terraform-aws-ecs-fargate-service

Disable HTTPS

Open paambaati opened this issue 2 years ago • 4 comments

I use this module (and not ecs-fargate, as I could not understand the difference between the two), but I am able to successfully provision a cluster with tasks. However, I'm trying to disable HTTPS (i.e. remove listeners/target groups on 443) and have only 1 custom port (non-SSL) defined on the container that will be serving up health check responses, and I see no option to do this.

How does one disable all HTTPS with this module?

paambaati avatar Jun 16 '22 08:06 paambaati

Listener could be disabled with lb_https_ports = {}

But the main question is how to set up health checks on the target group with protocol HTTP, different from the LB listener (not HTTPS). It's a standard flow: 443 HTTPS on the LB listener >> 80 HTTP on targets (the health check on target groups should be set up to 80 HTTP).

There is a target_group_health_check... but no protocol variable among them, so only HTTPS can be used now.

Variable HealthCheckProtocol from documentation

https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_ModifyTargetGroup.html

will solve this.

okanaiki avatar Jul 03 '22 01:07 okanaiki

Ran into a similar issue where I just want to serve HTTP requests on the app end and have the LB deal with serving SSL. I was going nuts trying to understand why the service kept going down, and it was because nothing was being served on port 443 (it's not the usual way of doing it).

This is traditionally done with an HTTP listener that redirects requests to an HTTPS listener, and then the HTTPS listener points to the target group that talks to the service on HTTP.

There should be an option here to just redirect from HTTP listener -> HTTPS listener in this case, which is probably pretty common.

nijine avatar Jan 28 '23 01:01 nijine

I came up with a workaround to get the behavior that I mentioned above, which effectively eliminates the HTTPS target group but still serves an HTTPS page using an HTTP-only app.

```hcl
lb_http_ports = {
  "default_http": {
    "listener_port": 80,
    "host": "#{host}",
    "path": "/#{path}",
    "protocol": "HTTPS",
    "query": "#{query}",
    "port": 443,
    "type": "redirect"
  }
}

lb_https_ports = {
  "default_http": {
    "listener_port": 443,
    "target_group_port": 80,
    "target_group_protocol": "HTTP",
    "type": "forward"
  }
}
```

nijine avatar Jan 28 '23 03:01 nijine
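
The flow discussed in this thread (port 80 redirects to 443, TLS terminates on the load balancer, targets and their health check use HTTP on port 80), written directly against the AWS provider's resources. This is an added example, not code from the module or from any commenter; the variable names, resource names, target group name, health check path and TLS policy choice are assumptions.

```hcl
# Added example: placeholder inputs, not variables of the module discussed above.
variable "vpc_id" { type = string }
variable "lb_arn" { type = string }
variable "certificate_arn" { type = string }

# Targets speak plain HTTP on port 80; the health check uses the same protocol.
resource "aws_lb_target_group" "app" {
  name        = "example-app-http" # assumed name
  port        = 80
  protocol    = "HTTP"
  target_type = "ip" # Fargate tasks in awsvpc mode register by IP
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTP"
    port     = "traffic-port"
    path     = "/" # assumed health endpoint
    matcher  = "200"
  }
}

# Port 80 never forwards traffic; it only redirects to HTTPS.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = var.lb_arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      protocol    = "HTTPS"
      port        = "443"
      status_code = "HTTP_301"
    }
  }
}

# TLS terminates here; requests are forwarded to the HTTP target group.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.lb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

With this layout the hop from the load balancer to the tasks is unencrypted inside the VPC, so the task security group should accept port 80 only from the load balancer's security group.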

Hi everyone, how are you? Thanks for discussing and finding solutions for it. Please feel free to raise all the PRs that you consider necessary; contributions are always welcome, and I try to approve and release the changes as soon as they come!

jnonino avatar Feb 07 '23 12:02 jnonino