Docker Community Forums

Share and learn in the Docker community.

How to serve multiple public facing web sites using HTTPS?


(Johnparn) #1

Expected behavior

To be able to serve multiple public facing web sites using HTTPS with ELB. Each site is running as a separate service in a Docker Swarm. Preferably the SSL/TLS would be terminated in ELB and the requests forwarded to the correct service based on the host header.

Actual behavior

At the moment, when setting up Docker for AWS one ELB is created. However the ELB is very rudimentary and can not do layer 7 routing, like checking host header. ELB doesn’t support multiple certs, hence termination of SSL/TLS can not be done for the sites.

Additional Information

One solution is to setup your own LB, like HAProxy or Nginx, as a service in the swarm that will terminate the SSL/TLS and route traffic to the proper docker service. This means more moving parts to attend and the LB must be notified when the number of containers are changing. One thing that you loose is that you can not make use of the AWS certificate management with automatic renewal of certs. Interlock and Nginx-proxy seems to like a possible solution, but it is perhaps more aimed at then build the swarm from scratch, not using Docker for AWS?

Another solution is to setup a separate cloud formation for each site, which means more overhead when it comes to the number of aws services and nodes that have to run.

Thanks!


(Nathan Le Claire) #2

For today, you must set up your own reverse proxy as you mention.

I’m not sure if I understand correctly here, but if you’re using docker service, you shouldn’t need to watch the containers in the cluster and re-write / regenerate LB/reverse proxy config automatically. Routing requests to the service name by containers on the same overlay network (e.g., blog service with 3 replicas) will load balance using IPVS between those container (“task”) instances automatically.

So you don’t need interlock, you could just have something like proxy_pass /blog blog:8080; (that’s “pseudo-config”).