Setting up Poxa in Amazon Elastic Beanstalk with Docker
If you don't need SSL/HTTPS, all you have to do is create two files and upload a zip to AWS Elastic Beanstalk configured for the Docker platform. Pretty straightforward.
Add a config file `poxa.conf` and configure the HTTP port and credentials:
```
# HTTP port
poxa.port = 80
# Pusher app key
poxa.app_key = "your_key"
# Pusher secret
poxa.app_secret = "your_secret"
# Pusher app id
poxa.app_id = "your_app_id"
```
Add a `Dockerrun.aws.json`:
```json
{
  "AWSEBDockerrunVersion": "1",
  "Image": {
    "Name": "edgurgel/poxa",
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "80"
    }
  ],
  "Volumes": [
    {
      "HostDirectory": "/var/app/current/poxa.conf",
      "ContainerDirectory": "/app/releases/0.4.3/poxa.conf"
    }
  ],
  "Logging": "/var/log/nginx"
}
```
You may have to adjust the `ContainerDirectory` depending on the current version of the Docker image; 0.4.3 is the most recent at this time.
Pack these files into a zip and upload it to an Elastic Beanstalk Web Server environment configured for the Docker platform. You can also use the EB CLI to deploy.
To use SSL you can use several different methods.
The best and easiest way to use SSL on Elastic Beanstalk is through an Elastic Load Balancer. You only have to upload the certificate and configure the load balancer to use it. In this approach the SSL is handled by the Load Balancer and your server doesn't have to worry about it.
The only problem is the cost.
The poxa Docker image has built-in support for SSL as stated here, but it is not so simple to use this with Docker on Elastic Beanstalk, mainly because of this limitation:
You can specify multiple container ports, but Elastic Beanstalk uses only the first one to connect your container to the host's reverse proxy and route requests from the public Internet.
More info: (documentation)
A possible workaround to this problem would be to change the nginx settings via ebextensions (not tested).
This method allows you to have a single instance server, which is cheaper than the option with Load Balancer.
In this case, there are two instances of nginx running. One of them is running on the EC2 provided by EB and the other one is running inside the docker image. This approach will configure the nginx on EC2 to be the ssl layer.
You need to create an ebextension to configure the nginx.
Create a file `.ebextensions/ssl.config`, which should look like this:
```yaml
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {Ref : AWSEBSecurityGroup}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
files:
  /etc/nginx/conf.d/ssl.conf:
    content: |
      # HTTPS server
      server {
        listen 443;
        server_name *.your_domain.com.br;
        ssl on;
        # These paths must match the file names written further down in this ebextension
        ssl_certificate /etc/pki/tls/certs/STAR_your_domain_com_br.pem;
        ssl_certificate_key /etc/pki/tls/certs/STAR_your_domain_com_br.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        ssl_prefer_server_ciphers on;
        location / {
          # Hand the decrypted traffic to the EB-managed nginx on port 80, which proxies into the container
          proxy_pass http://localhost:80;
          proxy_redirect off;
          proxy_buffering off; # Optional
          # Needed so Pusher/Poxa WebSocket upgrades survive the extra proxy hop
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
      }
  /etc/pki/tls/certs/STAR_your_domain_com_br.key:
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      ***
      -----END RSA PRIVATE KEY-----
  /etc/pki/tls/certs/STAR_your_domain_com_br.pem:
    content: |
      -----BEGIN CERTIFICATE-----
      ***
      -----END CERTIFICATE-----
```
You have to replace `your_domain` and add your certificates. Yeah, you have to put your certificates into this file, so you can't use this approach in a public repository. Not ideal, of course, but it is the price you pay for not using the expensive Load Balancer.