Switch from nginx docker proxy to ALB
We used to handle load balancing using https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion. This broke and proved hard to fix. After trying Caddy, I gave up and switched to an AWS Application Load Balancer and the AWS Certificate Manager, at the cost of adding some ridiculously baroque setup. I need to go back and comment some of this, but for now, I need sleep.
Showing
15 changed files
with
207 additions
and
215 deletions.
@@ -0,0 +1,52 @@ | ||
# Register this container with our AWS "application load balancer", which can | ||
# serve multiple domains with certificates. | ||
|
||
resource "aws_lb_target_group" "target_group" { | ||
name = "${var.name}" | ||
port = 80 | ||
protocol = "HTTP" | ||
vpc_id = "vpc-5abfab3c" | ||
} | ||
|
||
resource "aws_lb_listener_rule" "proxy" { | ||
listener_arn = "${var.listener_arn}" | ||
priority = "${var.listener_rule_priority}" | ||
|
||
action { | ||
type = "forward" | ||
target_group_arn = "${aws_lb_target_group.target_group.arn}" | ||
} | ||
|
||
condition { | ||
field = "host-header" | ||
values = ["${var.host}"] | ||
} | ||
} | ||
|
||
resource "aws_acm_certificate" "cert" { | ||
domain_name = "${var.host}" | ||
validation_method = "DNS" | ||
|
||
lifecycle { | ||
create_before_destroy = true | ||
} | ||
} | ||
|
||
resource "aws_route53_record" "cert_validation" { | ||
name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" | ||
type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" | ||
zone_id = "${var.zone_id}" | ||
records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] | ||
ttl = 60 | ||
} | ||
|
||
resource "aws_acm_certificate_validation" "cert" { | ||
certificate_arn = "${aws_acm_certificate.cert.arn}" | ||
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] | ||
} | ||
|
||
resource "aws_lb_listener_certificate" "cert" { | ||
listener_arn = "${var.listener_arn}" | ||
certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}" | ||
} | ||
|
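Review bot: The `aws_lb_target_group` resource terminates TLS at the ALB and forwards plain HTTP on port 80, but nothing in this module restricts who may reach that port on the container host; unless the instance's security group (defined elsewhere in the commit, not visible here) limits ingress to the ALB's security group, the HTTPS listener and the host-header rule can be bypassed by connecting to the instance directly. The target group also carries no `health_check` block, so provider defaults decide when a target is pulled out of rotation. `vpc_id = "vpc-5abfab3c"` is a hard-coded account-specific identifier in an otherwise parameterised module; `vpc_id = "${var.vpc_id}"` would keep it consistent with `var.zone_id` and `var.listener_arn`. A header comment such as `# TLS terminates at the ALB; backend traffic is plain HTTP and must only be reachable from the load balancer's security group.` would make the trust boundary explicit.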
@@ -0,0 +1,77 @@ | ||
resource "aws_lb" "web_sites" { | ||
name = "web-sites" | ||
internal = false | ||
load_balancer_type = "application" | ||
security_groups = ["${aws_security_group.load_balancer.id}"] | ||
subnets = ["subnet-011dc549", "subnet-0f045d6a"] | ||
} | ||
|
||
resource "aws_lb_listener" "web_sites_https" { | ||
load_balancer_arn = "${aws_lb.web_sites.arn}" | ||
port = "443" | ||
protocol = "HTTPS" | ||
ssl_policy = "ELBSecurityPolicy-2015-05" | ||
certificate_arn = "${aws_acm_certificate_validation.language_learners.certificate_arn}" | ||
|
||
default_action { | ||
type = "redirect" | ||
redirect { | ||
host = "forum.language-learners.org" | ||
port = "443" | ||
protocol = "HTTPS" | ||
status_code = "HTTP_301" | ||
} | ||
} | ||
} | ||
|
||
# An AWS security group describing the firewall rules for a load balancer. | ||
resource "aws_security_group" "load_balancer" { | ||
name = "load-balancer" | ||
description = "Allow HTTP and HTTPS traffic." | ||
|
||
# Allow inbound HTTP traffic. | ||
ingress { | ||
from_port = 80 | ||
to_port = 80 | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
# Allow inbound HTTPS traffic. | ||
ingress { | ||
from_port = 443 | ||
to_port = 443 | ||
protocol = "tcp" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
# Allow all outbound traffic. | ||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
} | ||
|
||
resource "aws_acm_certificate" "language_learners" { | ||
domain_name = "language-learners.org" | ||
validation_method = "DNS" | ||
|
||
lifecycle { | ||
create_before_destroy = true | ||
} | ||
} | ||
|
||
resource "aws_route53_record" "language_learners_validation" { | ||
name = "${aws_acm_certificate.language_learners.domain_validation_options.0.resource_record_name}" | ||
type = "${aws_acm_certificate.language_learners.domain_validation_options.0.resource_record_type}" | ||
zone_id = "${aws_route53_zone.primary.zone_id}" | ||
records = ["${aws_acm_certificate.language_learners.domain_validation_options.0.resource_record_value}"] | ||
ttl = 60 | ||
} | ||
|
||
resource "aws_acm_certificate_validation" "language_learners" { | ||
certificate_arn = "${aws_acm_certificate.language_learners.arn}" | ||
validation_record_fqdns = ["${aws_route53_record.language_learners_validation.fqdn}"] | ||
} |
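Review bot: `ssl_policy = "ELBSecurityPolicy-2015-05"` on the `web_sites_https` listener still negotiates TLS 1.0 and 1.1 and their older cipher suites, and every SNI certificate attached through `aws_lb_listener_certificate` inherits that policy; change it to `ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"` (or a newer TLS 1.2-only policy) unless a specific legacy client has to be supported. The `load_balancer` security group also opens port 80 to 0.0.0.0/0, yet this file defines only a 443 listener; if no HTTP listener is created in another file of this commit the ingress rule is dead and should be dropped, and if HTTP is meant to be served it should be a listener whose default action redirects to HTTPS rather than a second plaintext path. The subnet IDs in `aws_lb.web_sites` are account-specific literals, the same problem as the hard-coded VPC id in the per-site module; a variable or a data-source lookup would keep the file portable. A one-line comment on the listener, `# The TLS policy applies to every certificate attached to this listener, not just the default one.`, would record why the policy choice matters.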