Add docs for new docker for aws ELB HTTPS protocol feature#3945
Add docs for new docker for aws ELB HTTPS protocol feature#3945mdlinville merged 3 commits intodocker:vnext-enginefrom
Conversation
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
docker-for-aws/load-balancer.md
Outdated
|
|
||
| ### HTTPS vs SSL load balancer protocols | ||
|
|
||
| The elastic load balancer allows you to configure which protocol your listener will support. Originally, only `TCP` and `SSL` was supported. This was limiting because when you use `TCP` or `SSL` it doesn't include the HTTP headers that most applications use to determine the requestor's original IP address. `TCP` and `SSL` does support the [Proxy Protocol](http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol), but most applications aren't setup to support it. |
There was a problem hiding this comment.
I don't think the docs should have the history of the product embedded, but it's great we cover the trade-offs between the two options and proxy-protocol stuff.
There was a problem hiding this comment.
Open to suggestions, but I feel it is important to let people know how it used to work and how it works now, so they are not confused with the change. We can remove this once it becomes a standard feature in a stable release.
There was a problem hiding this comment.
Docker for AWS version 17.07.0 and later also support the HTTPS listener protocol when using ACM certificates.
Use the HTTPS protocol if your app relies on checking the `X-Forwarded-For` header for resolving the client IP address. Note that the client IP is also available with `SSL` by using the [Proxy Protocol](http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol), but many apps and app frameworks don't support this.
The only valid options are `HTTPS` and `SSL`. Specifying any other value will cause `SSL` to be selected. For backwards compatibility the default protocol is `SSL`.
docker-for-aws/load-balancer.md
Outdated
|
|
||
| The elastic load balancer allows you to configure which protocol your listener will support. Originally, only `TCP` and `SSL` was supported. This was limiting because when you use `TCP` or `SSL` it doesn't include the HTTP headers that most applications use to determine the requestor's original IP address. `TCP` and `SSL` does support the [Proxy Protocol](http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol), but most applications aren't setup to support it. | ||
|
|
||
| Starting with `Docker for AWS 17.07.0` it is now possible to specify if you want `HTTPS` or `SSL` as the load balancer protocol when using an ACM certificate. If you do not specify the protocol it will default to `SSL (TCP)` so that it is backwards compatible with older versions. The only valid options are `HTTPS` or `SSL`, if you put any other value, it will default to `SSL`. |
There was a problem hiding this comment.
I think ideally we should error on invalid input. A user (not having read these docs) providing invalid input and getting back SSL might surmise that there's a bug in the product.
There was a problem hiding this comment.
The problem is there is no place to show the error, it is in the l4controller on the master node so it is hidden. Better to default to something and still work, then break silently and be confusing for the person.
docker-for-aws/load-balancer.md
Outdated
| com.docker.aws.lb.arn="arn:...@443" | ||
| ``` | ||
|
|
||
| #### A SSL (TCP) listener on port 443 |
There was a problem hiding this comment.
Move with the above header, as an equivalent to @SSL:443
FrenchBen
left a comment
FrenchBen
left a comment
There was a problem hiding this comment.
Small comment, otherwise LGTM
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
|
@friism better? |
|
lgtm! |
|
This relies upon a version of Docker that is not yet released, and needs to be based on the |
|
@mstanleyjones thank you! |
5 participants
Proposed changes
I added some documentation for a new feature that is added to docker for aws 17.07.0 related to the AWS ELB
Signed-off-by: Ken Cochrane kencochrane@gmail.com
/cc @FrenchBen @ddebroy @friism