-frontend"
                }
            ],
            "portMappings": [
                {
                    "containerPort": 3000,
                    "hostPort": 80
                }
            ],
            "environment": [
                {
                    "name": "REDIS_HOST",
                    "value": "xxxxxx"
                }
            ]
        }
    ],
    "family": ""
}

My thinking thus far is I would need to bring an nginx container into the mix in order to proxy the two services and handle things like mapping different domain names to different services.

Would I go the usual route of just setting up nginx and configuring the SSL as normal, or is there a better way, like I've seen for the single containers using the .ebextensions method (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-docker.html)?

This is more of an idea (I haven't actually done this and am not sure if it would work). But the components appear to be all available to create an ALB that could direct traffic to one process or another based on path rules.

Here is what I am thinking that could be done via .ebextensions config files based on the options available from http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html :

  1. Use aws:elasticbeanstalk:environment:process:default to make sure the default application port and health check is set the way you intend (let's say port 80 is your default in this case).
  2. Use aws:elasticbeanstalk:environment:process:process_name to create a backend process that goes to your second service (port 4000 in this case).
  3. Create a rule for your backend with aws:elbv2:listenerrule:backend which would use something like /backend/* as the path.
  4. Create the SSL listener with aws:elbv2:listener:443 (example at http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-applicationloadbalancer.html ) that uses this new backend rule.

I am not sure if additional rules need to be created for the default listener of aws:elbv2:listener:default . It seems like the default might just match /* so in this case anything sent to /backend/* would go to port 4000 container and anything else goes to the port 3000 container.
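The four steps above written out as one .ebextensions file. This is an added example, not part of the original answer and not tested by its author; the file name, the backend health check path, the certificate ARN placeholder and the chosen SSLPolicy are assumptions, and the ports come from the question's Dockerrun.aws.json (frontend on host port 80, backend on host port 4000).

```yaml
# .ebextensions/alb-https.config  (file name is an assumption)
option_settings:
  # An Application Load Balancer is required for path rules.
  # The load balancer type can only be chosen when the environment is created.
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application

  # Step 1: default process -> frontend container (host port 80)
  aws:elasticbeanstalk:environment:process:default:
    Port: '80'
    Protocol: HTTP
    HealthCheckPath: /

  # Step 2: second process -> backend container (host port 4000)
  aws:elasticbeanstalk:environment:process:backend:
    Port: '4000'
    Protocol: HTTP
    HealthCheckPath: /backend/health   # hypothetical path, use one the backend answers with 200

  # Step 3: path rule that selects the backend process
  aws:elbv2:listenerrule:backend:
    PathPatterns: /backend/*
    Priority: 1
    Process: backend

  # Step 4: HTTPS listener; TLS terminates at the load balancer with an ACM certificate
  aws:elbv2:listener:443:
    ListenerEnabled: 'true'
    Protocol: HTTPS
    SSLCertificateArns: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID  # placeholder
    SSLPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # assumed choice; rejects TLS 1.0/1.1
    DefaultProcess: default
    Rules: backend

  # Turn the plaintext port 80 listener off so nothing is served without TLS
  aws:elbv2:listener:default:
    ListenerEnabled: 'false'
```

The load balancer forwards the request path unchanged, so the backend has to serve its routes under /backend/. Traffic between the load balancer and the containers is plain HTTP in this layout, so the instance security group should accept ports 80 and 4000 only from the load balancer.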

You will definitely need an nginx container, for the simple fact that a multicontainer ELB setup does not provide one by default. The reason that you see a single container setup on ELB with these .ebextension configs, is that for this type of setup the ELB does provide nginx.

The benefit of having your own nginx container is that you won't need a frontend container (assuming you are serving static files). You can write your nginx config so that you serve static files straight.

Here is my Dockerrun file:

{
  "AWSEBDockerrunVersion": 2,
  "volumes": [
      {
          "name": "dist",
          "host": {
              "sourcePath": "/var/app/current/frontend/dist"
          }
      },
      {
        "name": "nginx-proxy-conf",
        "host": {
            "sourcePath": "/var/app/current/compose/production/nginx/nginx.conf"
        }
      }
  ],
  "containerDefinitions": [
    {
      "name": "backend",
      "image": "abc/xyz",
      "essential": true,
      "memory": 256
    },
    {
      "name": "nginx-proxy",
      "image": "nginx:latest",
      "essential": true,
      "memory": 128,
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80
        }
      ],
      "depends_on": ["backend"],
      "links": [
        "backend"
      ],
      "mountPoints": [
        {
          "sourceVolume": "dist",
          "containerPath": "/var/www/app/frontend/dist",
          "readOnly": true
        },
        {
          "sourceVolume": "awseb-logs-nginx-proxy",
          "containerPath": "/var/log/nginx"
        },
        {
          "sourceVolume": "nginx-proxy-conf",
          "containerPath": "/etc/nginx/nginx.conf",
          "readOnly": true
        }
      ]
    }
  ]
}

I also highly recommend using AWS services for setting up your SSL: Route 53 and Certificate Manager. They play nice together and, if I understand correctly, it allows you to apply SSL at the load balancing level.
