Enable SSL termination for the container for local dev

Dockerfile

@@ -10,6 +10,7 @@ ENV CONTAINER_ROLE=web \
 # Using a non-privileged port to prevent having to use setcap internally
 EXPOSE ${CONTAINER_PORT}
 
+# - Update security packages, only, plus ca-certificates for https
 # - Update security packages, only
 # - Install pre-reqs
 # - Install latest nginx (development PPA is actually mainline development)
@@ -22,6 +23,7 @@ RUN /bin/bash -e /security_updates.sh && \
     apt-get update -yqq && \
     apt-get install -yqq --no-install-recommends \
         nginx-light \
+        ca-certificates \
     && \
     apt-get remove --purge -yq \
         manpages \

Dockerfile-alpine

@@ -18,6 +18,7 @@ RUN adduser -D -S -H $NOT_ROOT_USER
 RUN apk update --no-cache && \
     apk add \
         nginx \
+        ca-certificates \
     && \
     /bin/bash -e /clean.sh
 

README.md

@@ -44,6 +44,7 @@ Variable | Example | Description
 `SERVER_LOG_MINIMAL` | `SERVER_LOG_MINIMAL=1` | Minimize the logging format, appropriate for development environments
 `S6_KILL_FINISH_MAXTIME` | `S6_KILL_FINISH_MAXTIME=1000` | Wait time (in ms) for zombie reaping before sending a kill signal
 `S6_KILL_GRACETIME` | `S6_KILL_GRACETIME=500` | Wait time (in ms) for S6 finish scripts before sending kill signal
+`SERVER_ENABLE_SSL` | `SERVER_ENABLE_SSL=` | Enable SSL directives in default configuration
 
 
 ### Startup/Runtime Modification
@@ -52,6 +53,20 @@ To inject changes just before runtime, shell scripts (ending in .sh) may be plac
 `/etc/cont-init.d` folder. For example, the above environment variables are used to drive nginx configuration at runtime.
 As part of the process manager, these scripts are run in advance of the supervised processes. @see https://github.com/just-containers/s6-overlay#executing-initialization-andor-finalization-tasks
 
+### HTTPS/SSL support for local development
+
+Follow these steps to create an image and run a container that hosts a static website or a service using nginx.
+
+* On your development machine, download or generate an x509 certificate and key appropriate for use with apache or nginx. Install these with the names certificate.crt and certificate.key, respectively, in a local folder.
+* Add an entry to your /etc/hosts to map 127.0.0.1 to the server host name corresponding to your certificate.
+* Run the image using --env SERVER_ENABLE_SSL=true
+* Start a container using:
+  * -v {folder-containing-certificate.crt}:/etc/nginx/certs:ro
+  * -v {folder-containing-certificate.key}:/etc/nginx/certs:ro
+  * -p 443:8080 (or whatever host port you are using)
+* Test
+  * curl https://{your-server-hostname}, or,
+  * curl -k https://localhost
 
 ### Advanced Modification
 

container/root/etc/cont-init.d/10-nginx.sh

@@ -74,3 +74,10 @@ then
   echo "[nginx] setting client_body_buffer_size to ${SERVER_CLIENT_BODY_BUFFER_SIZE}"
   sed -i "s/client_body_buffer_size .*;/client_body_buffer_size ${SERVER_CLIENT_BODY_BUFFER_SIZE};/" $CONF_NGINX_SERVER
 fi
+
+if [[ $SERVER_ENABLE_SSL ]]
+then
+  echo "[nginx] enabling ssl"
+  sed -ig "s/^[ ]*#ssl/  ssl/" $CONF_NGINX_SITE
+fi
+

container/root/etc/nginx/sites-available/default

@@ -1,6 +1,15 @@
 server {
   listen 8080;
 
+  #ssl on;
+  #ssl_protocols TLSv1.2;
+  #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+  ######ssl_dhparam /etc/nginx/certs/dhparams.pem;
+  #ssl_prefer_server_ciphers on;
+  #ssl_session_cache shared:SSL:10m;
+  #ssl_certificate /etc/nginx/certs/certificate.crt;
+  #ssl_certificate_key /etc/nginx/certs/certificate.key;
+
   root /var/www/html;
 
   # Doesn't broadcast version level of server software