
Reverse proxy for AWS ECS. Lets you address your docker containers by sub domain.

ecs-nginx-proxy


ecs-nginx-proxy lets you run an nginx reverse proxy in an AWS ECS cluster.
It uses ecs-gen to automatically make containers accessible by subdomain as they are started.
My use case is using a wildcard domain to make per-branch test environments accessible at branch.domain.com. Heavily inspired by nginx-proxy.

Security notice

Currently I am only using this for a development cluster in a private network. I advise against using this in a production environment. If you want to do this, consider using ecs-gen to create your own nginx config and container setup that is as secure as you need it to be.

Sample use case

You want to spin up development environments on AWS ECS for each pull request on your project. How do you make this easy to use? Do you look up the instance IP and connect directly?
The easiest, at least for me, is to set up a wildcard DNS record and route to each deployed branch based on the subdomain, e.g. *.domain.com, branch.domain.com.
This project enables you to do that.

Usage

Requirements

  • Wildcard domain like *.domain.com
  • ELB/ALB for this domain
  • ECS Cluster

IAM Policy

  • EC2 instances in the cluster need a role including ecs:Describe*, ecs:List* and ec2:Describe*
  • Easiest is to use AmazonEC2ContainerServiceFullAccess although that gives more permissions than needed

Setup

  • Create a new ECS task
  • Add a container using the codesuki/ecs-nginx-proxy docker image and make port 80 accessible
  • Create a new service using the above task and an ELB
  • Connect to the ELB serving the wildcard domain

Adding containers

Each container you want to make accessible needs to have its corresponding port mapped (can be random mapping) and the environment variable VIRTUAL_HOST set to the hostname it should respond to.

You can customize nginx settings per container by adding environment variables prefixed by NGINX_GEN_. For example, you could add an environment variable named NGINX_GEN_client_max_body_size to configure the nginx client_max_body_size setting.
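A pre-registration check for the two variables described above, as an added example that is not part of the ecs-nginx-proxy project: it lints a parsed task definition so that VIRTUAL_HOST stays one label under the wildcard domain and NGINX_GEN_ settings come from a reviewed allowlist. The zone, the allowlist, the function name and the sample task definitions are assumptions constructed for illustration.

```python
import re

# Assumed for this example: the wildcard zone and the reviewed directive allowlist.
WILDCARD_ZONE = "domain.com"
ALLOWED_DIRECTIVES = {"client_max_body_size", "proxy_read_timeout"}
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
# Simple tokens only: no ';', braces, quotes, whitespace or newlines.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/-]{1,64}")


def lint_task_definition(task_def, zone=WILDCARD_ZONE, allowed=ALLOWED_DIRECTIVES):
    """Return a list of findings for one parsed ECS task definition."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        env = {e["name"]: e["value"] for e in container.get("environment", [])}
        host = env.get("VIRTUAL_HOST")
        if host is None:
            continue  # not exposed through the proxy, nothing to check
        if not container.get("portMappings"):
            findings.append(f"{name}: VIRTUAL_HOST set but no port mapping")
        # Require exactly one label under the wildcard zone (branch.domain.com).
        label, _, parent = host.lower().partition(".")
        if parent != zone or not LABEL.fullmatch(label):
            findings.append(f"{name}: VIRTUAL_HOST {host!r} is not <label>.{zone}")
        for key, value in env.items():
            if not key.startswith("NGINX_GEN_"):
                continue
            directive = key[len("NGINX_GEN_"):]
            if directive not in allowed:
                findings.append(f"{name}: directive {directive!r} is not allowlisted")
            elif not SAFE_VALUE.fullmatch(value):
                findings.append(f"{name}: value for {directive!r} is not a simple token")
    return findings


# Constructed sample task definitions (not taken from the project's examples/ folder).
GOOD = {"containerDefinitions": [{
    "name": "web", "portMappings": [{"containerPort": 8080, "hostPort": 0}],
    "environment": [{"name": "VIRTUAL_HOST", "value": "feature-1.domain.com"},
                    {"name": "NGINX_GEN_client_max_body_size", "value": "20m"}]}]}
BAD = {"containerDefinitions": [{
    "name": "api",
    "environment": [{"name": "VIRTUAL_HOST", "value": "api.example.org"},
                    {"name": "NGINX_GEN_client_max_body_size", "value": "20m;"},
                    {"name": "NGINX_GEN_root", "value": "/srv"}]}]}

if __name__ == "__main__":
    for finding in lint_task_definition(BAD):
        print(finding)
```

Run it in CI against each task definition file before `aws ecs register-task-definition`, and fail the job when the returned list is not empty.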

Sample ECS task and service description

For reference, JSON descriptions for the ecs-nginx-proxy task, service and a sample task can be found in the examples/ folder. Check out the commands below or just the sample descriptions if you already know how to work with AWS ECS.

To register the sample tasks and services with your AWS ECS cluster run the following commands.

Register task

Requirements

  • ECS Cluster
  • Cluster EC2 instances need ecs:Describe* and ecs:List* permissions (see Requirements above)

aws ecs register-task-definition --cli-input-json file://./examples/task.json

Register service

Requirements

  • ELB or ALB + Target Group
  • Service role for the ELB/ALB containing AmazonEC2ContainerServiceRole

If you use ELB

You need to supply the load balancer name.

aws ecs create-service --cluster <NAME> --role <NAME> --load-balancers loadBalancerName=<NAME>,containerName=ecs-nginx-proxy,containerPort=80 --cli-input-json file://./examples/service.json

If you use ALB

You need to supply the target group ARN.

aws ecs create-service --cluster <NAME> --role <NAME> --load-balancers targetGroupArn=<ARN>,containerName=ecs-nginx-proxy,containerPort=80 --cli-input-json file://./examples/service.json

Register sample task

Before running the commands below, change the VIRTUAL_HOST environment variable in examples/sample_task.json to a domain corresponding to your load balancer setup.

aws ecs register-task-definition --cli-input-json file://./examples/sample_task.json

Register sample service

aws ecs create-service --cluster <NAME> --service-name sample-service --task-definition sample-task --desired-count 1

TODO

  • Support SSL connections (for now you can do SSL termination at the ALB)
  • Support path based routing (e.g. domain.com/service)