
HTTPS from ALB to main container, without sidecar?

Open rynonl opened this issue 1 year ago • 3 comments

Following this discussion and resolution I see that the recommended approach for e2e encryption is to use an Envoy sidecar that terminates SSL and acts as a reverse proxy.

Does copilot support e2e encryption without a sidecar?

Something like:

```yaml
name: web
type: Load Balanced Web Service

http:
  path: "/"
  healthcheck: "/"

image:
  build:
    dockerfile: app/Dockerfile
  port: 443
```

Where my app would bind directly to port 443 and handle SSL termination itself? Or is it a requirement to use the Envoy approach? The docs are somewhat ambiguous on this.

> `image.`[`port`](https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#image-port) Integer
> The port exposed in your Dockerfile. Copilot should parse this value for you from your EXPOSE instruction.
> If the port is set to 443, then the protocol is set to HTTPS so that the load balancer establishes TLS connections with the Fargate tasks using certificates that you install on the container.

Seems to indicate that just setting the port to 443 will do the trick, but the examples all use the sidecar approach and this PR seems to only switch to HTTPS if the target_container's port is 443, and the target_container stanza seems specific to sidecars.

rynonl · Jul 27 '24 11:07

Hello @rynonl !

I think by default target_container is set to the main container, and you would set the target_port to 443 for your main container, which is running on 443.

With the above manifest spec, you should be able to have HTTPS from the ALB to the main container as well, without using a sidecar container. Let me know if that does not work for you!

KollaAdithya · Jul 29 '24 16:07

Thanks for responding @KollaAdithya!

You are right, the manifest was set up correctly. It turned out that our health check command was using curl and not passing the --insecure flag to allow it to work with our self-signed cert.

That said, it took quite a while to figure that out, since the health checks don't appear in the ECS logs. Are those accessible somewhere, and I am just unaware of where?

rynonl · Jul 29 '24 20:07
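As an added illustration of the resolution reached in the exchange above (this is not a manifest from the issue thread or from the Copilot project itself): a Load Balanced Web Service whose main container terminates TLS on 443 without a sidecar, with the ECS container health check shown in the weak form from the thread (curl with `--insecure`, which skips certificate validation entirely) beside a form that trusts the self-signed certificate explicitly. The health check path `/healthz`, the certificate location `/etc/app/tls/ca.crt` and the Dockerfile path are assumptions.

```yaml
name: web
type: Load Balanced Web Service

http:
  path: "/"
  # ALB target group health check; the protocol follows the 443 target port
  healthcheck:
    path: "/healthz"          # assumed health endpoint
    success_codes: "200"
  # No sidecar: the main container is the target and listens on 443
  target_port: 443

image:
  build:
    dockerfile: app/Dockerfile
  port: 443
  # ECS container health check. It runs inside the task and its output is not
  # shipped to the container's log stream, which is why a failing command is
  # hard to see from the logs alone.
  #
  # Weak form (what the thread ended up with): disables certificate checking.
  #   command: ["CMD-SHELL", "curl -fsS --insecure https://localhost/healthz || exit 1"]
  #
  # Preferred form: trust the self-signed certificate explicitly (path is an
  # assumption), so the check also fails if the served certificate changes.
  healthcheck:
    command: ["CMD-SHELL", "curl -fsS --cacert /etc/app/tls/ca.crt https://localhost/healthz || exit 1"]
    interval: 10s
    retries: 3
    timeout: 5s
    start_period: 30s
```

For the `--cacert` variant to pass, the self-signed certificate must carry `localhost` (or whatever host name the command uses) in its Subject Alternative Names, since curl still verifies the host name. Two caveats worth keeping in mind: the container health status itself is visible per container in the `healthStatus` field of `aws ecs describe-tasks` rather than in the log stream, and the ALB encrypts the connection to the target but does not validate the certificate the target presents, so the certificate on the container protects confidentiality on the hop, not the identity of the target.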

@KollaAdithya

I have a Backend service with an internal ALB, and I need to use a non-standard TLS port on my container like 8443. That does not seem possible today with Copilot. Am I missing something? Can this be added as a feature?

kamal2311 · Dec 17 '24 01:12