The Amazon EC2 container service (ECS) provides a highly scalable, high-performance container management service that supports Docker containers. It allows you to easily run applications on a managed cluster of Amazon EC2 instances. Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. With simple API calls, you can launch and stop Docker-enabled applications and query the complete state of your cluster.
In the following example, we will see how to deploy a secured web application using two Docker containers, one containing a simple web application (application container), and the other containing a reverse proxy with throttling enabled (proxy container), which can be used to protect the web application. These containers will be deployed on the Amazon EC2 instance using ECS. As can be seen in the following diagram, all the network traffic will be routed through the proxy container that throttles requests. Also, we can perform activities such as filtering, logging, and intrusion detection at proxy containers using various security software.
The following are the steps to do so:
$ sudo yum install -y git
$ git clone https://github.com/awslabs/ecs-demo-php-simple-app
ecs-demo-php-simple-app folder:
$ cd ecs-demo-php-simple-app
Dockerfile as follows in order to understand the web application it will deploy:
$ cat Dockerfile
$ docker build -t my-dockerhub-username/amazon-ecs-sample .
The image built here must have your dockerhub-username (spelled correctly, without spaces) as the first part of its name.
The following figure depicts a hacker not able to access the web application, as the request is filtered via a proxy container and access is blocked:
$ docker login
$ docker info
$ docker push my-dockerhub-username/amazon-ecs-sample
$ mkdir proxy-container
$ cd proxy-container
$ nano Dockerfile

FROM ubuntu
RUN apt-get update && apt-get install -y nginx
COPY nginx.conf /etc/nginx/nginx.conf
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
EXPOSE 80
CMD service nginx start
The preceding Dockerfile uses a base Ubuntu image, installs nginx, and exposes it on port 80.
nginx.conf, which will override the default nginx.conf in order to ensure the reverse proxy is configured properly:

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    server {
        listen 80;

        # Proxy pass to servlet container
        location / {
            proxy_pass http://application-container:80;
        }
    }
}
$ docker build -t my-dockerhub-username/proxy-image .
$ docker push my-dockerhub-username/proxy-image
SecurityApp.

Proxy-container:
    Container Name: proxy-container
    Image: username/proxy-image
    Memory: 256
    Port Mappings
        Host port: 80
        Container port: 80
        Protocol: tcp
    CPU: 256
    Links: application-container

Application container:
    Container Name: application-container
    Image: username/amazon-ecs-sample
    Memory: 256
    CPU: 256
Click the Create button in order to deploy the application.
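The nginx.conf shown in the steps above only forwards requests to the application container; it contains no throttling directives. The following added example (not part of the original text) shows one way to enable per-client throttling in the proxy container with nginx's limit_req and limit_conn modules; the zone names, rates and limits are assumed values to tune for your application.

```nginx
# Added example, not from the original page.
# Zone names, rates and limits below are assumed values.
# No "daemon" directive here: the Dockerfile appends "daemon off;" to this file.
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
}

http {
    # Shared-memory zone keyed by client address: each address is allowed
    # an average of 10 requests per second.
    limit_req_zone $binary_remote_addr zone=per_ip_req:10m rate=10r/s;
    # Second zone used to cap concurrent connections per client address.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    # Answer throttled clients with 429 instead of the default 503, so
    # throttling can be told apart from backend failures in the logs.
    limit_req_status 429;
    limit_conn_status 429;
    # Rejected requests are written to the error log at this level.
    limit_req_log_level warn;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    server {
        listen 80;

        location / {
            # Allow short bursts of up to 20 requests, reject the excess.
            limit_req zone=per_ip_req burst=20 nodelay;
            # At most 10 simultaneous connections per client address.
            limit_conn per_ip_conn 10;

            # Pass the client address on so the application can log it.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # "application-container" resolves through the container link
            # defined in the task definition.
            proxy_pass http://application-container:80;
        }
    }
}
```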