AWS Elastic Beanstalk, Dockerrun.aws.json and multiple ports on docker run


Problem description


I wish to run a docker in an EC2 instance with the AWS API, and I have a Dockerrun.aws.json like this:

{
  "AWSEBDockerrunVersion": "1",
  "Authentication": {
    "Bucket": "<BUCKET>",
    "Key": ".dockercfg"
  },
  "Image": {
    "Name": "<NAME>:<TAG>",
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "80"
    },
    {
      "ContainerPort": "443"
    }
  ]
}

As you can see, I have multiple ports to expose, but Elastic Beanstalk exposes only the first of them.

I found this sentence in the documentation: "You can specify multiple container ports, but AWS Elastic Beanstalk uses only the first one to connect your container to the host's reverse proxy and route requests from the public Internet."

My question is why ?

I have an authentication which uses the OAuth2 protocol, and I must use the HTTPS protocol for obvious security reasons. With this restriction, I can only choose HTTP or HTTPS, because I can only expose port 80 or 443.

I tried to tinker with ebextensions to make nginx redirections with ports at the level of the EC2 instances, but I've failed. How can I do it?

This Stack Overflow user has the same problem: Exposing multiple ports from Docker within Elastic Beanstalk

Thanking you in advance

Solution

I contacted the Amazon Support Center, and I chose to show you the answer.

Hello K...,

With Dockerrun.aws.json, Elastic Beanstalk hook scripts will only read the first port from the JSON file.

This is because in /opt/elasticbeanstalk/hooks/appdeploy/pre/04run.sh:

if [ `echo $EB_CONFIG_DOCKER_PORT | wc -w` -gt 1 ]; then
    EB_CONFIG_DOCKER_PORT=`echo $EB_CONFIG_DOCKER_PORT | awk '{print $1}'`
    warn "Only one EXPOSE directive is allowed, using the first one: $EB_CONFIG_DOCKER_PORT"
fi

The hook scripts will have to specify a random port for the reverse proxy to forward to, which then forwards to your Docker container's port. Currently only one port mapping can be set up.

With regards to the nginx configuration, the quickest way to achieve a port 443 listening to your environment is to create a separate server section in /etc/nginx/conf.d/ e.g. custom-ssl.conf, which handles the HTTPS handshake with the client. This means that you will have to place your SSL certificates onto the instance so that nginx can perform the SSL handshake. I will get back to you later with a sample HTTPS configuration in nginx.

Otherwise, if your environment is a load balanced one, you can simply set up an HTTPS listener on the ELB, and let the ELB handle the SSL termination.

Meanwhile, if you have other questions, please do not hesitate to ask!

Best regards,

Sydney Support Centre

*

Hello again K...,

As I have mentioned in my previous correspondence, please find attached a sample .ebextensions config file which will set up an https server on nginx, on a single instance Docker environment. You did not let me know which environment you were enquiring about, so the attached .ebextensions will only work on single instance environments.

This .ebextensions config file performs the following:

  • Adds the https server config file for nginx as /etc/nginx/sites-enabled/https.conf, which reverse proxies the incoming https session to the Docker container as http.

  • Adds an SSL key/cert combined file into /etc/pki/tls/certs/my_ssl.crt, required by the HTTPS server above.

  • Adds an extra ingress rule to the Beanstalk environment's EC2 security group to allow incoming TCP:443 connections to the instance

Please feel free to modify the .ebextensions config file to suit your use case, and place this inside the .ebextensions/ directory at the root level of your application to be deployed in Elastic Beanstalk. If the directory is not there, then please create it.

For more information on .ebextensions config files, please see:

If you are on a load balanced environment, then you will need to upload your SSL certificate to IAM via the AWS CLI, and configure your Beanstalk environment's ELB to enable its HTTPS listener. The instructions will be different to the ones above:

Please let me know how you go with the .ebextensions config file, and let me know if you require further assistance!

Best regards,

Sydney Support Centre

And he gave me an example as an attachment: 01-nginx-ssl.config

files:
  "/etc/nginx/sites-enabled/https.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen  443 ssl;
        ssl_certificate_key /etc/pki/tls/certs/my_ssl.crt;
        ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location / {
          proxy_pass          http://docker;
          proxy_http_version  1.1;

          proxy_set_header    Connection          $connection_upgrade;
          proxy_set_header    Upgrade             $http_upgrade;
          proxy_set_header    Host                $host;
          proxy_set_header    X-Real-IP           $remote_addr;
          proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        }
      } 

  "/etc/pki/tls/certs/my_ssl.crt":
    mode: "000400"
    owner: root
    group: root
    content: |
      <Your key/cert pair goes here>


Resources:
  AllowSSL: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
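Two checks worth running before deploying this setup, as an added example that is neither the question's, the support answer's nor AWS code: it reproduces the first-port-only rule of the 04run.sh hook quoted in the first reply, and flags the legacy protocol versions (SSLv3, TLSv1, TLSv1.1) that the attached https.conf enables. The Dockerrun.aws.json and nginx snippets inside it are constructed from the page's own values.

```python
"""Pre-deploy checks for the Elastic Beanstalk Docker setup on this page.
Added example, not code from the question, the support answer or AWS."""
import json
import re

# Constructed sample modelled on the question's Dockerrun.aws.json.
DOCKERRUN = """{
  "AWSEBDockerrunVersion": "1",
  "Image": {"Name": "<NAME>:<TAG>", "Update": "true"},
  "Ports": [{"ContainerPort": "80"}, {"ContainerPort": "443"}]
}"""

# Constructed sample: the ssl_* lines of the support centre's https.conf.
NGINX_CONF = """server {
  listen 443 ssl;
  ssl_certificate_key /etc/pki/tls/certs/my_ssl.crt;
  ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
  ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;
}"""

# Protocol versions that should not be offered on a public HTTPS endpoint.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def effective_port(dockerrun_text):
    """Return (port EB proxies to, ports it silently ignores): the same rule
    as 04run.sh, where only the first ContainerPort reaches the host nginx."""
    doc = json.loads(dockerrun_text)
    ports = [str(p["ContainerPort"]) for p in doc.get("Ports", [])]
    if not ports:
        raise ValueError("Dockerrun.aws.json declares no Ports")
    return ports[0], ports[1:]


def legacy_tls_protocols(nginx_text):
    """Return the legacy versions listed in ssl_protocols, in file order."""
    m = re.search(r"\bssl_protocols\s+([^;]+);", nginx_text)
    if not m:
        return []  # directive absent: the nginx build default applies
    return [p for p in m.group(1).split() if p in LEGACY_PROTOCOLS]


if __name__ == "__main__":
    used, ignored = effective_port(DOCKERRUN)
    print(f"EB proxies container port {used}; not routed: {ignored}")
    print("legacy TLS versions enabled:", legacy_tls_protocols(NGINX_CONF))
```

On the page's config the second check reports SSLv3, TLSv1 and TLSv1.1; restricting ssl_protocols to TLSv1.2 and later in your own copy of https.conf removes them.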
