How to add lets encrypt to a multi container running on Elastic Beanstalk
Question
I am try to add https to my domain using lets encrypt on aws eb. I am on a tight budget so I can't afford to use the AWS cert and load balancer. I have combed the web to find the best way to go about this but I seem to find only implementation using single containers hence the use of .ebextensions The only documentation I have found on stack overflow that came close was HTTPS on Elastic Beanstalk (Docker Multi-container)
I also found a documentation on how to use Dockerrun.aws.json on Free HTTPS on AWS Elastic Beanstalk without Load Balancer
but I can not seem to get the config right. I already have an nginx server already. How do I configure jwilder/nginx-proxy, jrcs/letsencrypt-nginx-proxy-companion and nginx
Dockerrun.aws.json
{
"AWSEBDockerrunVersion": 2,
"volumes": [{
"name": "home-ec2-user-certs",
"host": {
"sourcePath": "/home/ec2-user/certs"
}
},
{
"name": "etc-nginx-vhost-d",
"host": {
"sourcePath": "/etc/nginx/vhost.d"
}
},
{
"name": "usr-share-nginx-html",
"host": {
"sourcePath": "/usr/share/nginx/html"
}
},
{
"name": "var-run-docker-sock",
"host": {
"sourcePath": "/var/run/docker.sock"
}
}
],
"containerDefinitions": [{
"name": "client",
"image": "example/site-client",
"hostname": "client",
"essential": false,
"memory": 128,
"environment": [{
"name": "VIRTUAL_HOST",
"value": "www.example.com, example.com"
},
{
"name": "LETSENCRYPT_HOST",
"value": "www.example.com, example.com"
}
]
},
{
"name": "server",
"image": "example/site-server",
"hostname": "api",
"essential": false,
"memory": 128
},
{
"name": "admin",
"image": "example/site-admin",
"hostname": "admin",
"essential": false,
"memory": 128,
"environment": [{
"name": "VIRTUAL_HOST",
"value": "admin.example.com"
},
{
"name": "LETSENCRYPT_HOST",
"value": "admin.example.com"
}
]
},
{
"name": "worker",
"image": "example/site-worker",
"hostname": "worker",
"essential": false,
"memory": 128
},
{
"name": "sales",
"image": "example/site-payment",
"hostname": "sales",
"essential": false,
"memory": 128
},
{
"name": "nginx-proxy",
"image": "jwilder/nginx-proxy",
"essential": true,
"memoryReservation": 128,
"dockerLabels": {
"com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy": "true"
},
"portMappings": [{
"containerPort": 80,
"hostPort": 80
},
{
"containerPort": 443,
"hostPort": 443
}
],
"mountPoints": [{
"sourceVolume": "home-ec2-user-certs",
"containerPath": "/etc/nginx/certs",
"readOnly": true
},
{
"sourceVolume": "etc-nginx-vhost-d",
"containerPath": "/etc/nginx/vhost.d"
},
{
"sourceVolume": "usr-share-nginx-html",
"containerPath": "/usr/share/nginx/html"
},
{
"sourceVolume": "var-run-docker-sock",
"containerPath": "/tmp/docker.sock",
"readOnly": true
}
]
},
{
"name": "letsencrypt-nginx-proxy-companion",
"image": "jrcs/letsencrypt-nginx-proxy-companion",
"essential": true,
"memoryReservation": 128,
"volumesFrom": [{
"sourceContainer": "nginx-proxy"
}],
"mountPoints": [{
"sourceVolume": "home-ec2-user-certs",
"containerPath": "/etc/nginx/certs"
},
{
"sourceVolume": "var-run-docker-sock",
"containerPath": "/var/run/docker.sock",
"readOnly": true
}
]
},
{
"name": "nginx",
"image": "example/site-nginx",
"hostname": "nginx",
"essential": true,
"portMappings": [{
"hostPort": 80,
"containerPort": 80
}],
"links": ["client", "server", "admin", "sales"],
"memory": 128
}
]
}
And my nginx file
upstream client {
server client:3000;
}
upstream admin {
server admin:8000;
}
upstream sales {
server sales:8626;
}
upstream api {
server api:5000;
}
{
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_ur;
}
server {
# listen 80;
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem.;
ssl_certificate_key /etc/letsencrypt/live/example.com/fullchain.pem.;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
proxy_pass http://client;
}
location /sales {
rewrite /sales/(.*) /$1 break;
proxy_pass http://sales;
}
location /api {
rewrite /api/(.*) /$1 break;
proxy_pass http://api;
}
}
server {
listen 80;
server_name admin.example.com;
location / {
proxy_pass http://admin;
}
}
1 answers
solution1
2 ACCPTED 2020-08-20 12:37:39
One could "Dockerize" the nginx server and run a few configuration scripts when setting up. So something like this:
FROM nginx:1.16-alpine
RUN apk add --no-cache certbot
RUN mkdir /var/lib/certbot
COPY scripts/setup.sh /setup.sh
RUN chmod +x /setup.sh
COPY config/nginx.conf /etc/nginx/nginx.conf
ENTRYPOINT [ "../setup.sh" ]
The script:
#!/bin/sh
certbot certonly -n -d DOMAINS \
--standalone --preferred-challenges http --email EMAIL --agree-tos --expand
/usr/sbin/nginx -g "daemon off;"
And then just add the ssl certificate and the key to your nginx configuration as you normally would.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.