Enable https on collector; ALB cannot target ECS

We set up the health check on Route 53 and it looks good. However, the health check on the target group shows that the hosts are unhealthy. It seems the connection between the ALB and ECS is broken.

Our collector config is as follows:

collector {
  # The collector runs as a web service specified on the following interface and port.
  interface = 0.0.0.0
  port = 8000

  # optional SSL/TLS configuration
  ssl {
    enable = true
    # whether to redirect HTTP to HTTPS
    redirect = true
    port = 9543
  }
}

The security group code snippets for the ALB and the target group in Terraform:

resource "aws_security_group" "lb" {
  name        = "${var.load_balancer_security_group_name}-${var.stage}"
  description = "controls access to the ALB"
  vpc_id      = var.vpc_id

  ingress {
    protocol    = "tcp"
    from_port   = var.ssl_port
    to_port     = var.ssl_port
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = var.container_port
    to_port     = var.container_port
    security_groups = [aws_security_group.ecs_tasks.id]
  }
}

resource "aws_security_group" "ecs_tasks" {
  name        = "${var.ecs_tasks_security_group_name}-${var.stage}"
  description = "allow inbound access from the ALB only"
  vpc_id      = var.vpc_id
  
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}


resource "aws_security_group_rule" "ingress_for_ecs" {
  description = "This rule defines the ingress to ecs sg to avoid cyclic dependency."
  type              = "ingress"
  from_port         = var.container_port
  to_port           = var.container_port
  protocol          = "tcp"
  source_security_group_id = aws_security_group.lb.id
  security_group_id = aws_security_group.ecs_tasks.id
}

We are not sure what to choose as a container port while operating on https, 8000 or 9543?

In CloudWatch we also see the REST interface bound to both the 8000 and 9543 ports, as seen in the screenshot.


Unfortunately, I am still stuck with this issue. Collector container returns code 143. This is how I changed the security groups:

resource "aws_security_group" "lb" {
  name        = "${var.load_balancer_security_group_name}-${var.stage}"
  description = "Application Load Balancer Security Group for the inbound (https) and outbound (container) connections"
  vpc_id      = var.vpc_id

  ingress {
    protocol    = "tcp"
    from_port   = var.ssl_port
    to_port     = var.ssl_port
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol    = "tcp"
    from_port   = var.green_ssl_port
    to_port     = var.green_ssl_port
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol        = "tcp"
    from_port       = var.container_ssl_port
    to_port         = var.container_ssl_port
    security_groups = [aws_security_group.sp_collector_ecs_tasks.id]
  }

  tags = {
    Environment    = var.stage
    SnowplowModule = var.snowplow_module
  }
}

resource "aws_security_group" "sp_collector_ecs_tasks" {
  name        = "${var.ecs_tasks_security_group_name}-${var.stage}"
  description = "Traffic to the collector cluster should only come from the ALB"
  vpc_id      = var.vpc_id

  egress {
    protocol    = "tcp"
    from_port   = var.ssl_port
    to_port     = var.ssl_port
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 53
    to_port     = 53
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "udp"
    from_port   = 53
    to_port     = 53
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group_rule" "ingress_for_ecs" {
  description              = "This rule defines the ingress to ecs sg to avoid cyclic dependency."
  type                     = "ingress"
  from_port                = var.container_ssl_port
  to_port                  = var.container_ssl_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lb.id
  security_group_id        = aws_security_group.sp_collector_ecs_tasks.id
}

Do I need to set the following block, following the instructions here:

ssl-config {
  keyManager = {
    stores = [
      {type = "PKCS12", classpath = false, path = ${CERT_FILE}, password = "pass" }
    ]
  }
}

If yes, would you please guide me how to do it?

Hi @dadasami, the way you have configured the collector you are forcing the connection to be upgraded to TLS without having a valid TLS connection.

IF you want to terminate TLS at the load balancer you should update your config like so:

 # optional SSL/TLS configuration
 ssl {
   enable = false
   # whether to redirect HTTP to HTTPS
   redirect = false
   port = 9543
 }

IF you do want to use the TLS port on the Collector you need to configure a local SSL certificate private key for the collector to use - to generate a self-signed cert in bash you would do something like this:

ssl_dir=/opt/snowplow/ssl
mkdir -p ${ssl_dir}

# self-signed certificate and private key, valid for 10 years, no passphrase on the key
sudo openssl req \
  -x509 \
  -newkey rsa:4096 \
  -keyout ${ssl_dir}/collector_key.pem \
  -out ${ssl_dir}/collector_cert.pem \
  -days 3650 \
  -nodes \
  -subj "/C=UK/O=Acme/OU=DevOps/CN=*.acme.com"

# bundle key and certificate into a PKCS12 store with an empty password
sudo openssl pkcs12 \
  -export \
  -out ${ssl_dir}/collector.p12 \
  -inkey ${ssl_dir}/collector_key.pem \
  -in ${ssl_dir}/collector_cert.pem \
  -passout pass:

# the .p12 contains the private key; 644 makes it world-readable, so restrict it to the collector's user where you can
sudo chmod 644 ${ssl_dir}/collector.p12

You then configure the path to the "p12" file in your config:

  ssl-config {
    debug = {
      ssl = true
    }

    keyManager = {
      stores = [
        {type = "PKCS12", classpath = false, path = "/snowplow/ssl/collector.p12", password = "" }
      ]
    }

    loose {
      disableHostnameVerification = true
    }
  }

Note: If you are using a verified certificate you should not disable hostname verification.

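To make the port question concrete, here is an added Terraform example (not code from this thread or from Snowplow) that wires the ALB listener, target group and ECS service for both placements of TLS termination described in the reply above. It reuses the variable and security group names from the first post (var.container_port = 8000, var.container_ssl_port = 9543, var.ssl_port = 443, var.vpc_id, var.stage, aws_security_group.lb, aws_security_group.ecs_tasks) and introduces a few of its own as assumptions: var.certificate_arn (an ACM certificate for the public listener), var.public_subnet_ids, var.private_subnet_ids, var.ecs_cluster_id and var.task_definition_arn. It also assumes the collector answers its /health endpoint with a 200.

```hcl
# Added example, not from the thread. Picks the target port from where TLS terminates.
variable "tls_at_collector" {
  description = "false: ALB terminates TLS and forwards plain HTTP to 8000; true: ALB re-encrypts to the collector's TLS port 9543"
  type        = bool
  default     = false
}

locals {
  # The target group must point at the port the collector actually serves in the chosen
  # mode. An HTTP target group pointed at 9543 fails its health check because that
  # listener expects a TLS handshake; an HTTPS target group pointed at 8000 fails likewise.
  target_port     = var.tls_at_collector ? var.container_ssl_port : var.container_port
  target_protocol = var.tls_at_collector ? "HTTPS" : "HTTP"
}

resource "aws_lb" "collector" {
  name               = "sp-collector-${var.stage}"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids          # assumed variable
  security_groups    = [aws_security_group.lb.id]
}

resource "aws_lb_target_group" "collector" {
  name        = "sp-collector-${var.stage}"
  vpc_id      = var.vpc_id
  target_type = "ip"                                  # required for awsvpc / Fargate tasks
  port        = local.target_port
  protocol    = local.target_protocol

  health_check {
    protocol            = local.target_protocol
    port                = "traffic-port"
    path                = "/health"                   # assumed collector health endpoint
    matcher             = "200"                       # a redirect or TLS failure marks the task unhealthy
    interval            = 30
    healthy_threshold   = 2
    unhealthy_threshold = 3
  }
}

# Public listener: TLS from clients always terminates here with an ACM certificate.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.collector.arn
  port              = var.ssl_port
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn             # assumed variable

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.collector.arn
  }
}

# ALB egress and task ingress are derived from the same local, so they cannot
# drift from the target group port. These two rules replace the inline egress in
# aws_security_group.lb and the ingress_for_ecs rule from the first post.
resource "aws_security_group_rule" "lb_to_tasks" {
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = local.target_port
  to_port                  = local.target_port
  security_group_id        = aws_security_group.lb.id
  source_security_group_id = aws_security_group.ecs_tasks.id   # destination for an egress rule
}

resource "aws_security_group_rule" "tasks_from_lb" {
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = local.target_port
  to_port                  = local.target_port
  security_group_id        = aws_security_group.ecs_tasks.id
  source_security_group_id = aws_security_group.lb.id
}

resource "aws_ecs_service" "collector" {
  name            = "sp-collector-${var.stage}"
  cluster         = var.ecs_cluster_id                # assumed variable
  task_definition = var.task_definition_arn           # assumed variable
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets         = var.private_subnet_ids          # assumed variable
    security_groups = [aws_security_group.ecs_tasks.id]
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.collector.arn
    container_name   = "collector"                    # assumed container name in the task definition
    container_port   = local.target_port
  }
}
```

With tls_at_collector = false the collector config must have ssl.enable = false and redirect = false as the reply shows, and the task exposes only 8000 to the ALB. With tls_at_collector = true the collector needs the PKCS12 ssl-config from the reply and the target group speaks HTTPS to 9543; the ALB does not validate a self-signed target certificate, so traffic inside the VPC is encrypted but not authenticated. In either mode the health check only passes on a 200 from the target port, and Terraform's inline ingress/egress blocks must not be mixed with aws_security_group_rule resources on the same group, or the two will keep overwriting each other.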