Load Balancers

Once you have containers running, the next step is to allow them to be accessed from the Internet. Convox automatically sets up and configures load balancers appropriately to route traffic to your containers.

Configuration

Load balancers will be automatically created for any ports listed in your docker-compose.yml.

web:
  build: .
  command: bin/web
  ports:
    - 80:5000
worker:
  build: .
  command: bin/worker

In this example, Convox will create a load balancer in front of the web process. This load balancer will accept traffic from the Internet on port 80 and forward it to the web containers on port 5000.

Convox will only create a load balancer for ports in your docker-compose.yml file, not in your Dockerfile.

Balancer Hostname

You can find the load balancer hostname(s) for your application using convox apps info:

$ convox apps info
Name       docs
Status     running
Release    RHUFNNNVEAP
Processes  web
Endpoints  docs-web-R72RMTP-326048479.us-east-1.elb.amazonaws.com:80 (web)

Advanced Options

Internal Load Balancers

You can create a load balancer that is only accessible inside your Rack by specifying a single port:

web:
  ports:
    - "5000"

Note: Convox creates only one load balancer per service. If you specify both internal and external ports, only an internal load balancer will be created. This is due to the fact that while an ELB can have listeners on multiple ports, an ELB itself can only be either internal or external.

Balancer Protocol

You can specify one of four protocol types for a load balancer port in your docker-compose.yml:

web:
  labels:
    - convox.port.443.protocol=https
  ports:
    - "443:5000"
Protocol Notes
http Unencrypted HTTP (includes common HTTP headers but does not support websockets)
https Encrypted HTTP (includes common HTTP headers but does not support websockets)
tcp Unencrypted TCP (arbitrary TCP including websockets, no HTTP header injection)
tls Encrypted TCP (arbitrary TCP including websockets, no HTTP header injection)

If no protocol label is specified, the default of tcp will be used.

Health Check Options

By default Convox will set up a tcp health check to your application. For more information, see Health Checks.

End-to-end encryption

By default, HTTPS/TLS is terminated at the load balancer, and the resulting data is transmitted unencrypted to your application. This is OK, because traffic between your load balancer and your application happens entirely on your Rack’s internal network. However, for extra security you can encrypt the traffic between your load balancer and application by setting the convox.port.<port>.secure label.

web:
  labels:
    - convox.port.443.secure=true
    - convox.port.443.protocol=https
  ports:
    - "443:5001"

When you use this option you will need to terminate HTTPS or TLS directly inside your application or with a reverse proxy like nginx or haproxy.

PROXY protocol

When using the tcp or tls protocols, standard proxy HTTP headers like X-Forwarded-For are not injected. You can get access to information about the remote endpoint using the PROXY protocol. Once you configure your application to accept this extra header you can configure your load balancer to send it in your docker-compose.yml:

web:
  labels:
    - convox.port.443.protocol=tls
    - convox.port.443.proxy=true
  ports:
    - "443:5000"

Limited Application Access

For security reasons, access to an application might need to be limited. To achieve this, an existing security group can be applied to an application’s load balancer. For example, within said security group, access can be granted only to an office VPN.

This is done via an application parameter with a known security group ID:

convox apps params --app <name> set SecurityGroup=sg-123456

Validate the setting has been applied by running:

convox apps params --app <name>

For further reading on security groups, check out the AWS documentation and CLI reference.

See also