AWS Elastic Beanstalk, Dockerrun.aws.json and multiple ports on docker run


Problem description

I wish to run a docker in an EC2 instance with the AWS API, and I have a Dockerrun.aws.json (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker_image.html) like this:

{
  "AWSEBDockerrunVersion": "1",
  "Authentication": {
    "Bucket": "<BUCKET>",
    "Key": ".dockercfg"
  },
  "Image": {
    "Name": "<NAME>:<TAG>",
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "80"
    },
    {
      "ContainerPort": "443"
    }
  ]
}

As you can see, I have multiple ports to expose, but Elastic Beanstalk exposes only the first of them.

I found this sentence in the documentation: You can specify multiple container ports, but AWS Elastic Beanstalk uses only the first one to connect your container to the host's reverse proxy and route requests from the public Internet.

My question is, why?

I have an authentication which uses the OAuth2 protocol, and I must use the HTTPS protocol for obvious security reasons. With this restriction, I can only choose HTTP or HTTPS, because I can only expose port 80 or 443.

I tried to tinker with ebextensions to make nginx redirections with ports at the level of EC2 instances, but I've failed. What can I do?

This Stack Overflow user has the same problem: Exposing multiple ports from Docker within Elastic Beanstalk (http://stackoverflow.com/questions/25829296/exposing-multiple-ports-from-docker-within-elastic-beanstalk)

Regards

Recommended answer

I contacted the Amazon Support Center, and I chose to show you the answer.

Hello K...

With Dockerrun.aws.json, Elastic Beanstalk hook scripts will only read the first port from the JSON file.

This is because in /opt/elasticbeanstalk/hooks/appdeploy/pre/04run.sh:

if [ `echo $EB_CONFIG_DOCKER_PORT | wc -w` -gt 1 ]; then
    EB_CONFIG_DOCKER_PORT=`echo $EB_CONFIG_DOCKER_PORT | awk '{print $1}'`
    warn "Only one EXPOSE directive is allowed, using the first one: $EB_CONFIG_DOCKER_PORT"
fi

The hook scripts will have to specify a random port for the reverse proxy to forward to, which then forwards to your Docker container's port. Currently only one port mapping can be setup.

With regards to the nginx configuration, the quickest way to achieve a port 443 listening to your environment is to create a separate server section in /etc/nginx/conf.d/ e.g. custom-ssl.conf, which handles the HTTPS handshake with the client. This means that you will have to place your SSL certificates onto the instance so that nginx can perform the SSL handshake. I will get back to you later with a sample HTTPS configuration in nginx.

Otherwise, if your environment is a load balanced one, you can simply setup an HTTPS listener on the ELB, and let the ELB handle the SSL termination.

Meanwhile, if you have other questions, please do not hesitate to ask!

Best regards,

Sydney Support Centre

*

Hello again K...

As I have mentioned in my previous correspondence, please find attached a sample .ebextensions config file which will setup an https server on nginx, on a single instance Docker environment. You did not let me know which environment you were enquiring about, so the attached .ebextensions will only work on single instance environments.

This .ebextensions config file performs the following:

      
  • Adds the https server config file for nginx as /etc/nginx/sites-enabled/https.conf, which reverse proxies the incoming https session to the Docker container as http.

  • Adds an SSL key/cert combined file into /etc/pki/tls/certs/my_ssl.crt, required by the HTTPS server above.

  • Adds an extra ingress rule to the Beanstalk environment's EC2 security group to allow incoming TCP:443 connections to the instance

Please feel free to modify the .ebextensions config file to suit your use case, and place this inside the .ebextensions/ directory at the root level of your application to be deployed in Elastic Beanstalk. If the directory is not there, then please create it.

For more information on .ebextensions config files, please see:

  • http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html

If you are on a load balanced environment, then you will need to upload your SSL certificate to IAM via the AWS CLI, and configure your Beanstalk environment's ELB to enable its HTTPS listener. The instructions will be different to the ones above:

  • http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

Please let me know how you go with the .ebextensions config file, and let me know if you require further assistance!

Best regards,

Sydney Support Centre

And he gave me an example in an attachment: 01-nginx-ssl.config

files:
  "/etc/nginx/sites-enabled/https.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen  443 ssl;
        ssl_certificate_key /etc/pki/tls/certs/my_ssl.crt;
        ssl_certificate /etc/pki/tls/certs/my_ssl.crt;
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location / {
          proxy_pass          http://docker;
          proxy_http_version  1.1;

          proxy_set_header    Connection          $connection_upgrade;
          proxy_set_header    Upgrade             $http_upgrade;
          proxy_set_header    Host                $host;
          proxy_set_header    X-Real-IP           $remote_addr;
          proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        }
      } 

  "/etc/pki/tls/certs/my_ssl.crt":
    mode: "000400"
    owner: root
    group: root
    content: |
      <Your key/cert pair goes here>


Resources:
  AllowSSL: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
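
A tightened variant of the files section of the attachment above, added here as an example and not part of the support reply: it drops SSLv3, TLSv1 and TLSv1.1 (deprecated by RFC 7568 and RFC 8996) and keeps the private key in its own root-only file. The key path /etc/pki/tls/private/my_ssl.key, the X-Forwarded-Proto header and the placeholder texts are assumptions that do not appear in the original.

```yaml
# Added example, not the support attachment: same layout, TLS settings tightened.
files:
  "/etc/nginx/sites-enabled/https.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen  443 ssl;
        ssl_certificate      /etc/pki/tls/certs/my_ssl.crt;
        # Assumed path: private key kept apart from the certificate.
        ssl_certificate_key  /etc/pki/tls/private/my_ssl.key;
        # SSLv3, TLSv1 and TLSv1.1 removed; append TLSv1.3 if the
        # instance's nginx/OpenSSL build supports it.
        ssl_protocols        TLSv1.2;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
          proxy_pass          http://docker;
          proxy_http_version  1.1;

          proxy_set_header    Connection          $connection_upgrade;
          proxy_set_header    Upgrade             $http_upgrade;
          proxy_set_header    Host                $host;
          proxy_set_header    X-Real-IP           $remote_addr;
          proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
          # Assumption: the app reads this header to build https OAuth2 redirect URIs.
          proxy_set_header    X-Forwarded-Proto   https;
        }
      }

  # The certificate chain is public, so it can stay world-readable.
  "/etc/pki/tls/certs/my_ssl.crt":
    mode: "000644"
    owner: root
    group: root
    content: |
      <Your certificate chain goes here>

  # Only root (the nginx master process) needs to read the private key.
  "/etc/pki/tls/private/my_ssl.key":
    mode: "000400"
    owner: root
    group: root
    content: |
      <Your private key goes here>
```

The Resources block from the attachment (the TCP:443 ingress rule) is unchanged and still belongs in the same file.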
