
HTTPS from ALB to main container, without sidecar? #5888

Open
rynonl opened this issue Jul 27, 2024 · 2 comments

Comments

rynonl commented Jul 27, 2024

Following this discussion and resolution I see that the recommended approach for e2e encryption is to use an Envoy sidecar that terminates SSL and acts as a reverse proxy.

Does copilot support e2e encryption without a sidecar?

Something like:

name: web
type: Load Balanced Web Service

http:
  path: "/"
  healthcheck: "/"

image:
  build:
    dockerfile: app/Dockerfile
  port: 443

Where my app would bind directly to port 443 and handle SSL termination itself? Or is it a requirement to use the Envoy approach? The docs are somewhat ambiguous on this.

[image.port](https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#image-port) (Integer)
The port exposed in your Dockerfile. Copilot should parse this value for you from your EXPOSE instruction.
If the port is set to 443, then the protocol is set to HTTPS so that the load balancer establishes TLS connections with the Fargate tasks using certificates that you install on the container.

Seems to indicate that just setting the port to 443 will do the trick, but the examples all use the sidecar approach and this PR seems to only switch to HTTPS if the target_container's port is 443, and the target_container stanza seems specific to sidecars.

@KollaAdithya (Contributor) commented

Hello @rynonl !

I think by default target_container is set to the main container, and you can set target_port to 443 for your main container, which is running on 443.

With the above manifest spec, you should be able to have HTTPS from the ALB to the main container as well, without using a sidecar container. Let me know if that does not work for you!

rynonl commented Jul 29, 2024

Thanks for responding @KollaAdithya!

You are right, the manifest was set up correctly. It turned out that our health check command was using curl and not passing the --insecure flag to allow it to work with our self-signed cert.

That said, it took quite a while to figure that out since the healthchecks don't appear in the ECS logs. Are those accessible somewhere and I am just unaware of where?
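Putting the maintainer's answer and the reporter's follow-up together, here is an added example manifest that is not part of this issue or of the Copilot project's own documentation. It shows the main container terminating TLS on port 443 with target_container and target_port spelled out (the maintainer notes the main container is already the default), and a container-level health check that verifies the self-signed certificate against a CA bundle baked into the image instead of passing --insecure, so the check cannot silently pass against a wrong or tampered certificate. The key layout follows the Copilot Load Balanced Web Service manifest reference as I know it; the CA path /etc/ssl/app/ca.pem, the health endpoint "/" and the timing values are assumptions.

```yaml
# Added example (not from the issue or the Copilot project): a Load Balanced
# Web Service whose main container handles TLS itself, with no sidecar.
name: web
type: Load Balanced Web Service

http:
  path: "/"
  # ALB target-group health check. Because the target port is 443, Copilot
  # configures the target group for HTTPS and the ALB speaks TLS to the task.
  healthcheck:
    path: "/"
    success_codes: "200"
  target_container: web   # the default; shown explicitly for clarity
  target_port: 443

image:
  build:
    dockerfile: app/Dockerfile
  port: 443
  # ECS container health check, run inside the task by the ECS agent.
  # Verify the server certificate against the CA that signed the
  # self-signed cert (path is an assumption) rather than using --insecure.
  healthcheck:
    command: ["CMD-SHELL", "curl -fsS --cacert /etc/ssl/app/ca.pem https://localhost:443/ || exit 1"]
    interval: 30s
    timeout: 5s
    retries: 3
    start_period: 30s
```

For the --cacert check to succeed, the certificate installed in the container must list the name the check connects to (here localhost) in its Subject Alternative Name; otherwise curl rejects it even though the CA matches. Note also that the container health check's command output is not written to the task's log stream; ECS only records the resulting healthStatus on the task, which is why a failing curl shows up as an unhealthy task rather than as a log line.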
