0 votes

I have a frontend Angular application running in an nginx Docker container on AWS ECS (EC2). This is a SaaS product, and other third-party domain names will be pointed at this frontend Docker container. I have set the default rule to that target group, but I wonder how to set up SSL for each domain. ALB currently supports only 100 listener rules, i.e. in effect each listener will have only 50 rules (considering 80 and 443).

30 rules are already filled by the backend apis.

If I have 150 domains that need to be pointed to this frontend, how can I set up SSL? If I set a 301 redirection in the port 80 vhost of nginx like

return 301 https://$host$request_uri

the request will again pass to port 443 of the application load balancer, and it will take the default SSL certificate and may cause an SSL error. Is there any way to make the nginx HTTPS redirection without going back to port 443 of the application load balancer, or any other method? I think a multi-domain SSL certificate is an option here, making it the default SSL certificate on the load balancer.


2 Answers

0 votes

Do you have access to the SSL certs for all these domains? If yes, you can configure them in the nginx container. Use a Network Load Balancer instead of an ALB and add a TCP listener on port 443, which will not terminate SSL and will redirect traffic to the nginx container, which will terminate the certificate.

You can also dynamically reload the nginx configuration to set up certificates dynamically.
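The approach in this answer, worked through as an added example (this is not code from the answer above): the NLB passes TCP 80 and TCP 443 straight to the nginx container, so nginx must carry one `server` block per tenant domain and select it by SNI, and the port 80 redirect can safely go back through the NLB because nothing in front of nginx terminates TLS. The script renders those blocks from certificates on disk, validates with `nginx -t`, rolls back on failure and hot-reloads, which is the "dynamic reload" the answer mentions. Paths (`/etc/nginx/certs/<domain>/{fullchain,privkey}.pem`, `/etc/nginx/conf.d/tenants.conf`, `/usr/share/nginx/html`) and the function names are my assumptions; the domain validation is there because a tenant-supplied hostname is interpolated into both an nginx directive and a filesystem path.

```python
"""
Per-domain TLS terminated in the nginx container behind an NLB TCP pass-through.

Added example, not code from the original answer. Assumed layout (placeholders):
certificates live at /etc/nginx/certs/<domain>/fullchain.pem and privkey.pem,
nginx includes /etc/nginx/conf.d/*.conf, and the Angular build is served
from /usr/share/nginx/html.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import List

# Strict hostname check: the domain is interpolated into nginx config and into
# a filesystem path, so tenant-supplied names must not carry ; { } / .. or spaces.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def valid_domain(name: str) -> bool:
    return bool(DOMAIN_RE.match(name.lower()))


def vhost(domain: str, cert_dir: str = "/etc/nginx/certs",
          webroot: str = "/usr/share/nginx/html") -> str:
    """One HTTPS server block; nginx picks it by SNI, so no ALB rule is consumed."""
    if not valid_domain(domain):
        raise ValueError(f"refusing to render vhost for {domain!r}")
    domain = domain.lower()
    return f"""\
server {{
    listen 443 ssl;
    server_name {domain};
    ssl_certificate     {cert_dir}/{domain}/fullchain.pem;
    ssl_certificate_key {cert_dir}/{domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    root {webroot};
    location / {{ try_files $uri $uri/ /index.html; }}
}}
"""


def render_conf(domains: List[str], **kw) -> str:
    """Whole conf.d file: catch-all blocks plus one vhost per tenant domain."""
    header = """\
# Generated file; do not edit by hand.
# Port 80 arrives via the NLB TCP:80 listener; the 301 below goes back through
# the NLB TCP:443 listener, which hands the TLS handshake to nginx untouched.
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}
# Unknown SNI: abort the handshake instead of serving another tenant's cert
# (ssl_reject_handshake needs nginx >= 1.19.4).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}
"""
    return header + "".join(vhost(d, **kw) for d in sorted(set(domains)))


def domains_with_certs(cert_dir: str = "/etc/nginx/certs") -> List[str]:
    """Tenant domains are the directories that hold both chain and key."""
    found = []
    for p in Path(cert_dir).iterdir():
        if (p / "fullchain.pem").is_file() and (p / "privkey.pem").is_file():
            found.append(p.name)
    return found


def apply_and_reload(domains: List[str],
                     conf_path: str = "/etc/nginx/conf.d/tenants.conf",
                     nginx: str = "nginx") -> None:
    """Write the new file, validate with nginx -t, roll back on failure, then hot-reload."""
    target = Path(conf_path)
    backup = target.with_suffix(".conf.bak")
    if target.exists():
        shutil.copy2(target, backup)
    target.write_text(render_conf(domains))
    if subprocess.run([nginx, "-t"]).returncode != 0:
        if backup.exists():
            shutil.copy2(backup, target)
        raise RuntimeError("new nginx config rejected; previous config restored")
    subprocess.run([nginx, "-s", "reload"], check=True)


if __name__ == "__main__":
    apply_and_reload(domains_with_certs())
```

Run it inside the container whenever a tenant's certificate is added or renewed; because the NLB never inspects TLS, the only place the certificate count matters is nginx itself, and the 100-rule ALB limit from the question does not apply.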

0 votes

AWS load balancers now support SSL redirection, so you don't have to do it in your containers.

In addition, your 443 listener can have multiple certificates added to it, so just add all your certs to the 443 listener on your load balancer.

Then in your 443 listener rules, just have a single rule with:

  • IF: Requests otherwise not routed
  • THEN:
    • HTTPS, Port 443
    • Redirect to 'Original host, path, query'
    • '301 - permanently moved' as the status

Now all your HTTP requests will be sent back to the user with a redirect to HTTPS without ever hitting your container or nginx. When they come back as HTTPS, the AWS ALB has all the certificates there for it.

If you run up against limits on the load balancer, you may have to 'chunk' them up into 2 or 3 ALBs, but I find this easier to manage, especially when cert change time comes around.
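The same setup as an added boto3 example (not code from the answer above): the HTTP-to-HTTPS redirect with "original host, path, query" and status 301 is built as a listener action, every tenant certificate is attached to the 443 listener, and the "chunking" into several ALBs is planned against the per-ALB certificate quota. In this example the redirect is the default action of the port 80 listener and the 443 listener forwards to the frontend target group. All ARNs, names and the target group are placeholders, and the quota value of 25 additional certificates per ALB is the default Service Quota, which can be raised; the `elbv2` client calls (`create_listener`, `add_listener_certificates`) are real API calls, and the function takes the client as a parameter so it can be exercised with a test double offline.

```python
"""
ALB for many tenant domains: listener-level HTTP->HTTPS redirect plus one
ACM certificate per domain on the 443 listener.

Added example, not code from the original answer. ARNs, names and the target
group are placeholders; the boto3 elbv2 calls are real API calls.
"""
from typing import Any, Dict, List

# Default Service Quota for certificates per ALB, excluding the default one.
# It can be raised, but plan the split against the quota you actually have.
CERTS_PER_ALB = 25


def https_redirect_action() -> Dict[str, Any]:
    """Default action for :80 -> 301 to https://<orig host>/<orig path>?<orig query>."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Port": "443",
            "Host": "#{host}",
            "Path": "/#{path}",
            "Query": "#{query}",
            "StatusCode": "HTTP_301",
        },
    }


def forward_action(target_group_arn: str) -> Dict[str, Any]:
    return {"Type": "forward", "TargetGroupArn": target_group_arn}


def plan_alb_groups(cert_arns: List[str], per_alb: int = CERTS_PER_ALB) -> List[List[str]]:
    """Split tenant certificates into groups; each group gets its own ALB.

    A SAN certificate covering several tenant domains counts as one entry,
    which is how the number of ALBs stays small.
    """
    if per_alb < 1:
        raise ValueError("per_alb must be positive")
    return [cert_arns[i:i + per_alb] for i in range(0, len(cert_arns), per_alb)]


def configure_alb(elbv2: Any, lb_arn: str, target_group_arn: str,
                  default_cert_arn: str, tenant_cert_arns: List[str]) -> Dict[str, str]:
    """Create both listeners on one ALB and attach every tenant certificate.

    elbv2 is a boto3 'elbv2' client (or a test double with the same methods).
    """
    if len(tenant_cert_arns) > CERTS_PER_ALB:
        raise ValueError("too many certificates for one ALB; use plan_alb_groups()")

    http = elbv2.create_listener(
        LoadBalancerArn=lb_arn, Protocol="HTTP", Port=80,
        DefaultActions=[https_redirect_action()],
    )
    https = elbv2.create_listener(
        LoadBalancerArn=lb_arn, Protocol="HTTPS", Port=443,
        SslPolicy="ELBSecurityPolicy-TLS13-1-2-2021-06",
        Certificates=[{"CertificateArn": default_cert_arn}],
        DefaultActions=[forward_action(target_group_arn)],
    )
    https_arn = https["Listeners"][0]["ListenerArn"]
    # AddListenerCertificates takes one certificate per call; the ALB then
    # serves whichever certificate matches the client's SNI, and the default
    # certificate only for hostnames no other certificate covers.
    for arn in tenant_cert_arns:
        elbv2.add_listener_certificates(
            ListenerArn=https_arn, Certificates=[{"CertificateArn": arn}]
        )
    return {"http": http["Listeners"][0]["ListenerArn"], "https": https_arn}


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS

    # Placeholder ARNs for the 150 tenant domains from the question.
    certs = [f"arn:aws:acm:us-east-1:123456789012:certificate/tenant-{i}" for i in range(150)]
    groups = plan_alb_groups(certs)
    print(f"{len(certs)} certificates -> {len(groups)} ALBs of at most {CERTS_PER_ALB}")
    configure_alb(
        boto3.client("elbv2"),
        lb_arn="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/frontend-1/abc",
        target_group_arn="arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/frontend/def",
        default_cert_arn="arn:aws:acm:us-east-1:123456789012:certificate/default",
        tenant_cert_arns=groups[0],
    )
```

Because the redirect is an action on the ALB itself, the container never sees port 80 traffic, and the question's failure mode (nginx redirecting back to a 443 listener that only has the default certificate) cannot occur once the tenant certificates are attached. With one certificate per domain and the default quota, 150 domains need six ALBs; issuing SAN certificates that bundle tenants brings that down to the two or three the answer mentions.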