Elastic-beanstalk service listening to non-standard port

Question

I am trying to deploy on AWS Elastic Beanstalk a Dockerized server (actually Minecraft/Forge server) that listens to port 25565. The configuration I'd like to use is a simple single-container docker configuration.

I tested the Docker image locally on my desktop and it works as expected (a Minecraft client can connect to it).

I can see that the AWS EB environment is started correctly (green) and the logs of my server indicate that it comes up correctly. As the environment is brought up, I see that a new security group is created for it. I go and edit it to open the 25565 TCP and UDP port, allowing connection from anywhere.

However, all connections from the internet to the allocated Elastic IP are refused no matter what I do - tested from both a minecract client and a stupid netcat command-line.

I tried to redeploy the environment with and without a proxy, with the same results.

What am I missing?

Answer 1

Fixed. Answering myself, for future reference.

There were two basic problems:

1. EB really (really!) wants to get connections on port 80 from the public internet. At deployment time it creates a new security group for the environment, which opens port 80. Editing that group to open more ports does not help because of problem #2.
2. The default configuration for a single-instance docker environment will deploy with nginx as a reverse proxy, mapping port 80 of the instance to whatever port was configured as the HostPort in Dockerrun.aws.json (or to the ContainerPort if no HostPort is defined). This is a problem for a Minecraft client/server connection, because nginx is at bottom a web server, and the client sends packets that are not valid HTTP requests.

So, the solution is to:

1. Make the client connect to port 80, specifying it as IP_ADDRESS:80
2. Remove nginx from the configuration. The easiest way to do so is through the Web UI: after the EB environment launches, click the Configuration link, then the Modify button in the Software section; select None from the Proxy Server pulldown at the top, then click the Apply Configuration button. The environment will be re-deployed, but with port 80 mapped straight to the docker container through iptables, without a reverse proxy in between.