The goal of the https-auth-proxy is to secure the application traffic
inside of the virtual network and add an authentication layer.
The image was tested on an aws fargate cluster. The clusters LB
accepts self-signed certificates. This way the https-auth-proxy can accept
encrypted traffic from the LB which already terminated the public
traffic encryption and re-encrypt it to be forwarded to your application.
This setup only works on services like aws fargate where all containers
of a service are using the same shared network interface. This way
the incoming traffic can be forwarded by the proxy to
localhost:PORT. If you are using a service where every container
has it's own interface feel free to fork the source code and implement
your own solution. This should be done in default.conf and perhaps
in Dockerfile and / or entrypoint.sh.
The PORT variable was changed to TARGET_HOST_PORT which consists of the IP
(or hostname) and the port, separated by a colon (e.g. 127.0.0.1:5000).
Configure your load balancer to forward all traffic to your application
on port 8443. This is necessary since only high-ports can be used
inside a fargate service.
Make sure your ACLs and security groups do also match the new
set port.
Configure your service to open only port 8443 on the public interface.
It's important to remove the previous port forwarding to your
applications port.
To set your internal application port on the proxy container you have
to pass on the value as an environment variable TARGET_HOST_PORT e.g. TARGET_HOST_PORT=127.0.0.1:5000.
The https-proxy's entrypoint.sh script uses this variable to set the
required parameters in default.conf. Furthermore, the variables HEALTHCHECK_PATH
and ADMIN_PASSWORD have to be set.
The DockerHub credentials included in the docker_push.sh file have to be added
to the travis-ci.org configuration for the https-auth-proxy. This can be done by
logging in with the GitHub credentials into travis-ci and add or change the variables:
DOCKERHUB_USERNAMEDOCKERHUB_PASSWORD
These are the login credentials for the DockerHub.
resource "aws_ecs_task_definition" "task_definition" {
...
container_definitions = templatefile("./container_definition.json", {
CONTAINER_PORT = 5000
})
...
}
resource "aws_ecs_service" "aws_ecs_service" {
...
load_balancer {
container_name = "myApp-https-proxy"
container_port = 8443
}
...
}
[
{
...
"name": "myApp",
"image": "imageURL",
...
},
{
...
"name": "myApp-https-proxy",
"image": "hlag/https-proxy:latest",
"portMappings": [
{
"containerPort": 8443,
"protocol": "tcp"
}
],
"environment": [
{
"name": "TARGET_HOST_PORT",
"value": "127.0.0.1:${CONTAINER_PORT}"
},
{
"name": "HEALTHCHECK_PATH",
"value": "api/ping"
}
],
"secrets" : [
{
"name" : "ADMIN_PASSWORD",
"valueFrom" : "pathToKeyStore"
}
...
}
]