Following this discussion and resolution I see that the recommended approach for e2e encryption is to use an Envoy sidecar that terminates SSL and acts as a reverse proxy.
Does copilot support e2e encryption without a sidecar?
Something like:
```yaml
name: web
type: Load Balanced Web Service

http:
  path: "/"
  healthcheck: "/"

image:
  build:
    dockerfile: app/Dockerfile
  port: 443
```
Where my app would bind directly to port 443 and handle SSL termination itself? Or is it a requirement to use the Envoy approach? The docs are somewhat ambiguous on this.
> image.[port](https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#image-port) Integer
>
> The port exposed in your Dockerfile. Copilot should parse this value for you from your EXPOSE instruction.
>
> If the port is set to 443, then the protocol is set to HTTPS so that the load balancer establishes TLS connections with the Fargate tasks using certificates that you install on the container.
Seems to indicate that just setting the port to 443 will do the trick, but the examples all use the sidecar approach and this PR seems to only switch to HTTPS if the target_container's port is 443, and the target_container stanza seems specific to sidecars.
I think by default target_container is set to the main container, and if you set the target_port to 443 for your main container which is running on 443.
With the above manifest spec, you should be able to have HTTPS from the ALB to the main container as well, without using a sidecar container. Let me know if that does not work for you!
You are right, the manifest was set up correctly. It turned out that our health check command was using `curl` and not passing the `--insecure` flag to allow it to work with our self-signed cert.
That said, it took quite a while to figure that out since the healthchecks don't appear in the ECS logs. Are those accessible somewhere and I am just unaware of where?
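An added example, not from the thread or from the Copilot project: the manifest from the question with a container health check that keeps certificate verification on by trusting the self-signed certificate through `--cacert`, shown beside the `--insecure` variant the thread describes. The certificate path `/etc/ssl/app/cert.pem` and the timing values are hypothetical placeholders, and the certificate is assumed to list `localhost` in its subject alternative names.

```yaml
name: web
type: Load Balanced Web Service

http:
  path: "/"
  healthcheck: "/"        # path the ALB target group probes

image:
  build:
    dockerfile: app/Dockerfile
  port: 443               # per the quoted docs, 443 makes the ALB speak HTTPS to the task
  healthcheck:
    # Variant from the thread: passes with a self-signed cert by skipping verification.
    # command: ["CMD-SHELL", "curl -f --insecure https://localhost:443/ || exit 1"]
    #
    # Variant that still verifies: trust only the certificate baked into the image
    # (hypothetical path). Fails if the served cert changes or does not cover "localhost".
    command: ["CMD-SHELL", "curl -f --cacert /etc/ssl/app/cert.pem https://localhost:443/ || exit 1"]
    interval: 10s         # illustrative timing values
    retries: 2
    timeout: 5s
    start_period: 10s
```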