-
Notifications
You must be signed in to change notification settings - Fork 413
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable HTTPS connection between ALB and ECS Task ENI #2981
Comments
Hi folks! I just built a tiny prototype to get an understanding of how we could support this in Copilot and the changes are pretty tiny from our end! I just wanted to validate a few things:
I know the issue mentions creating a sidecar that generates a self-signed cert, but wouldn't that require importing the self-signed certificate to ACM and attaching it to the load balancer by the sidecar? that seems to go against IaC best practices. |
Hi @efekarakus Thanks for your effort, but we're no longer using Copilot, so I can't really provide any more feedback for this. We were running Apache in the sidecar to terminate TLS. WRT self-signed certificates, yes generating them in the container probably isn't the best idea. |
…4021) When the target container's port is set to 443 for Load Balanced Web Services or Backend Services with internal ALB then we set the TargetGroup's protocols to HTTPS allowing for e2e encryption even within the VPC. Resolves #1582, resolves #2981 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
This feature is now released in v1.22 🚀 ! For the blog post: https://aws.github.io/copilot-cli/blogs/release-v122/ |
We're deploying a Load-balanced web service. It consists of a Rails app container with an Apache Modproxy based reverse proxy container running as a sidecar.
In our current deployment, Apache is configured to server HTTPS traffic. To deploy with Copilot, we currently need to disable this and serve HTTP traffic instead. This is likely to raise questions from our auditors about whether we truly still have end-to-end encryption. It also means that we can't easily use the same image in an environment where there isn't something else to terminate the SSL connection.
Ideally, we could indicate in our
manifest.yml
that a service is listening on port 443 and it would be assumed to be expecting HTTPS. Alternatively, an explicit flag would be fine.As I understand it, we can use any self-signed certificate because the ALB won't verify it. We would use Copilot's existing secrets feature to supply the certificate and key to our Apache sidecar. Alternatively, we could generate a certificate in the container on startup.
We do not need HTTP in addition to HTTPS. It would be sufficient for the ALB to redirect HTTP -> HTTPS.
To make this feature easy for anyone to incorporate into their project, you could provide a Docker image that acts as a reverse proxy that generates its own certificate. It might be documented as follows:
Copilot terminates your HTTPS connection at the ALB. The connection from the ALB to your container is HTTP (unencrypted). This is adequate security for most purposes. If you have audit requirements that require end-to-end encryption, you may achieve this by adding an HTTPS enabled reverse-proxy sidecar. Update your manifest to include:
The text was updated successfully, but these errors were encountered: