Assigning a subdomain to ECS through Docker Compose


I am currently deploying a backend server to AWS ECS using Docker Compose. The backend server is currently listening on port 80. I own a domain with a dedicated hosted zone on Route 53.

I want to create a subdomain (i.e. server.dev.example.com) that points to the backend server, but I am having a very hard time figuring out how to successfully associate the subdomain with the backend server. The subdomain server.dev.example.com has already been certified through Amazon's Certificate Manager, and I have created the corresponding CNAME record in the AWS hosted zone. I currently have the following docker-compose.yml file:

version: "3.9"
services:
  backend-server:
    image: PATH_TO_ECR_URL
    ports:
      - "80:80"

x-aws-cloudformation:
  Resources:
    BackendserverTCP80Listener:
      Properties:
        Certificates:
          - CertificateArn: "ARN_TO_CERTIFIED_SUBDOMAIN"
        Protocol: HTTPS
        Port: 443

I can deploy to AWS successfully, but when I curl the subdomain (i.e. server.dev.example.com) I get curl: (6) Could not resolve host. The browser reports DNS address could not be found. Diagnosing the problem. DNS_PROBE_POSSIBLE

How do I set up the docker-compose.yml file correctly so that the subdomain is associated with the deployment?

The CloudFormation template generated from the docker-compose file is as follows:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudMap:
    Properties:
      Description: Service Map for Docker Compose project server
      Name: server.local
      Vpc: vpc-xxx
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
  Cluster:
    Properties:
      ClusterName: backend-server
      Tags:
        - Key: com.docker.compose.project
          Value: backend-server
    Type: AWS::ECS::Cluster
  Default80Ingress:
    Properties:
      CidrIp: 0.0.0.0/0
      Description: backend-server:80/tcp on default network
      FromPort: 80
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: TCP
      ToPort: 80
    Type: AWS::EC2::SecurityGroupIngress
  DefaultNetwork:
    Properties:
      GroupDescription: backend-server Security Group for default network
      Tags:
        - Key: com.docker.compose.project
          Value: backend-server
        - Key: com.docker.compose.network
          Value: backend-server_default
      VpcId: vpc-xxx
    Type: AWS::EC2::SecurityGroup
  DefaultNetworkIngress:
    Properties:
      Description: Allow communication within network default
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: "-1"
      SourceSecurityGroupId:
        Ref: DefaultNetwork
    Type: AWS::EC2::SecurityGroupIngress
  LoadBalancer:
    Properties:
      Scheme: internet-facing
      SecurityGroups:
        - Ref: DefaultNetwork
      Subnets:
        - subnet-xxx
        - subnet-xxx
        - subnet-xxx
        - subnet-xxx
        - subnet-xxx
        - subnet-xxx
      Tags:
        - Key: com.docker.compose.project
          Value: backend-server
      Type: application
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  LogGroup:
    Properties:
      LogGroupName: /docker-compose/backend-server
    Type: AWS::Logs::LogGroup
  BackendserverService:
    DependsOn:
      - BackendserverTCP80Listener
    Properties:
      Cluster:
        Fn::GetAtt:
          - Cluster
          - Arn
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DeploymentController:
        Type: ECS
      DesiredCount: 1
      LaunchType: FARGATE
      LoadBalancers:
        - ContainerName: backend-server
          ContainerPort: 80
          TargetGroupArn:
            Ref: BackendserverTCP80TargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - Ref: DefaultNetwork
          Subnets:
            - subnet-xxx
            - subnet-xxx
            - subnet-xxx
            - subnet-xxx
            - subnet-xxx
            - subnet-xxx
      PlatformVersion: 1.4.0
      PropagateTags: SERVICE
      SchedulingStrategy: REPLICA
      ServiceRegistries:
        - RegistryArn:
            Fn::GetAtt:
              - BackendserverServiceDiscoveryEntry
              - Arn
      Tags:
        - Key: com.docker.compose.project
          Value: backend-server
        - Key: com.docker.compose.service
          Value: backend-server
      TaskDefinition:
        Ref: BackendserverTaskDefinition
    Type: AWS::ECS::Service
  BackendserverServiceDiscoveryEntry:
    Properties:
      Description: '"backend-server" service discovery entry in Cloud Map'
      DnsConfig:
        DnsRecords:
          - TTL: 60
            Type: A
        RoutingPolicy: MULTIVALUE
      HealthCheckCustomConfig:
        FailureThreshold: 1
      Name: backend-server
      NamespaceId:
        Ref: CloudMap
    Type: AWS::ServiceDiscovery::Service
  BackendserverTCP80Listener:
    Properties:
      DefaultActions:
        - ForwardConfig:
            TargetGroups:
              - TargetGroupArn:
                  Ref: BackendserverTCP80TargetGroup
          Type: forward
      LoadBalancerArn:
        Ref: LoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: CERT_ARN
    Type: AWS::ElasticLoadBalancingV2::Listener
  BackendserverTCP80TargetGroup:
    Properties:
      Port: 80
      Protocol: HTTP
      Tags:
        - Key: com.docker.compose.project
          Value: backend-server
      TargetType: ip
      VpcId: vpc-xxx
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
  BackendserverTaskDefinition:
    Properties:
      ContainerDefinitions:
        - Command:
            - us-east-1.compute.internal
            - backend-server.local
          Essential: false
          Image: docker/ecs-searchdomain-sidecar:1.0
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: backend-server
          Name: Backendserver_ResolvConf_InitContainer
        - DependsOn:
            - Condition: SUCCESS
              ContainerName: Backendserver_ResolvConf_InitContainer
          Essential: true
          Image: IMAGE_URL
          LinuxParameters: {}
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: backend-server
          Name: backend-server
          PortMappings:
            - ContainerPort: 80
              HostPort: 80
              Protocol: tcp
      Cpu: "256"
      ExecutionRoleArn:
        Ref: BackendserverTaskExecutionRole
      Family: backend-server
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
    Type: AWS::ECS::TaskDefinition
  BackendserverTaskExecutionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Condition: {}
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
      Tags:
        - Key: com.docker.compose.project
          Value: backend-server
        - Key: com.docker.compose.service
          Value: backend-server
    Type: AWS::IAM::Role

Answer 1

I found that my load balancer was missing an ingress rule accepting port 443. This was done by adding the following options to my docker-compose file:

x-aws-cloudformation:
  Resources:
    BackendserverTCP80Listener:
      Properties:
        Certificates:
          - CertificateArn: "ARN_CERT"
        Protocol: HTTPS
        Port: 443

    # This is what I added below
    Default443Ingress:
      Properties:
        CidrIp: 0.0.0.0/0
        Description: backend-server:443/https on default network
        FromPort: 443
        GroupId:
          Ref: DefaultNetwork
        IpProtocol: TCP
        ToPort: 443
      Type: AWS::EC2::SecurityGroupIngress
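As an added example that is not part of the original question or answer: a small Python linter run over a constructed, trimmed copy of the generated template shown above. It reports the gap the answer fixes (an HTTPS listener on 443 with no matching ingress rule on the load balancer's security group) and, because the Compose overlay attaches the same DefaultNetwork group to both the ALB and the Fargate tasks with AssignPublicIp enabled, it also flags every 0.0.0.0/0 rule on that group as reaching the tasks directly. Resource names come from the page; the template dict and the helper functions are constructed here.

```python
# Added example, not from the question or answer: a linter for the CloudFormation
# template that `docker compose` generates for ECS, run on a constructed, trimmed copy.
def ref(v):  # logical id behind a {"Ref": ...} value, or the plain value
    return v.get("Ref") if isinstance(v, dict) else v

def lint_template(template):
    """Findings: LB listener ports with no SG ingress, and 0.0.0.0/0 rules on the tasks' SG."""
    res = template["Resources"]
    of = lambda t: [(k, v["Properties"]) for k, v in res.items() if v["Type"] == t]
    lb_sgs = {ref(s) for _, p in of("AWS::ElasticLoadBalancingV2::LoadBalancer")
              for s in p.get("SecurityGroups", [])}
    task_sgs = {ref(s) for _, p in of("AWS::ECS::Service")
                for s in p["NetworkConfiguration"]["AwsvpcConfiguration"]["SecurityGroups"]}
    lb_ports = {int(p["Port"]) for _, p in of("AWS::ElasticLoadBalancingV2::Listener")}
    findings, reachable = [], set()
    for name, p in of("AWS::EC2::SecurityGroupIngress"):
        if "CidrIp" not in p:  # SG-to-SG rule (SourceSecurityGroupId): not internet exposure
            continue
        sg, lo, hi = ref(p["GroupId"]), int(p["FromPort"]), int(p["ToPort"])
        if sg in lb_sgs:
            reachable |= set(range(lo, hi + 1))
        if p["CidrIp"] == "0.0.0.0/0" and sg in task_sgs:
            findings.append(f"{name}: {lo}-{hi} open to 0.0.0.0/0 on {sg}, "
                            "a security group also attached to the ECS tasks")
    findings += [f"listener port {n} has no ingress rule on the LB security group"
                 for n in sorted(lb_ports - reachable)]
    return findings

def ingress(port, cidr="0.0.0.0/0", sg="DefaultNetwork"):
    """A SecurityGroupIngress resource shaped like the ones Compose emits."""
    return {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "CidrIp": cidr, "FromPort": port, "ToPort": port, "IpProtocol": "TCP",
        "GroupId": {"Ref": sg}}}

# Constructed template: the page's generated stack reduced to the resources that matter.
TEMPLATE = {"Resources": {
    "DefaultNetwork": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
    "Default80Ingress": ingress(80),
    "LoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                     "Properties": {"SecurityGroups": [{"Ref": "DefaultNetwork"}]}},
    "BackendserverTCP80Listener": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
                                   "Properties": {"Port": 443, "Protocol": "HTTPS"}},
    "BackendserverService": {"Type": "AWS::ECS::Service", "Properties": {
        "NetworkConfiguration": {"AwsvpcConfiguration": {
            "AssignPublicIp": "ENABLED", "SecurityGroups": [{"Ref": "DefaultNetwork"}]}}}},
}}

def with_answer_fix(template):
    """Copy of the template with the answer's Default443Ingress rule added."""
    return {"Resources": {**template["Resources"], "Default443Ingress": ingress(443)}}
```

Run against the original stack it reports both the missing 443 ingress and the internet-reachable task ports; with the answer's rule added, only the shared-security-group findings remain, which is the part worth tightening (a separate group for the tasks that admits traffic only from the load balancer's group).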
