I am currently in progress of setting up the official Docker image on AWS ECS.
While running on EC2 the docker image works perfectly fine.
However after starting it on ECS with the same configuration, I end up with broken avatar images.
Related errors:
Could not find file in the store located at url: //x-dev-xx-xxx-x.s3.dualstack.eu-central-1.amazonaws.com/original/1X/761c151e2d0ebedff3330dc6ec7a27050fef43f9.jpeg
and
Failed to process hijacked response correctly : FinalDestination::SSRFDetector::LookupFailedError : FinalDestination: lookup failed
The file is in the bucket and the access rights are the same as for the EC2 instance.
Can somebody please point me where I can dig deeper and find the root cause?
Yes. I use the environment variables that the run-cmd command generates. I could not spot an error so far.
Unfortunately I could not find some ECS examples for Discourse so far.
I found the root cause. Due to my setup of the Discourse AI plugin I had added a private Zone to the VPC to make the diverse services available VPC internally.
When running Discourse on an EC2 instance in a Docker container, the container gets a host name like 12-34-56-78-app. When running as an ECS task however you can not set the host name when in awsvpc mode, neither you can’t configure the DNS search domain. This leads to the fact that DNS resolution is different on ECS, in my case adding a search domain like xxxx.internal.
After digging around I found using tcpdump that Discourse tries to resolve its own FQDN as part of the SSRF checks. If this fails, the check fail. As a subsequent error the call to S3 fails with the bogus error message above.
The fix in my case was to add the FQDN record which is an alias to my Cloudfront distribution to my private DNS zone.
