This repository is for historic purposes only. Use traefik or another sensible https proxy.
https-proxy terminates a HTTPS connection for a linked dockers unencrypted web service. If you bind both https-proxy ports, 80 and 443 to the host, port 80 will redirect all requests to port 443.
This docker is configured to get A+ on sslabs.com.
-
6
,6.1
Apache hardening.
Header set Referrer-Policy "strict-origin"
-
6.0
Upped to Debian Stable slim base image.
-
5
Upped to Debian Buster.
-
4
,4.1
Pull request from triplepoint: Dockerfile Add proxypass configuration option as an environment variable. ProxyPass directive is now configurable, see Apache
mod_proxy
ProxyPass directive for more information.PROXYPASS_CONFIG retry=60
-
4.0
Updated for easier use with letsencrypt.org, see under certificate naming. Added new environment variables for certificate names
SSL_CERT_FILE /etc/ssl/private/cert.pem SSL_PRIVKEY_FILE /etc/ssl/private/privkey.pem SSL_CHAIN_FILE /etc/ssl/private/chain.pem
-
3.2
Added recommendations from httpoxy.org.
RequestHeader unset Proxy early
-
3.1: Give the application a hint that it receives connection from a ssl proxy.
RequestHeader set X-Forwarded-Proto "https"
-
3.0: Added ability to redirect multiple ports. New environment varibles as following.
PORT_HTTP 80 PORT_HTTPS 443 PORT_REDIRECT 80
-
2.1: Fixed generation of private SSL cert during build. Added certificate stapling in SSL config.
SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" SSLStaplingResponseMaxAge 900
-
2.1: Set SSL compression off in SSL config.
SSLCompression off
-
2.0: Apache header hardening with the following.
Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set X-Robots-Tag "none" Header set X-Frame-Options "SAMEORIGIN"
-
1.1: Added ProxyPreserveHost to config.
-
1.0.1: Updated documentation for docker.
-
1.0: Basic customizable SSL proxy based on
debian:jessie
and jessies version of Apache. Proxying port 80 is supported in this version.
docker run -d --name my_proxy -p 80:80 -p 443:443 \
-v ./my_certs:/etc/ssl/private \
-e SERVER_NAME=www.mydomain.com \
-e SERVER_ADMIN=webmaster@mydomain.com \
--link www_container:http \
aheimsbakk/https-proxy:4
Start the docker with referering to letsencrypt.org certificate.
docker run -d --name my_proxy -p 80:80 -p 443:443
-v /etc/letsencrypt:/etc/ssl/private
-e SERVER_NAME=www.mydomain.com
-e SERVER_ADMIN=webmaster@mydomain.com
-e SSL_CERT_FILE=/etc/ssl/private/live/www.mydomain.com/cert.pem
-e SSL_PRIVKEY_FILE=/etc/ssl/private/live/www.mydomain.com/privkey.pem
-e SSL_CHAIN_FILE=/etc/ssl/private/live/www.mydomain.com/chain.pem
--link www_container:http
aheimsbakk/https-proxy:4
Create a cronjob to keep your letsencrypt.org certificate up to date with something like this.
docker stop my_proxy
docker run -it --rm -p 80:80 -p 443:443
-v /etc/letsencrypt:/etc/letsencrypt
-v /var/lib/letsencrypt:/var/lib/letsencrypt
quay.io/letsencrypt/letsencrypt:latest --standalone -t renew -q
docker start my_proxy
-
SERVER_NAME
- your full server name - FQDNdefault:
localhost
-
SERVER_ADMIN
- your webmaster emaildefault
webmaster@${SERVER_NAME}
-
SSL_CIPHERS
- your preferred SSL ciphersdefault:
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-
SSL_STRICT_TRANSPORT
- strict transport optionsdefault:
max-age=31536000; includeSubDomains
-
PORT_HTTP
- port which accepts HTTP traffic and redirects to firstPORT_HTTPS
default:
80
-
PORT_HTTPS
- port or space separated list of HTTPS portsdefault:
443
-
PORT_REDIRECT
- maps one to one with PORTS_HTTPS, and redirect to port on linked containerdefault:
80
-
SSL_CERT_FILE
- name of certificate filedefault:
/etc/ssl/private/cert.pem
-
SSL_PRIVKEY_FILE
- name of certificate private key filedefault:
/etc/ssl/private/privkey.pem
-
SSL_CHAIN_FILE
- name of certificate chain filedefault:
/etc/ssl/private/chain.pem
-
PROXYPASS_CONFIG
- additional configuration for the ProxyPass directive, see the Apache ProxyPass documentation.default:
retry=60
/etc/ssl/private
- where certificate resides
In /etc/ssl/private
certificate filename is important to make Apache work with your own certificate.
- Private key file is
privkey.pem
- Public certificate is
cert.pem
- Certificate chain is
chain.pem
This is the default names used with letsencrypt.org under your /etc/letsencrypt/live/$SERVER_NAME
folder.
Get the certificate chain from your CA if you don't have it at hand.
Getting certificate from letsencrypt.org
Example of getting certificate.
docker run -it --rm
-p 80:80 -p 443:443
-v /etc/letsencrypt:/etc/letsencrypt
-v /var/lib/letsencrypt:/var/lib/letsencrypt
quay.io/letsencrypt/letsencrypt:latest certonly --standalone --agree-tos -t -d www.mydomain.com -m webmaster@mydomain.com