Aws security group whitelist, Nginx running in ecs -> load balancer
Question
I have an Nginx container in public subnets proxying requests to a load balancer in the same public subnets.
The following is a location block in my nginx.conf
location ~* "^/[a-z]{2}_[a-z]{2}/somelocation/(.*)$" {
    # $request_uri is the client's full original URI, appended after /rest/
    proxy_pass https://my-lb.region.elb.amazonaws.com/rest/$request_uri;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # the caller's X-Access-Token header is forwarded as Authorization
    proxy_set_header Authorization $http_x_access_token;
}
The issue I'm having is that whitelisting the Nginx ecs security group on the ALB security group for the HTTPS protocol is not working.
I can tell that it is the security group causing the issue as, when I whitelist ALL ips and protocols, it works as intended.
I've tried multiple security groups, going so far as to create one that does nothing just to add to the alb.
The exact flow of a request is this:
Client -> alb#1 -> nginx in ecs -> alb#2 -> BE application in ec2
ALB#1's security group is whitelisted on the nginx ecs container and connects correctly.
Answer 1
Score: 1
It sounds like your load balancer is a public load balancer. That means it will have a public IP address, not an internal VPC IP address. In this scenario, Nginx is resolving the IP address of the load balancer to be outside of the VPC, so it is forwarding the traffic out of the VPC, which AWS then routes back into the VPC to your load balancer. Unfortunately, when traffic exits the VPC and comes back in like that, the association with the originating security group is lost, which is why your security group rule isn't working.
The solution is to convert the load balancer to an internal load balancer, which will only be accessible from within the VPC and only have an internal VPC IP address. Then all traffic from Nginx to the load balancer will remain inside the VPC and retain the association with the security group.
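As an added example (not code from the question or the answer), the following Python script turns the answer's reasoning into a check a practitioner can run before touching security groups: given a load balancer's scheme and the addresses its DNS name resolves to, it reports whether an ingress rule that references the Nginx task's security group can match at all. The `LoadBalancer` class, `diagnose` function and the sample addresses are constructed for this illustration; `lb_from_describe` reads the `LoadBalancerName`, `Scheme` and `DNSName` fields that `aws elbv2 describe-load-balancers` returns, and `resolve` does a live lookup if you want to feed it the real name.

```python
"""Check whether a security-group-referenced ALB ingress rule can match
traffic from an Nginx task in ECS (added example, not the question's or
the answer's own code).

The answer's point: an ingress rule on the ALB's security group that names
the Nginx task's security group as the source only matches packets that
arrive from a private VPC address. If the ALB is internet-facing, its DNS
name resolves to public addresses, the connection leaves the VPC and comes
back with no security-group association, and the rule never matches.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import List


@dataclass
class LoadBalancer:
    """Hypothetical container for the fields this check needs."""
    name: str
    scheme: str            # "internet-facing" or "internal", as elbv2 reports it
    dns_name: str
    addresses: List[str] = field(default_factory=list)  # what dns_name resolves to


def lb_from_describe(entry: dict, addresses: List[str]) -> LoadBalancer:
    """Build a LoadBalancer from one element (LoadBalancers[i]) of
    `aws elbv2 describe-load-balancers` output plus the resolved addresses."""
    return LoadBalancer(
        name=entry["LoadBalancerName"],
        scheme=entry["Scheme"],
        dns_name=entry["DNSName"],
        addresses=list(addresses),
    )


def resolve(dns_name: str) -> List[str]:
    """Live DNS lookup of the load balancer name (needs network; the
    constructed samples below do not call it)."""
    infos = socket.getaddrinfo(dns_name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_private(ip: str) -> bool:
    """True for addresses inside the VPC ranges (RFC 1918 and friends).
    Unparseable input counts as not private, so the check fails closed."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def sg_reference_can_match(lb: LoadBalancer) -> bool:
    """An 'allow 443 from sg-<nginx>' rule on the ALB security group can only
    match if every address Nginx will connect to is inside the VPC."""
    return bool(lb.addresses) and all(is_private(a) for a in lb.addresses)


def diagnose(lb: LoadBalancer) -> str:
    """Human-readable verdict for one load balancer."""
    if sg_reference_can_match(lb):
        return (f"ok: {lb.name} ({lb.scheme}) is reached on private addresses; "
                "the SG-referenced rule can match")
    public = [a for a in lb.addresses if not is_private(a)]
    return (f"mismatch: {lb.name} ({lb.scheme}) resolves to public address(es) "
            f"{public}; traffic leaves the VPC and returns without its "
            "security-group association. Use an internal load balancer.")


# Constructed samples: the public ALB#2 from the question and an internal
# replacement. The addresses and the internal DNS name are made up.
PUBLIC_LB = lb_from_describe(
    {"LoadBalancerName": "my-lb", "Scheme": "internet-facing",
     "DNSName": "my-lb.region.elb.amazonaws.com"},
    ["52.0.0.10", "3.0.0.20"],
)
INTERNAL_LB = lb_from_describe(
    {"LoadBalancerName": "my-lb-internal", "Scheme": "internal",
     "DNSName": "internal-my-lb.region.elb.amazonaws.com"},
    ["10.0.1.15", "10.0.2.27"],
)

if __name__ == "__main__":
    for lb in (PUBLIC_LB, INTERNAL_LB):
        print(diagnose(lb))
```

Feed `resolve("my-lb.region.elb.amazonaws.com")` into `lb_from_describe` to test the real ALB: addresses in 10/8, 172.16/12 or 192.168/16 mean the connection from Nginx never leaves the VPC. The scheme of an ALB is fixed when it is created (`aws elbv2 create-load-balancer --scheme internal`), so in practice "converting" means creating an internal ALB, pointing the `proxy_pass` host at its DNS name, and retiring the public one.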
Comments