Can someone please help me deploy my app to ECS Fargate with HTTPS?


I am stuck trying to configure my service target groups, security groups and load balancer to deploy my app with HTTPS.

I already have the cluster, the domain name on Route 53, the certificate on ACM, and I also created a task definition following my docker-compose.yaml file:

version: "3.8"
    build: ./api
      - .env

    build: ./client
      - api

    restart: always
    build: ./nginx
      - "80:80"
      - api
      - client

I added the Nginx container to route traffic because I saw a tutorial saying that it would be necessary, but the setup there was a little different than mine.

Later I found some answers to a reddit question saying that the certificate should be placed in the load balancer and not on Nginx, if I understood it right.

So do I even need Nginx at all? Anyway, this is the current default.conf file and the Dockerfile at the Nginx folder:

upstream client {
    server client:3000;

upstream api {
    server api:5000;

server {
    listen 80;

    location / {
        proxy_pass http://client;

    location /sockjs-node {
        proxy_pass http://client;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

    location /api {
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
FROM nginx
COPY ./default.conf /etc/nginx/conf.d/default.conf

It is working on my machine, I run "docker compose up" and I can access the client on localhost:80, the client talks to the api and all.

2 Antworten


You don't need nginx as reverse proxy, you can directly use the ELB. Take a look at this article: The related documentation can be found here:

Effectively you will have a Route53 -> Application Load Balancer 443 + certificate -> Target Group port 3000 for "client" -> ECS

profile pictureAWS
beantwortet vor einem Jahr

It's a very common pattern to terminate your TLS connection at the ALB, but keep in mind that the ALB is not a web server, which is what you need NGINX for. If you need end to end HTTPS, there are a couple of different ways to achieve this:

To terminate TLS at the ALB, you'd simply have a listener on port 443 that points to your target group on port 80 (or whatever port you want to map).

beantwortet vor einem Jahr
  • I created a security group with one inbound rule: https 443 anywhere ipv4

    A target group http 3000

    A Load balancer with one listener (https 443) pointing target group just I created, and the ACM certificate

    Created the task definition (the api exposes port 5000 and the client exposes port 3000)

    Then I Launched the service and tried to access by the dns name or to the domain name but the requests all timeout.

    Can you please point out what I am doing wrong?

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen