Hey everyone,
I'm looking to host a webservice through Docker on ECS. I'm trying to set up https for it but I'm having no luck in doing so. I've tried many different configs, but I have a lack of understanding in this space.
These are my relevant files:
docker-compose.yml
```yaml
  reverse_proxy:
    platform: linux/amd64
    build:
      context: .
      dockerfile: ./Dockerfile
      target: reverse_proxy
    image: "$REGISTRY_URL/reverse_proxy"
    environment:
      AWS_REGION: "ap-southeast-2"
    x-aws-role:
      Statement:
        - Effect: "Allow"
          Action:
            - "ecs:ListClusters"
            - "ecs:DescribeClusters"
            - "ecs:ListTasks"
            - "ecs:DescribeTasks"
            - "ecs:DescribeContainerInstances"
            - "ecs:DescribeTaskDefinition"
            - "ec2:DescribeInstances"
            - "ssm:DescribeInstanceInformation"
          Resource:
            - "*"
        - Effect: "Allow"
          Action:
            - "iam:PassRole"
          Resource:
            - "*"
          Condition:
            StringLike:
              iam:PassedToService: "ecs-tasks.amazonaws.com"
  webserver:
    platform: linux/amd64
    build:
      context: .
      dockerfile: ./Dockerfile
      target: webserver
    image: "$REGISTRY_URL/deploy_ecs/webserver"
    # container_name: webserver
    command: "dagster-webserver -h 0.0.0.0 -p 80 -w workspace.yaml"
    expose:
      - "80"
    labels:
      - traefik.enable=true
      - traefik.http.routers.webserver.rule=Host(`{HOST}`)
      - traefik.http.routers.webserver.tls=true
      - traefik.http.routers.webserver.tls.certresolver=myresolver
      - traefik.http.services.webserver.loadbalancer.server.port=80
    environment:
      DAGSTER_POSTGRES_DB: "postgres_db"
      DAGSTER_POSTGRES_HOSTNAME: "postgresql"
      DAGSTER_POSTGRES_PASSWORD: "postgres_password"
      DAGSTER_POSTGRES_USER: "postgres_user"
    depends_on:
      - postgresql
      - user_code
    x-aws-role:
      Statement:
        - Effect: "Allow"
          Action:
            - "ecs:DescribeTasks"
            - "ecs:StopTask"
          Resource:
            - "*"
        - Effect: "Allow"
          Action:
            - "iam:PassRole"
          Resource:
            - "*"
          Condition:
            StringLike:
              iam:PassedToService: "ecs-tasks.amazonaws.com"
```
My traefik_ecs.yaml:
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  ecs:
    exposedByDefault: false
    autoDiscoverClusters: false
    clusters:
      - dagster
    region: ap-southeast-2
certificatesResolvers:
  myresolver:
    # Enable ACME (Let's Encrypt): automatic SSL.
    acme:
      email: "ian@thelookoutway.com"
      storage: "acme.json"
      httpChallenge:
        entryPoint: web
```
My Dockerfile:
```dockerfile
# Traefik
FROM traefik:v2.10 as reverse_proxy
COPY traefik_ecs.yaml /etc/traefik/traefik.yaml
RUN touch /etc/traefik/acme.json
RUN chmod +x /etc/traefik/acme.json
```
I've tried to follow the documentation here, but that doesn't seem to have worked for me.
This is the error on the reverse_proxy ECS service:
```
time="2023-09-22T01:34:32Z" level=error msg="Unable to obtain ACME certificate for domains \"{HOST}\": unable to generate a certificate for the domains [HOST]: error: one or more domains had a problem:\n[HOST] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 13.236.26.10: Fetching {host}/.well-known/acme-challenge/9XNME3B88lo_43qdeL66d1z0JHqVuAJkm: Timeout during connect (likely firewall problem)\n" routerName=websecure-webserver@ecs rule="Host(`HOST`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=myresolver.acme
```
I've replaced the host name with HOST above.
I'd very much appreciate any help as to how to set up HTTPS.
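
Added example, not part of the original post and not Traefik's own code: a small triage helper that parses a Traefik logfmt error line like the one above, pulls out the ACME problem type (RFC 8555 section 6.7) and the address the CA dialled, and maps it to what to check for an HTTP-01 challenge, which is always fetched over port 80. The function names, the hint texts and the sample line (placeholder host and IP) are assumptions made for the example.

```python
import re

# ACME problem types (RFC 8555 section 6.7) and what to check for an HTTP-01 challenge.
HINTS = {
    "connection": "CA could not connect: confirm TCP 80 is published by the proxy "
                  "and allowed inbound (security group, NACL, load balancer)",
    "dns": "CA could not resolve the name: check the host's A/AAAA/CNAME records",
    "unauthorized": "CA got a wrong or missing token: check that "
                    "/.well-known/acme-challenge/ reaches Traefik on port 80",
    "rateLimited": "CA rate limit hit: wait, and test against the staging directory",
}
PAIR = re.compile(r'(\w+)=("(?:\\.|[^"\\])*"|\S+)')      # one logfmt key=value pair
PROBLEM = re.compile(r"urn:ietf:params:acme:error:(\w+)")
ADDR = re.compile(r":: (\d{1,3}(?:\.\d{1,3}){3}):")       # address the CA dialled


def parse_logfmt(line):
    """Return the key/value pairs of one logfmt line, with quoting removed."""
    fields = {}
    for key, value in PAIR.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\n", "\n")
        fields[key] = value
    return fields


def triage(line):
    """Classify a Traefik ACME error line; return None if the line is not one."""
    fields = parse_logfmt(line)
    msg = fields.get("msg", "")
    problem = PROBLEM.search(msg)
    if fields.get("level") != "error" or problem is None:
        return None
    addr = ADDR.search(msg)
    return {
        "resolver": fields.get("providerName"),
        "router": fields.get("routerName"),
        "problem": problem.group(1),
        "validated_ip": addr.group(1) if addr else None,
        "check": HINTS.get(problem.group(1), "see the CA's detail text in msg"),
    }


# Constructed sample modelled on the log line in the post (placeholder host and IP).
SAMPLE = r'''time="2023-09-22T01:34:32Z" level=error msg="Unable to obtain ACME certificate for domains \"example.com\": acme: error: 400 :: urn:ietf:params:acme:error:connection :: 203.0.113.10: Fetching http://example.com/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)\n" routerName=websecure-webserver@ecs providerName=myresolver.acme'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```

If `validated_ip` is not the public address of the task running the proxy, the DNS record is worth checking before the firewall rules.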