Supporting https traffic with Docker for AWS?

Hi Guys,

Thanks for all the work on Docker for AWS, awesome.

Just wondering how I might configure Docker for AWS to terminate https traffic in an ELB listener created via a ‘service create’ command and allow http to pass through to our app service containers running in the swarm?

I’ve tried a few things including:

  • adding a new HTTPS 443 to HTTP 80 listener manually on the ELB created by Docker for AWS; it was promptly removed, though, I presume by CloudFormation/Docker. While it existed, both port 80 and 443 wouldn’t accept any requests and hung.

  • publishing port 443 (external) to port 3000 (container, i.e. our app port); this created an ELB mapping 443 to 443 but with a TCP/TCP layer. I tried changing it to HTTPS/HTTP and it kind of worked: curling it gave me the certificate details in an HTTP trace, but loading the actual page contents timed out.

  • publishing port 80 to port 3000 and changing the port 80 listener from TCP to HTTPS, with similar results to the above. The first request went through (not all assets on the page loaded), and subsequent requests timed out.

Any recommendations for how I should be handling https traffic with the ELBs in Docker for AWS?

Cheers,

Marcus

Hi Marcus… I tried the same thing and got the same results, except that I was able to get to HTTPS after I manually added a mapping in the ELB from 443 to 80 and selected a cert. This seems like a very common scenario. I know that I want to do it… to terminate SSL at the load balancer for my hosted APIs and forward a decrypted request to a container.
Trying to do docker service create --name myproxy -p 443:80 nginx just created a 443 tcp to 443 tcp mapping.
Seems like we need to do something to support
docker service create --name myproxy -p 443:80 --ssl-cert arn:aws:acm:*.* nginx
where the presence of the ssl-cert flag would trigger the different type of mapping in the LB.

I would be ok with having to add this mapping manually to the ELB but there then has to be a way for it not to get removed when another service is created.

2 Likes

Has there been any update on this? This is something I have been trying to accomplish as well, but I haven’t figured out a way to do it yet.

Hi, I have an issue that is somewhat related to this topic.
I need an HTTP/HTTPS listener on the ELB instead of the TCP listeners that are created by docker-for-aws, in order to have the X-Forwarded-For header available when processing requests in the upstream.
So is it already possible to accomplish this somehow, manually or automatically?

Thanks

1 Like

Alternatively, it would be nice to have some option to enable proxy protocol for the ELB listeners created by docker-for-aws.

I don’t have much of an answer for you, but I do have the same requirement.

You can launch with an IAM TLS certificate like this:

--label com.docker.aws.lb.arn="arn:aws:iam::nnnnnnnnnn:server-certificate/nnnnnnn"

And this creates the SSL 443 listener.

I then use the AWS Console to change this to an HTTPS listener, for the exact reason of X-Forwarded-For.

For me, it does not seem to reset the ELB, as in our swarm we have only one single service with published ports, and this never changes.

It would be nice if these aws.lb labels could be used to provide additional ELB settings: SSL offloading, ports, etc.

Check out https://docs.docker.com/docker-for-aws/load-balancer/ for a way to do this.
The trick is to specify the certificate ARN as follows:

com.docker.aws.lb.arn="arn:...@HTTPS:443,8080"

This will configure an HTTPS-type ELB listener on port 443 and a TCP SSL listener on port 8080. HTTPS is forwarded to HTTP; there is currently no way to change this, but at least the X-Forwarded-For headers will be appended to the request.
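The following is an added example, not code from this thread or from Docker for AWS. It ties together the two points the thread circles around: the com.docker.aws.lb.arn label value that decides which ELB listeners get created (the bare ARN form from the earlier reply and the "arn@HTTPS:443,8080" form from the last one), and what an application behind the resulting HTTPS listener should do with the X-Forwarded-For header the ELB appends. The label grammar is generalized from those two examples and is an assumption about the format, not Docker's published specification; the function names, the Listener class, the certificate ARN and the request headers are all made up for the example.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Added example, not code from the forum thread or from Docker for AWS.
# Label grammar (assumption, inferred from the thread): "<arn>" alone gives an
# SSL listener on 443; "<arn>@<entries>" where entries are comma separated
# "<PROTO>:<port>" or bare "<port>"; a bare port is an SSL listener, as the
# thread reports for 8080.

LABEL = "com.docker.aws.lb.arn"

# ELB listener protocol -> protocol the ELB speaks to the swarm nodes, as the
# thread describes it (HTTPS is forwarded as HTTP, SSL as plain TCP).
INSTANCE_PROTOCOL = {"HTTPS": "HTTP", "SSL": "TCP"}


@dataclass(frozen=True)
class Listener:
    port: int
    protocol: str           # what the ELB speaks to the internet
    instance_protocol: str  # what the ELB speaks to the swarm nodes


def parse_lb_label(value):
    """Split a com.docker.aws.lb.arn label value into (certificate ARN, listeners)."""
    arn, sep, spec = value.partition("@")
    if not arn.startswith("arn:"):
        raise ValueError(f"not a certificate ARN: {arn!r}")
    if not sep:
        # Bare ARN: the thread reports this yields a single SSL listener on 443.
        return arn, [Listener(443, "SSL", "TCP")]
    listeners = []
    for entry in spec.split(","):
        proto, colon, port_text = entry.strip().rpartition(":")
        proto = proto.upper() if colon else "SSL"  # unprefixed port => SSL
        if proto not in INSTANCE_PROTOCOL:
            raise ValueError(f"unsupported listener protocol: {proto!r}")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port: {port_text!r}")
        listeners.append(Listener(int(port_text), proto, INSTANCE_PROTOCOL[proto]))
    return arn, listeners


def service_create_argv(name, image, label_value, container_port):
    """Build the docker service create command for a service behind the ELB.

    Every listener port named in the label is also published, because it is
    the published port that makes Docker for AWS create an ELB listener at
    all (the thread's "-p 443:3000" step); the label only changes its type.
    """
    _, listeners = parse_lb_label(label_value)
    argv = ["docker", "service", "create", "--name", name]
    for listener in listeners:
        argv += ["--publish", f"{listener.port}:{container_port}"]
    argv += ["--label", f"{LABEL}={label_value}", image]
    return argv


def client_ip_from_xff(headers, trusted_hops=1):
    """Client address as the ELB saw it, or None if it cannot be determined.

    With an HTTP/HTTPS listener the ELB appends the address it accepted the
    connection from to X-Forwarded-For, so with one trusted proxy the client
    is the LAST element; anything before it was sent by the client and can be
    arbitrary, so it is never used. A TCP/SSL listener (the default in the
    thread) adds no header at all, which is reported as None, not guessed.
    """
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if xff is None:
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    try:
        return str(ipaddress.ip_address(hops[-trusted_hops]))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed certificate ARN; the account and certificate IDs are fake.
    cert = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    print(shlex.join(service_create_argv("webapp", "example/app:1.0", cert + "@HTTPS:443,8080", 3000)))
    # Constructed request headers: the first XFF element came from the client,
    # the ELB appended the real peer address (203.0.113.9) after it.
    print(client_ip_from_xff({"X-Forwarded-For": "10.0.0.1, 203.0.113.9"}))
    print(client_ip_from_xff({"Host": "example.com"}))  # TCP listener: no header
```

The trusted_hops parameter exists because the "last element" rule only holds for the proxy chain you actually run: if a CDN sits in front of the ELB, the ELB appends the CDN's address and the client is one element further left, so the count must match the deployment rather than being guessed from the header.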