Can someone please help me deploy my app to ECS Fargate with HTTPS?


I am stuck trying to configure my service target groups, security groups and load balancer to deploy my app with HTTPS.

I already have the cluster, the domain name on Route 53, the certificate on ACM, and I also created a task definition following my docker-compose.yaml file:

version: "3.8"
services:
  api:
    build: ./api
    env_file:
      - .env

  client:
    build: ./client
    depends_on:
      - api

  nginx:
    restart: always
    build: ./nginx
    ports:
      - "80:80"
    depends_on:
      - api
      - client

I added the Nginx container to route traffic because I saw a tutorial saying that it would be necessary, but the setup there was a little different than mine.

Later I found some answers to a Reddit question saying that the certificate should be placed in the load balancer and not on Nginx, if I understood it right.

So do I even need Nginx at all? Anyway, this is the current default.conf file and the Dockerfile at the Nginx folder:

upstream client {
    server client:3000;
}

upstream api {
    server api:5000;
}

server {
    listen 80;

    # Everything else goes to the client
    location / {
        proxy_pass http://client;
    }

    # WebSocket upgrade for the client dev server
    location /sockjs-node {
        proxy_pass http://client;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # Strip the /api prefix before passing the request to the api
    location /api {
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
    }
}

FROM nginx
COPY ./default.conf /etc/nginx/conf.d/default.conf

It is working on my machine, I run "docker compose up" and I can access the client on localhost:80, the client talks to the api and all.

2 Answers


You don't need nginx as a reverse proxy; you can use the ELB directly. Take a look at this article: The related documentation can be found here:

Effectively you will have a Route53 -> Application Load Balancer 443 + certificate -> Target Group port 3000 for "client" -> ECS

AWS
answered a year ago

It's a very common pattern to terminate your TLS connection at the ALB, but keep in mind that the ALB is not a web server, which is what you need NGINX for. If you need end to end HTTPS, there are a couple of different ways to achieve this:

To terminate TLS at the ALB, you'd simply have a listener on port 443 that points to your target group on port 80 (or whatever port you want to map).

answered a year ago
  • I created a security group with one inbound rule: HTTPS 443 from anywhere (IPv4)

    A target group: HTTP 3000

    A load balancer with one listener (HTTPS 443) pointing to the target group I just created, and the ACM certificate

    Created the task definition (the api exposes port 5000 and the client exposes port 3000)

    Then I launched the service and tried to access it by the DNS name or the domain name, but the requests all time out.

    Can you please point out what I am doing wrong?
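
Added example, not part of the thread: a small Python check of the path the answers describe (HTTPS listener on 443 with the ACM certificate, target group on port 3000, security groups in front of the load balancer and the tasks). The security group names, the ARN placeholder, and the assumption that one security group is attached to both the load balancer and the tasks are constructed for illustration.

```python
# Added example: static check of an ALB -> Fargate path. All IDs and values are
# constructed; they model a setup like the one in the comment, not a real account.
ANY = "0.0.0.0/0"

def allows(sg, port, source):
    """True if an inbound rule of `sg` admits `source` (CIDR or SG id) on `port`."""
    return any(r["from"] <= port <= r["to"] and r["source"] in (source, ANY)
               for r in sg["inbound"])

def check_path(cfg):
    """Return reasons the HTTPS path is broken or the tasks are overexposed."""
    sgs, tg, lst, findings = cfg["security_groups"], cfg["target_group"], cfg["listener"], []
    alb_sg, task_sg = sgs[cfg["alb_sg"]], sgs[cfg["task_sg"]]
    if lst["protocol"] != "HTTPS" or not lst.get("certificate_arn"):
        findings.append("listener is not HTTPS with an ACM certificate")
    if not allows(alb_sg, lst["port"], ANY):
        findings.append(f"ALB SG blocks clients on {lst['port']}")
    if tg["port"] not in cfg["container_ports"]:
        findings.append(f"no container listens on target port {tg['port']}")
    # Tasks in awsvpc mode have their own ENI: the ALB must be admitted on the target port.
    if not allows(task_sg, tg["port"], cfg["alb_sg"]):
        findings.append(f"task SG blocks ALB on {tg['port']} (health checks and requests fail)")
    elif any(r["source"] == ANY and r["from"] <= tg["port"] <= r["to"]
             for r in task_sg["inbound"]):
        findings.append(f"task SG exposes {tg['port']} to the internet, bypassing the ALB")
    return findings

AS_DESCRIBED = {
    "listener": {"protocol": "HTTPS", "port": 443, "certificate_arn": "arn:aws:acm:EXAMPLE"},
    "target_group": {"protocol": "HTTP", "port": 3000},
    "container_ports": [3000, 5000],
    "alb_sg": "sg-web", "task_sg": "sg-web",  # assumption: one SG reused for both
    "security_groups": {"sg-web": {"inbound": [{"from": 443, "to": 443, "source": ANY}]}},
}
CORRECTED = {
    **AS_DESCRIBED, "alb_sg": "sg-alb", "task_sg": "sg-task",
    "security_groups": {
        "sg-alb": {"inbound": [{"from": 443, "to": 443, "source": ANY}]},
        # Only the load balancer's security group may reach the container port.
        "sg-task": {"inbound": [{"from": 3000, "to": 3000, "source": "sg-alb"}]},
    },
}

if __name__ == "__main__":
    for name, cfg in (("as described", AS_DESCRIBED), ("corrected", CORRECTED)):
        print(name, "->", check_path(cfg) or "path open, tasks reachable only via the ALB")
```

Referencing the load balancer's security group as the source in the task security group keeps plain HTTP on port 3000 reachable only from the ALB, so TLS termination at the listener cannot be bypassed.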
