ufo 4.0.1 → 4.0.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/docs/_docs/ssl-support.md +3 -3
- data/lib/cfn/stack.yml +4 -0
- data/lib/template/.ufo/settings/cfn/default.yml.tt +15 -15
- data/lib/ufo/stack/context.rb +7 -1
- data/lib/ufo/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 90a5d05cdf6d22404d21a414946933e467f5ab1f85c153f4154512824ebfb58d
|
4
|
+
data.tar.gz: fd67d3241ea05d7508480ebaad399602f5bcd3ea51dbba4a65c63ffeab0edfc0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 456582ec11bd18087728e5318b61709c9c468887cd2e8ff1b03834ab52f1af324a3407af90bb39cd69f140f092f1cac0d39eb7e8d0c2ac5c062692a2d670a496
|
7
|
+
data.tar.gz: 5f05000fd4e83a257aac2e13ec075b58f1c470dc26838f96b16ebbaadccfaf9d814349e063fd74e8b1bc3d381a07e040c67dac71aa7fdb2f58b409b5d4bfd1a2
|
data/CHANGELOG.md
CHANGED
@@ -3,6 +3,11 @@
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
4
4
|
This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
5
5
|
|
6
|
+
## [4.0.2]
|
7
|
+
- Merge pull request #45 from tongueroo/ssl2
|
8
|
+
- default deregistration_delay 10
|
9
|
+
- improve ssl support, only create ssl listener when configured
|
10
|
+
|
6
11
|
## [4.0.1]
|
7
12
|
- Merge pull request #44 from tongueroo/ssl
|
8
13
|
- add listener_ssl resource for better ssl support
|
data/docs/_docs/ssl-support.md
CHANGED
@@ -4,7 +4,7 @@ title: SSL Support
|
|
4
4
|
|
5
5
|
## Application Load Balancers
|
6
6
|
|
7
|
-
If you are using an Application Load Balancer you can configure SSL support by
|
7
|
+
If you are using an Application Load Balancer you can configure SSL support by uncomment the `listener_ssl` option in `.ufo/settings/cfn/default.yml`. Here's an example:
|
8
8
|
|
9
9
|
```
|
10
10
|
listener_ssl:
|
@@ -22,7 +22,7 @@ Once this is configured, you deploy the app again:
|
|
22
22
|
|
23
23
|
## Network Load Balancers
|
24
24
|
|
25
|
-
Network Load Balancers work at layer 4, so they do not support SSL termination because SSL happens higher up in the OSI model
|
25
|
+
Network Load Balancers work at layer 4, so they do not support SSL termination because SSL happens higher up in the OSI model. With Network Load Balancers you must handle SSL termination within your app with the server you are using. For example, apache, nginx or tomcat.
|
26
26
|
|
27
27
|
You also will need to also configure the target group to check the port that your app server is listening to and configure the health_check_protocol to HTTPS. Here's an example:
|
28
28
|
|
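Review bot: the new line 25 ends in a sentence fragment, "For example, apache, nginx or tomcat."; fold it into the preceding sentence ("... within your app, for example with Apache, nginx or Tomcat."). Since line 27 tells the reader to set `health_check_protocol` to HTTPS, it is worth stating that the load balancer's health checker will then speak TLS to the container on the health-check port, so the app server must be serving TLS on that port or every target will be marked unhealthy.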
@@ -34,7 +34,7 @@ target_group:
|
|
34
34
|
health_check_protocol: HTTPS
|
35
35
|
```
|
36
36
|
|
37
|
-
The protocol in the case of the network load balancer is TCP and is configured to TCP by default by ufo for Network Load Balancers, so you don't have to configure
|
37
|
+
The protocol in the case of the network load balancer is TCP and is configured to TCP by default by ufo for Network Load Balancers, so you don't have to configure the protocol.
|
38
38
|
|
39
39
|
<a id="prev" class="btn btn-basic" href="{% link _docs/security-groups.md %}">Back</a>
|
40
40
|
<a id="next" class="btn btn-primary" href="{% link _docs/route53-support.md %}">Next Step</a>
|
data/lib/cfn/stack.yml
CHANGED
@@ -125,6 +125,7 @@ Resources:
|
|
125
125
|
Protocol: <%= @default_listener_protocol %>
|
126
126
|
<%= custom_properties(:Listener) %>
|
127
127
|
|
128
|
+
<% if @create_listener_ssl -%>
|
128
129
|
ListenerSsl:
|
129
130
|
Type: AWS::ElasticLoadBalancingV2::Listener
|
130
131
|
Condition: CreateElbIsTrue
|
@@ -136,6 +137,7 @@ Resources:
|
|
136
137
|
LoadBalancerArn: !Ref Elb
|
137
138
|
Protocol: <%= @default_listener_ssl_protocol %>
|
138
139
|
<%= custom_properties(:ListenerSsl) %>
|
140
|
+
<% end -%>
|
139
141
|
|
140
142
|
<% if @elb_type == "application" -%>
|
141
143
|
ElbSecurityGroup:
|
@@ -149,10 +151,12 @@ Resources:
|
|
149
151
|
FromPort: '<%= cfn[:listener][:port] %>'
|
150
152
|
ToPort: '<%= cfn[:listener][:port] %>'
|
151
153
|
CidrIp: 0.0.0.0/0
|
154
|
+
<% if @create_listener_ssl -%>
|
152
155
|
- IpProtocol: tcp
|
153
156
|
FromPort: '<%= cfn[:listener_ssl][:port] %>'
|
154
157
|
ToPort: '<%= cfn[:listener_ssl][:port] %>'
|
155
158
|
CidrIp: 0.0.0.0/0
|
159
|
+
<% end -%>
|
156
160
|
SecurityGroupEgress:
|
157
161
|
- IpProtocol: tcp
|
158
162
|
FromPort: '0'
|
data/lib/template/.ufo/settings/cfn/default.yml.tt
CHANGED
@@ -25,7 +25,7 @@ target_group:
|
|
25
25
|
# unhealthy_threshold_count: 10
|
26
26
|
target_group_attributes:
|
27
27
|
- key: deregistration_delay.timeout_seconds
|
28
|
-
value:
|
28
|
+
value: 10
|
29
29
|
|
30
30
|
# https://docs.aws.amazon.com/fr_fr/elasticloadbalancing/latest/APIReference/API_CreateListener.html
|
31
31
|
#
|
@@ -43,21 +43,21 @@ listener:
|
|
43
43
|
|
44
44
|
# If HTTPS and SSL is required then the listener_ssl config is what you need.
|
45
45
|
# Application ELBs support SSL termination.
|
46
|
-
# Network load balancers do not
|
46
|
+
# Network load balancers do not and must pass the request through to the app
|
47
|
+
# to handle SSL termination.
|
47
48
|
#
|
48
|
-
# ufo
|
49
|
-
#
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
# - certificate_arn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
|
49
|
+
# ufo creates an ssl listener when listener_ssl is set.
|
50
|
+
# listener_ssl:
|
51
|
+
# port: 443
|
52
|
+
# # protocol: TCP # valid values - application elb: HTTP HTTPS, network elb: TCP
|
53
|
+
# # ufo handles setting the defaults:
|
54
|
+
# # application elb: HTTPS
|
55
|
+
# # network elb: TCP
|
56
|
+
# # Certificates are supported by application load balancers only.
|
57
|
+
# # Network load balancers do not support SSL termination so do not support
|
58
|
+
# # certificates.
|
59
|
+
# # certificates:
|
60
|
+
# # - certificate_arn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
|
61
61
|
|
62
62
|
|
63
63
|
# Configure dns to automatically be associated with the ELB dns name.
|
data/lib/ufo/stack/context.rb
CHANGED
@@ -32,6 +32,7 @@ class Ufo::Stack
|
|
32
32
|
default_target_group_protocol: default_target_group_protocol,
|
33
33
|
default_listener_protocol: default_listener_protocol,
|
34
34
|
default_listener_ssl_protocol: default_listener_ssl_protocol,
|
35
|
+
create_listener_ssl: create_listener_ssl?,
|
35
36
|
}
|
36
37
|
# puts "vars:".colorize(:cyan)
|
37
38
|
# pp vars
|
@@ -52,7 +53,12 @@ class Ufo::Stack
|
|
52
53
|
|
53
54
|
def default_listener_ssl_protocol
|
54
55
|
return 'TCP' if elb_type == 'network'
|
55
|
-
|
56
|
+
'HTTPS'
|
57
|
+
end
|
58
|
+
|
59
|
+
# if the configuration is set to anything then enable it
|
60
|
+
def create_listener_ssl?
|
61
|
+
cfn[:listener_ssl] && cfn[:listener_ssl][:port]
|
56
62
|
end
|
57
63
|
|
58
64
|
def container
|
data/lib/ufo/version.rb
CHANGED