
AWS Elastic Beanstalk, Dockerrun.aws.json and multiple ports on docker run [duplicate]

I wish to run Docker in an EC2 instance with the AWS API, and I have a Dockerrun.aws.json like this:

{
  "AWSEBDockerrunVersion": "1",
  "Authentication": {
    "Bucket": "<BUCKET>",
    "Key": ".dockercfg"
  },
  "Image": {
    "Name": "<NAME>:<TAG>",
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "80"
    },
    {
      "ContainerPort": "443"
    }
  ]
}

As you can see, I have multiple ports to expose, but Elastic Beanstalk exposes only the first of them.

I found this sentence in the documentation: "You can specify multiple container ports, but AWS Elastic Beanstalk uses only the first one to connect your container to the host's reverse proxy and route requests from the public Internet."

My question is: why?

I have authentication which uses the OAuth2 protocol, and I must use the HTTPS protocol for obvious security reasons. With this restriction, I can only choose HTTP or HTTPS, because I can only expose port 80 or 443.

I tried to tinker with ebextensions to make nginx redirections with ports at the level of EC2 instances, but I've failed. How can I do this?

This Stack Overflow user has the same problem: Exposing multiple ports from Docker within Elastic Beanstalk

Thanking you in advance

Kmaschta asked Jan 08 '15 20:01




1 Answer

I contacted the Amazon Support Center, and I chose to show you the answer.

Hello K...,

With Dockerrun.aws.json, Elastic Beanstalk hook scripts will only read the first port from the JSON file.

This is because in /opt/elasticbeanstalk/hooks/appdeploy/pre/04run.sh:

if [ `echo $EB_CONFIG_DOCKER_PORT | wc -w` -gt 1 ]; then
    EB_CONFIG_DOCKER_PORT=`echo $EB_CONFIG_DOCKER_PORT | awk '{print $1}'`
    warn "Only one EXPOSE directive is allowed, using the first one: $EB_CONFIG_DOCKER_PORT"
fi

The hook scripts will have to specify a random port for the reverse proxy to forward to, which then forwards to your Docker container's port. Currently only one port mapping can be set up.

With regards to the nginx configuration, the quickest way to achieve a port 443 listening to your environment is to create a separate server section in /etc/nginx/conf.d/ e.g. custom-ssl.conf, which handles the HTTPS handshake with the client. This means that you will have to place your SSL certificates onto the instance so that nginx can perform the SSL handshake. I will get back to you later with a sample HTTPS configuration in nginx.

Otherwise, if your environment is a load balanced one, you can simply set up an HTTPS listener on the ELB, and let the ELB handle the SSL termination.

Meanwhile, if you have other questions, please do not hesitate to ask!

Best regards,

Sydney Support Centre

*

Hello again K...,

As I have mentioned in my previous correspondence, please find attached a sample .ebextensions config file which will set up an https server on nginx, on a single instance Docker environment. You did not let me know which environment you were enquiring about, so the attached .ebextensions will only work on single instance environments.

This .ebextensions config file performs the following:

  • Adds the https server config file for nginx as /etc/nginx/sites-enabled/https.conf, which reverse proxies the incoming https session to the Docker container as http.

  • Adds an SSL key/cert combined file into /etc/pki/tls/certs/my_ssl.crt, required by the HTTPS server above.

  • Adds an extra ingress rule to the Beanstalk environment's EC2 security group to allow incoming TCP:443 connections to the instance

Please feel free to modify the .ebextensions config file to suit your use case, and place this inside the .ebextensions/ directory at the root level of your application to be deployed in Elastic Beanstalk. If the directory is not there, then please create it.

For more information on .ebextensions config files, please see:

  • http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html

If you are on a load balanced environment, then you will need to upload your SSL certificate to IAM via the AWS CLI, and configure your Beanstalk environment's ELB to enable its HTTPS listener. The instructions will be different to the ones above:

  • http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

Please let me know how you go with the .ebextensions config file, and let me know if you require further assistance!

Best regards,

Sydney Support Centre

And he gave me an example as an attachment, 01-nginx-ssl.config:

files:
  "/etc/nginx/sites-enabled/https.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen  443 ssl;
        ssl_certificate_key /etc/pki/tls/certs/my_ssl.crt;
        ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
        # TLS 1.2 only: SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568, RFC 8996)
        ssl_protocols       TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location / {
          proxy_pass          http://docker;
          proxy_http_version  1.1;

          proxy_set_header    Connection          $connection_upgrade;
          proxy_set_header    Upgrade             $http_upgrade;
          proxy_set_header    Host                $host;
          proxy_set_header    X-Real-IP           $remote_addr;
          proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        }
      } 

  "/etc/pki/tls/certs/my_ssl.crt":
    mode: "000400"
    owner: root
    group: root
    content: |
      <Your key/cert pair goes here>


Resources:
  AllowSSL: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
Kmaschta answered Oct 13 '22 06:10
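
A pre-deployment check for an .ebextensions file of the kind attached above, as an added example (not part of the original answer or of any AWS tooling): it flags deprecated versions on `ssl_protocols` and a private-key file that group or other can read. The `audit` function and the sample input are constructed for illustration; the check reads the file as plain text and assumes each `mode:` line appears under its quoted path, as in the attachment.

```python
import re

# Protocol versions that should no longer be offered (RFC 6176, RFC 7568, RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample input modelled on the attachment's layout, with a
# deliberately loose key-file mode so that both checks fire.
SAMPLE = '''\
files:
  "/etc/nginx/sites-enabled/https.conf":
    mode: "000644"
    content: |
      server {
        listen  443 ssl;
        ssl_certificate_key /etc/pki/tls/certs/my_ssl.crt;
        ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      }
  "/etc/pki/tls/certs/my_ssl.crt":
    mode: "000644"
    content: |
      <placeholder>
'''

def audit(text):
    """Return a list of findings for the text of one .ebextensions config file."""
    findings = []
    # 1. Deprecated versions listed on any ssl_protocols directive.
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", text, re.M):
        weak = sorted(DEPRECATED & set(m.group(1).split()))
        if weak:
            findings.append("deprecated protocols offered: " + " ".join(weak))
    # 2. Files referenced by ssl_certificate_key must not be group/other accessible.
    key_paths = set(re.findall(r"^\s*ssl_certificate_key\s+([^\s;]+);", text, re.M))
    current = None  # path of the files: entry currently being read
    for line in text.splitlines():
        path = re.match(r'\s*"(/[^"]+)":\s*$', line)
        mode = re.match(r'\s*mode:\s*"?([0-7]+)"?\s*$', line)
        if path:
            current = path.group(1)
        elif mode and current in key_paths and int(mode.group(1), 8) & 0o077:
            findings.append(f"{current}: key file mode {mode.group(1)} is too permissive")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
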