<div dir="ltr">Great, thanks, that helps clear things up for me.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 28, 2017 at 4:17 PM, Carlos Agüero <span dir="ltr"><<a href="mailto:caguero@osrfoundation.org" target="_blank">caguero@osrfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">As far as I understand I'm using an EC2 instance with Nginx and a Dockerized Girder. <div><br></div><div>Having said that, the load balancer machine also has its own Nginx server, that's why there are two Nginx servers involved.</div><div><br></div><div>Nginx (load balancer)->Nginx (instance)->Girder Docker</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 27, 2017 at 1:03 PM, Michael Grauer <span dir="ltr"><<a href="mailto:michael.grauer@kitware.com" target="_blank">michael.grauer@kitware.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for sharing this Carlos, it is really helpful and will give us quite a leg up when we get back to Girder on EBS.<div><br></div><div>We'll let you know if we run into those same 301 issues with the health checker when we get there.</div><div><br></div><div><br></div><div>A quick question for you, what are your Girder instances, in terms of EBS containers? Are you using an EC2 instance with Nginx and a Dockerized Girder? 
At first I was thinking you were using the Docker runtime of EBS with Girder, and I couldn't figure out where the secondary Nginx was living, but it sounds more like EC2 (Nginx, Dockerized Girder) to me.</div><div><div class="m_727761573351780596h5"><div><br></div><div><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 27, 2017 at 1:33 PM, Carlos Agüero <span dir="ltr"><<a href="mailto:caguero@osrfoundation.org" target="_blank">caguero@osrfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 27, 2017 at 7:04 AM, Michael Grauer <span dir="ltr"><<a href="mailto:michael.grauer@kitware.com" target="_blank">michael.grauer@kitware.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>[...]</div></div></blockquote><span><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I hope you don't mind if I ask you some follow-up questions :) Just trying to understand your setup and choices in more detail.</div></div></blockquote><div><br></div></span><div>Of course! 
</div><span><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I agree that your security setup sounds reasonable, HTTPS to load balancer, HTTP from load balancer to Girder (though I have more questions on this below), assuming the instances are not visible to the outside world and only to the LB via the VPN, and Mongo/Instances talking to each other inside the same VPN. Out of curiosity (rather than suggesting a policy), how do you handle ssh: is each of the machines accessible over ssh, or do you have a VPN ssh gateway machine?</div></div></blockquote><div><br></div></span><div>Both the Girder instances and the EC2 machine with the Mongo database have public IP addresses, share the same VPC (private network) and all the machines support ssh access from the outside. On the instances under Elastic Beanstalk (Girder instances), this is the default behavior (you can create a key pair .pem file for sshing). On the EC2 instance with the Mongo DB, you have to attach a security group that configures the access. The inbound rule for port 22 is set to 0.0.0.0, allowing access from machines outside the private network. On the other hand, the rule for port 27017 restricts access to machines belonging to the same VPC. 
</div><span><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div><div>When you say load balancer, does that mean Elastic Load Balancer or something else? I'm confused about how you use Nginx, are you using ELB + Nginx, and if so how does ELB hand off to Nginx? Where does Nginx live, is it in a separate Docker container that redirects to the Girder instances?</div></div></blockquote><div><br></div></span><div>I meant the load balancer provided by Elastic Beanstalk. If I'm not wrong, the request hits the Nginx running on the load balancer. Then, the request is forwarded to one of the Girder instances running another Nginx. Then, the request is forwarded to the HTTP server running within the Docker container. You can SSH into all the machines (including the load balancer) if you want to poke around and see configurations, logs, etc. I was playing with /etc/nginx/conf.d/ configurations, restarting the service, like in any regular machine.</div><div><br></div><div>EB offers a way (although a bit convoluted in my opinion) to overload Nginx configuration files when you deploy new versions of your code. 
I'm doing this for tweaking the Nginx configuration in the Girder instances for redirecting non-https requests to https. The solution involves creating files under the .ebextension directory with some specific syntax. I managed to solve the http-->https redirection in a non-dockerized instance but I still have some issues here using Docker for Girder. In particular, EB includes a health checker that monitors the instances. When I enable the redirection, the load balancer receives a 301 response with the https URL redirection. The expected response was a 200 OK, and that makes the load balancer think that the instances are not behaving correctly. Maybe you have more experience than me dealing with Nginx configurations. </div><div> </div></div></div></div>
</blockquote></div><br></div></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
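The 301-versus-health-check problem Carlos describes above comes from the instance-side Nginx redirecting every plain-HTTP request, while the load balancer (which terminates TLS) talks to the instance over plain HTTP and so does its health checker. The following is an added example, not configuration from the thread, from Girder, or from Elastic Beanstalk: it shows the unconditional redirect beside a version that only redirects traffic the load balancer itself received over HTTP, and that serves the health check locally. Assumptions, all labelled in the comments: the health checker requests a path named /health, the load balancer sets the X-Forwarded-Proto header on forwarded client traffic, and the Girder container publishes its HTTP server on 127.0.0.1:8080.

```nginx
# Added example (not part of the thread). Instance-side Nginx sitting behind
# an Elastic Beanstalk load balancer that terminates TLS.
# Assumptions: health-check path is /health; the LB adds X-Forwarded-Proto
# to forwarded client traffic; Girder's container listens on 127.0.0.1:8080.

# --- Before: unconditional redirect. Every plain-HTTP request, including the
# LB's health check, gets a 301, so the LB marks the instance unhealthy. ---
# server {
#     listen 80;
#     return 301 https://$host$request_uri;
# }

# --- After: redirect only what the LB received over HTTP; answer the health
# check locally; proxy everything else to the container. ---
upstream girder {
    server 127.0.0.1:8080;   # assumed published port of the Girder container
}

server {
    listen 80;
    server_name _;

    # Health check (assumed path). Always a local 200, never a redirect,
    # so the LB keeps the instance in service while HTTPS is still enforced
    # for real clients.
    location = /health {
        access_log off;
        default_type text/plain;
        return 200 "ok\n";
    }

    # A client that reached the LB over plain HTTP arrives here with
    # X-Forwarded-Proto: http. Send it to the HTTPS listener on the LB.
    # Requests with no such header (the health check, or a direct hit on the
    # instance's public address) fall through to the proxy below; restrict
    # port 80 in the instance security group to the LB so that direct path
    # is not reachable from the internet.
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass http://girder;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the LB's view of the scheme through so the application can
        # build https:// links and set secure cookies correctly.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}
```

After deploying this through an .ebextensions override, point the environment's health check at /health and confirm from the instance that `curl -i http://127.0.0.1/health` returns 200 while `curl -i -H 'X-Forwarded-Proto: http' http://127.0.0.1/` returns the 301. The `if` block is one of the safe uses of `if` in Nginx (a bare `return` and nothing else); the header-based check is what keeps the redirect from firing on the health check. Note that the check trusts the X-Forwarded-Proto header, which is only sound when port 80 on the instance is reachable solely from the load balancer; with the instances holding public IPs as described in the thread, that restriction belongs in the security group, the same way port 27017 on the Mongo host is limited to the VPC.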