
I have a Google Cloud VM which runs a docker image. The docker image runs a specific Java app which runs on port 1024. I have pointed my domain DNS to the VM public IP.

This works, as I can go to mydomain.com:1024 and access my app, since Google Cloud directly exposes the docker port as a public port. However, I want to access the app through https://example.com (port 443). So basically map port 443 to port 1024 in my VM.

Note that my docker image starts an nginx service. Previously I configured the Java app to run on port 443, then the nginx service listened on 443 and Google Cloud exposed this HTTPS port so everything worked fine. But I cannot use port 443 anymore for my app for specific reasons.

Any ideas? Can I configure nginx somehow to map to this port? Or do I set up a load balancer to proxy the traffic (which seems rather complex as this is all pretty new to me)?

PS: in Google Cloud you cannot use "docker run -p 443:1024 ...", which basically does the same if I am right. But the containerized VMs do not allow this.

Marcel
  • You'd need to implement a load balancer and set up port forwarding https://cloud.google.com/load-balancing/docs/protocol-forwarding – Liam Oct 04 '22 at 15:17
  • It looks like [this question is a duplicate](https://stackoverflow.com/questions/45136282/how-to-port-forward-google-compute-engine-instance) – Liam Oct 04 '22 at 15:20
  • Thanks! I will look into this. I already looked into load balancing but then I needed to create a proxy-only subnet and specify a custom IP address range and it all got a bit too complicated for me. I will look into the port forwarding specifically. – Marcel Oct 04 '22 at 15:23
  • @Liam - your link is not a duplicate question. COS is a different beast to manage. – John Hanley Oct 05 '22 at 00:04

1 Answer

Container Optimized OS maps ports one to one. Port 1000 in the container is mapped to 1000 on the public interface. I am not aware of a method to change that.

For your case, use Compute Engine with Docker or a load balancer to proxy connections.

Note: if you use a load balancer, your app does not need to manage SSL/TLS. Offload SSL/TLS to the load balancer and just publish HTTP within your application. Google can then manage your SSL certificate issuance and renewal for you. You will find that managing SSL certificates for containers is a deployment pain.

John Hanley
  • Thanks John, this is helpful. I have been trying for a day already to get the load balancer to work with SSL. But I constantly get upstream errors. For example, now I have an upstream error, OpenSSL version blabla.. it might be that I have SSL on my docker container? My app is published on port 1024, so you suggest just having nginx listen on 1024 and then a load balancer with SSL mapping 443 to 1024? – Marcel Oct 06 '22 at 10:34
  • @Marcel - yes, you could configure Nginx to proxy for your application. However, I recommend using a load balancer and offloading the proxying of connections, HTTP/HTTPS schemes, and SSL certificate management. – John Hanley Oct 06 '22 at 11:05
  • Ok thanks! Can my docker app still publish an nginx interface and I add a load balancer on top of this? I use a framework and the way this framework works is it automatically starts an nginx server on top of the Java app. So I have now deployed the docker image and I can access it through myip:1024. This is already an nginx interface I am seeing. Now I would like to add example.com and point it to the load balancer. The load balancer has an SSL frontend and the backend points to the VM:1024. Is this possible? Because whatever I try, the load balancer results in some kind of error. – Marcel Oct 06 '22 at 12:39
  • Latest error from the load balancer: "upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER " My docker image has only the HTTP 1024 port exposed. My load balancer is an external HTTPS load balancer with the SSL certs for my domain added. PS: I can change very little about my setup because I use a framework; even the docker image is a standardized format which I'd rather not change. – Marcel Oct 06 '22 at 12:40
  • Never mind, I got it working in the end. The problem was that I had configured the backend to use HTTPS as the protocol to communicate with my VM instance. I changed this to HTTP and it's working now. I pointed my domain to the load balancer frontend and it's showing the app on HTTPS with a valid certificate. Is this the way it's supposed to work? Any downsides or security risks? For sure I need to check the firewall I guess, since I can still access serverip:1024 over HTTP. – Marcel Oct 06 '22 at 16:12
  • The typical configuration is to offload HTTPS to the load balancer and communicate via HTTP with the backends. That does mean that traffic between the load balancer and the backend is unencrypted. Unless you are in a high-security environment (government, military, banking, etc.), that is not a problem as traffic stays within the Google backbone. HTTPS encryption is a CPU intensive operation. By offloading HTTPS you will improve application performance plus the other benefits from having a load balancer (DoS protection, global POPs (Points of Presence), health checks, CDN, Cloud Armor, etc). – John Hanley Oct 06 '22 at 17:37
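The two loose ends in this thread are the backend protocol (HTTPS pointed at a plain-HTTP container produced the WRONG_VERSION_NUMBER error) and the fact that the unencrypted port 1024 stays reachable from the whole internet after TLS is offloaded. The script below is an added example, not code from the question or answer: it builds the gcloud commands that create an HTTP (not HTTPS) backend service and replace the open firewall rule on tcp:1024 with one that only admits Google's documented load-balancer and health-check source ranges. Project, network, target tag and resource names are placeholders; the commands are printed by default and only executed with DRY_RUN=0.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumed placeholders below.
set -euo pipefail

PROJECT="${PROJECT:-my-project-id}"       # placeholder project id
NETWORK="${NETWORK:-default}"             # VPC network the COS VM lives in
TAG="${TAG:-java-app}"                    # network tag applied to the VM
APP_PORT="${APP_PORT:-1024}"              # plain-HTTP port the container exposes
HEALTH_CHECK="${HEALTH_CHECK:-java-app-hc}"

# Documented source ranges Google's external HTTP(S) LB proxies and health
# checkers use to reach backends; only these should reach the HTTP port.
LB_RANGES="130.211.0.0/22,35.191.0.0/16"

# Backend must be HTTP: the container speaks plain HTTP, so an HTTPS backend
# protocol makes the LB attempt TLS against it and fail (WRONG_VERSION_NUMBER).
backend_service_cmd() {
  printf 'gcloud compute backend-services create java-app-backend --project=%s --global --protocol=HTTP --port-name=http%s --health-checks=%s' \
    "$PROJECT" "$APP_PORT" "$HEALTH_CHECK"
}

# Allow tcp:APP_PORT only from the LB/health-check ranges (priority 1000).
firewall_allow_lb_cmd() {
  printf 'gcloud compute firewall-rules create allow-lb-to-%s --project=%s --network=%s --direction=INGRESS --priority=1000 --action=ALLOW --rules=tcp:%s --source-ranges=%s --target-tags=%s' \
    "$TAG" "$PROJECT" "$NETWORK" "$APP_PORT" "$LB_RANGES" "$TAG"
}

# Explicit deny for everyone else at a lower precedence (higher number), so a
# leftover 0.0.0.0/0 allow on this port elsewhere cannot silently win.
firewall_deny_public_cmd() {
  printf 'gcloud compute firewall-rules create deny-public-%s --project=%s --network=%s --direction=INGRESS --priority=1100 --action=DENY --rules=tcp:%s --source-ranges=0.0.0.0/0 --target-tags=%s' \
    "$TAG" "$PROJECT" "$NETWORK" "$APP_PORT" "$TAG"
}

run_or_print() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

run_or_print "$(backend_service_cmd)"
run_or_print "$(firewall_allow_lb_cmd)"
run_or_print "$(firewall_deny_public_cmd)"
```

After applying the rules, a direct request to serverip:1024 from outside Google's ranges should time out while the load balancer frontend keeps serving the app.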