Unable to deploy Growthbook service (A/B Testing) together with Nginx sidecar container for handling SSL/TLS encryption into Amazon ECS

Asked by: Sree Teja   Asked: 12/6/2022   Updated: 12/6/2022   Views: 374

Question:

I want to deploy the Growthbook (A/B testing tool) container, together with an Nginx reverse proxy that handles the SSL/TLS encryption (i.e. SSL termination), into AWS ECS. I tried deploying it with a Docker Compose file (i.e. the Docker ECS context) by running docker compose --project-name growthbook up. The problem is that it creates all the necessary resources, such as the network load balancer, target group, ECS task definition, etc., and then suddenly fails to create the ECS service and tries to delete all the resources it created during the run. The reason it gives is "Nginx sidecar container exited".

Here is my docker-compose.yml file:

# docker-compose.yml
version: "3"
x-aws-vpc: "vpc-*************"
services:
  growthbook:
    image: "growthbook/growthbook:latest"
    ports:
      - 3000:3000
      - 3100:3100
    environment:
      - MONGODB_URI=<mongo_db_connection_string>
      - JWT_SECRET=<jwt_secret>
    volumes:
      - uploads:/usr/local/src/app/packages/back-end/uploads
  nginx-tls-sidecar:
    image: <nginx_sidecar_image>
    ports:
      - 443:443
    links:
      - growthbook
volumes:
  uploads:

Here is the Dockerfile used to build the nginx sidecar image:

FROM nginx
COPY nginx.conf /etc/nginx/nginx.conf
# The private key is copied into an image layer: anyone who can pull this image can read it.
COPY ssl.key /etc/nginx/ssl.key
COPY ssl.crt /etc/nginx/ssl.crt

In the Dockerfile above, the SSL key and certificate are self-signed and were generated with openssl.

Here is my nginx.conf file:

# nginx Configuration File
# https://wiki.nginx.org/Configuration

# Run as a less privileged user for security reasons.
user nginx;

worker_processes auto;

events {
  worker_connections 1024;
}

pid        /var/run/nginx.pid;

http {

    #Redirect to https, using 307 instead of 301 to preserve post data

    server {
        listen [::]:443 ssl;
        listen 443 ssl;

        server_name localhost;

        # Only TLS 1.2 is offered; SSLv3, TLS 1.0 and TLS 1.1 are disabled and should stay disabled.
        ssl_protocols              TLSv1.2;

        # Cipher list copied from an older Mozilla profile (https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx).
        # Note that it still admits RC4 suites and non-forward-secret AES128/AES256/HIGH suites.
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;

        # Optimize TLS/SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS/SSL handshakes.
        # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
        # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
        # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;


        # Use a higher keepalive timeout to reduce the need for repeated handshakes
        keepalive_timeout 300; # up from 75 secs default

        # remember the certificate for a year and automatically connect to HTTPS
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;

        # Growthbook app endpoint (container port 3000)
        location / {
            proxy_pass http://localhost:3000;

            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # Growthbook API endpoint (container port 3100)
        # This is a second "location /" in the same server block; nginx treats a repeated
        # location match within one server block as a configuration error at startup.
        location / {
            proxy_pass http://localhost:3100;

            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}

Basically, Growthbook exposes its services on http://localhost:3000 and http://localhost:3100, while the Nginx sidecar container only listens on port 443. I need to be able to proxy to both endpoints exposed by Growthbook from Nginx port 443.

Any help is greatly appreciated if you find any errors in my config :)

By default, the Growthbook service does not provide TLS encryption, so I am using Nginx as a sidecar to handle SSL termination. Ultimately, I need to be able to run the Growthbook service with TLS encryption, hosted on AWS ECS.

docker nginx amazon-ecs

Comments

0 votes  Mark B  12/6/2022
Since the Nginx container is exiting, did you check the CloudWatch logs for any log output from Nginx before it exited? There may be an error message in there that helps pinpoint the problem.
0 votes  Sree Teja  12/6/2022
That's the tricky part, it also deleted the CloudWatch logs associated with nginx. So how do I figure it out :(
0 votes  Mark B  12/6/2022
Try tailing the logs immediately after the deployment starts? Or run the deployment with an IAM user that doesn't have permission to delete logs?

Answers: none yet
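Added example, not part of the question, the comments, or any GrowthBook or nginx code: a Python pre-deploy audit for the sidecar's nginx.conf. It parses the config into a directive tree (quoted values included, so the semicolon inside the HSTS header value does not split that directive) and reports a second `location /` declared inside the same `server` block, which nginx rejects when it starts, together with cipher suites built on weak algorithms and legacy protocol versions. POSTED is a constructed abbreviation of the question's config; FIXED is one corrected layout that is an assumption for illustration: placeholder hostnames, one SNI-selected server block per GrowthBook port, certificate paths and the question's proxy headers omitted for brevity.

```python
# Added example (not code from the question, GrowthBook or nginx): an offline audit of an
# nginx sidecar config that reports duplicate `location` blocks in one `server` block
# (nginx refuses to start on these), weak cipher algorithms and legacy TLS versions.
import re
from collections import namedtuple

Directive = namedtuple("Directive", "name args block")  # block: None or list of children
# whitespace | comment | 'quoted' | "quoted" | { } ; | bare word
_TOKEN = re.compile(r"""\s+|\#[^\n]*|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[{};]|[^\s{};'"#]+""")

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize nginx config at offset %d" % pos)
        pos, tok = m.end(), m.group(0)
        if tok.isspace() or tok.startswith("#"):
            continue
        out.append(tok[1:-1] if tok[0] in "'\"" else tok)  # unquote; keeps a ';' inside quotes
    return out

def parse(text):
    """Recursive-descent parse of nginx.conf into a tree of Directive tuples."""
    toks, pos = tokenize(text), 0
    def block():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != "}":
            words = []
            while pos < len(toks) and toks[pos] not in ("{", ";"):
                words.append(toks[pos])
                pos += 1
            if pos >= len(toks) or not words:
                raise ValueError("malformed directive near token %d" % pos)
            term, pos = toks[pos], pos + 1
            if term == "{":
                items.append(Directive(words[0], words[1:], block()))
                pos += 1  # consume the closing brace
            else:
                items.append(Directive(words[0], words[1:], None))
        return items
    return block()

WEAK_ALGS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXP", "EXPORT"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def audit(conf_text):
    """Return duplicate locations, weak cipher algorithms and legacy protocols found."""
    findings = {"duplicate_locations": [], "weak_ciphers": set(), "legacy_protocols": set()}
    def walk(items, path):
        seen = set()  # location matches already declared in this block
        for d in items:
            here = path + [" ".join([d.name] + d.args)]
            if d.name == "location":
                key = " ".join(d.args)
                if key in seen:
                    findings["duplicate_locations"].append(" > ".join(here))
                seen.add(key)
            elif d.name == "ssl_ciphers":
                for suite in ":".join(d.args).split(":"):
                    if not suite.startswith("!"):  # exclusions such as !MD5 are fine
                        findings["weak_ciphers"] |= WEAK_ALGS & set(re.split(r"[-+]", suite))
            elif d.name == "ssl_protocols":
                findings["legacy_protocols"] |= LEGACY_PROTOCOLS & set(d.args)
            if d.block is not None:
                walk(d.block, here)
    walk(parse(conf_text), [])
    return findings

# Constructed abbreviation of the question's nginx.conf: one server block with two
# `location /` entries and RC4 suites in the cipher list.
POSTED = """
http {
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!MD5;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
        location / { proxy_pass http://localhost:3000; }
        location / { proxy_pass http://localhost:3100; }
    }
}
"""
# One corrected layout (assumed placeholder hostnames, certificate directives omitted):
# a server block per GrowthBook port selected by SNI, forward-secret ciphers, TLS 1.3 on.
FIXED = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    server {
        listen 443 ssl;
        server_name growthbook.example.com;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
        location / { proxy_pass http://localhost:3000; proxy_set_header X-Forwarded-Proto https; }
    }
    server {
        listen 443 ssl;
        server_name api.growthbook.example.com;
        location / { proxy_pass http://localhost:3100; }
    }
}
"""
```

The authoritative check is nginx itself: docker run --rm <nginx_sidecar_image> nginx -t validates the config inside the built image before docker compose up pushes it to ECS, and it matters here because, as the comment thread notes, the failed service creation also removed the CloudWatch logs that would have carried nginx's startup error. Splitting by hostname is one option; routing the API under a path prefix in a single server block is the other, and either way both GrowthBook ports are reachable over localhost because containers in one ECS task share a network namespace. Separately, the posted Dockerfile copies ssl.key into an image layer, so the private key is readable by anyone who can pull the image; mounting it at runtime from a secret store keeps it out of the registry.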