HTTPS support / Let’s Encrypt #57

Open
fdcastel opened this Issue Feb 27, 2017 · 8 comments

Contributor

fdcastel commented Feb 27, 2017

I'm using this image behind a nginx-proxy reverse firewall and with a little help from nginx-proxy-companion I got automatic Let’s Encrypt certificates setup and running with no effort (including automatic renewals).

This works very well. The only inconvenience is that it adds a little overhead (2 extra containers). Also, the server must be publicly accessible and have a registered domain name (since Let’s Encrypt CA must call it).

That said,

  1. Would you like me to write a new section in README detailing the instructions about how to make this setup?

  2. Are there any plans to support a similar setup "natively" (i.e. to provide automatic HTTPS certificate configuration using Let’s Encrypt)? I'm asking this because IMHO if done in the lower levels (nami tool?) it could be a huge benefit for several other Bitnami applications (e.g. WordPress).

Member

dbarranco commented Feb 28, 2017

Thanks for the feedback @fdcastel, it seems you have made a big effort to achieve it!

We have plans to add it to the containers, so for the moment it's not necessary to make a PR adding the steps to achieve it, but thank you so much for your effort.

Contributor

fdcastel commented Mar 2, 2017

> it seems you have made a big effort to achieve it!

Actually, it was very straightforward. :) These projects (nginx-proxy and nginx-proxy-companion) are excellent. Simply set some environment vars and you are done.

There are, however, some extra steps to watch with phabricator. I will try to compile them here.

Contributor

fdcastel commented Mar 2, 2017

For reference, these are the steps I'm doing. I hope it could help you somehow. Or any other user who wishes to make a similar setup, meanwhile.

This will set up a Bitnami Phabricator instance behind an HTTPS nginx proxy. It will request certificates from Let's Encrypt and will update them automatically. For more information, please see the nginx-proxy and nginx-proxy-companion project pages.

Run the following commands in an elevated bash prompt. You can just copy & paste them.

  1. Start with some variables:

    # Your docker-compose.yml location
    SITE_DIR=/opt/bitnami-phabricator
    
    # Your Phabricator public address
    SITE_URL=myphabricator.CHANGE-ME.com
    
    # Your email address for Let's Encrypt
    CERTIFICATES_EMAIL=certificates@CHANGE-ME.com

    Important: The DNS address in SITE_URL must resolve to the computer you're installing.

    In CERTIFICATES_EMAIL put an email address you check often (Let's Encrypt will warn you through it if your certificates are expiring -- just in case anything broke 😉).

  2. Create directories and docker-compose.yml file:

    mkdir -p $SITE_DIR/certs
    mkdir -p $SITE_DIR/vhost.d
    mkdir -p $SITE_DIR/html
    
    cat > $SITE_DIR/docker-compose.yml <<EOF
    version: '2'
    
    services:
      proxy:
        image: jwilder/nginx-proxy:alpine
        container_name: proxy
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - /var/run/docker.sock:/tmp/docker.sock:ro
          - $SITE_DIR/vhost.d:/etc/nginx/vhost.d
          - $SITE_DIR/certs:/etc/nginx/certs:ro
          - $SITE_DIR/html:/usr/share/nginx/html
        networks:
          - public
    
      proxy-companion:
        image: jrcs/letsencrypt-nginx-proxy-companion
        container_name: proxy-companion
        volumes:
          - $SITE_DIR/certs:/etc/nginx/certs:rw
          - /var/run/docker.sock:/var/run/docker.sock:ro
        volumes_from:
          - proxy
    
      mariadb:
        image: bitnami/mariadb:latest
        container_name: mariadb
        volumes:
          - mariadb_data:/bitnami/mariadb
        networks:
          - private
    
      phabricator:
        image: bitnami/phabricator:latest
        container_name: phabricator
        environment:
          - VIRTUAL_HOST=$SITE_URL
          - LETSENCRYPT_HOST=$SITE_URL
          - LETSENCRYPT_EMAIL=$CERTIFICATES_EMAIL
          - PHABRICATOR_HOST=$SITE_URL
        depends_on:
          - mariadb
        expose:
          - 80
        volumes:
          - phabricator_data:/bitnami/phabricator
          - apache_data:/bitnami/apache
          - php_data:/bitnami/php
        networks:
          - public
          - private
    
    volumes:
      mariadb_data:
      phabricator_data:
      apache_data:
      php_data:
    
    networks:
      public:
      private:
    EOF

  3. Start containers and follow the logs. Wait until the initial setup is done:

    cd $SITE_DIR
    docker-compose up -d
    docker logs phabricator -f

  4. Set some initial settings and stop the containers:

    CONFIG="docker exec phabricator /opt/bitnami/phabricator/bin/config"
    
    # Set base uri
    $CONFIG set phabricator.base-uri https://$SITE_URL
    
    # Allows access to repositories only via https
    $CONFIG set security.require-https 'true'
    
    # Stop containers
    docker-compose down

  5. Edit docker-compose.yml and add the following line in services: > phabricator: > volumes:

    - ./preamble.php:/opt/bitnami/phabricator/support/preamble.php

  6. Start containers:

    docker-compose up -d

  7. Create preamble.php file inside the container:

    (docker exec -i phabricator bash -c "cat > /opt/bitnami/phabricator/support/preamble.php")<<'EOF'
    <?php
    
    $_SERVER['HTTPS'] = true;
    EOF

  8. Restart phabricator:

    docker-compose restart phabricator

And you're done!

Important: The preamble.php file (steps 5~7) should not exist during the initial setup (step 3) or you will get an ELOOP: too many symbolic links encountered error. Please see #41 for more information.

Member

dbarranco commented Mar 2, 2017

Hi @fdcastel

That's awesome!
Thank you so much for sharing that with us, we will take a look at it.

Best regards!

beltran-rubo added the faq label Mar 13, 2017


akolnoochenko commented Nov 29, 2017

@fdcastel, is it possible to get the values of phabricator config variables from preamble.php? Something like

    if (GET_CONFIG_VALUE('security.require-https'))
    {
        $_SERVER['HTTPS'] = true;
    }

In that case it could be possible to mount preamble.php and eliminate the need to recreate the container.

Member

tompizmor commented Jan 26, 2018

Hello @akolnoochenko, @fdcastel

We have released Phabricator 2018.3.0-r1 including a setting in the Apache configuration that helps when phabricator is behind a LoadBalancer. The configuration is SetEnvIf X-Forwarded-Proto https HTTPS=on.

With this apache configuration, the use of the preamble.php script is not necessary.
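
Both the preamble.php workaround and the SetEnvIf X-Forwarded-Proto setting make Phabricator take the proxy's word that a request arrived over HTTPS, so security.require-https depends on the phabricator container being reachable only through nginx-proxy. The check below is an added example, not part of the thread or of the Bitnami or nginx-proxy projects: audit_compose and sample_compose are hypothetical helper names, and the sample file is a constructed, trimmed copy of the step 2 compose file.

```shell
# Added example. audit_compose FILE prints "BYPASS <service>" for every service
# that registers with nginx-proxy (VIRTUAL_HOST) and also publishes host ports;
# returns 1 if any is found. Assumes 2-space indented, block-style compose YAML.
audit_compose() {
  awk '
    /^services:/ { in_services = 1; next }
    /^[A-Za-z]/  { in_services = 0 }              # any other top-level key
    in_services && /^  [A-Za-z0-9_-]+:/ {         # service name (2 spaces)
      svc = $1; sub(/:$/, "", svc); key = ""; next
    }
    in_services && /^    [a-z_]+:/ {              # service-level key (4 spaces)
      key = $1; sub(/:.*$/, "", key); next
    }
    in_services && key == "ports" && /^ +- /                  { ports[svc] = 1 }
    in_services && key == "environment" && /VIRTUAL_HOST[=:]/ { vhost[svc] = 1 }
    END {
      for (s in vhost) if (s in ports) { print "BYPASS " s; bad = 1 }
      exit bad + 0
    }
  ' "$1"
}

# Constructed sample: proxy and phabricator from step 2, trimmed. With the
# argument "publish" a host port mapping is appended to phabricator.
sample_compose() {
  cat <<'EOF'
version: '2'
services:
  proxy:
    image: jwilder/nginx-proxy:alpine
    ports:
      - "80:80"
      - "443:443"
  phabricator:
    image: bitnami/phabricator:latest
    environment:
      - VIRTUAL_HOST=myphabricator.CHANGE-ME.com
    expose:
      - 80
EOF
  if [ "${1:-}" = publish ]; then printf '    ports:\n      - "8080:80"\n'; fi
}

tmp=$(mktemp)
sample_compose > "$tmp"
audit_compose "$tmp" && echo "ok: only the proxy publishes ports"
sample_compose publish > "$tmp"
audit_compose "$tmp" || echo "phabricator is reachable without going through the proxy"
rm -f "$tmp"
```

Inline port lists such as `ports: ["8080:80"]` are not parsed by this sketch; run it against the generated $SITE_DIR/docker-compose.yml after any edit to the phabricator service.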


SimZor commented Jun 17, 2018

How can I make this persistent so data is not lost if I remove the containers?

Also:
After completing the installation steps successfully, I end up with ERR_CONNECTION_REFUSED when using https before the domain name. I've made sure that HTTPS ports are open, but this seems to be more of a problem with nginx. Any ideas?

Member

tompizmor commented Jun 19, 2018

Hi @SimZor, which is the data that you would like to persist?
By default the persisted folders for phabricator are /opt/bitnami/phabricator/data, /opt/bitnami/phabricator/conf and /opt/bitnami/phabricator/repo.

Did you execute the following commands to configure phabricator to use https?

    # Set base uri
    docker exec phabricator /opt/bitnami/phabricator/bin/config set phabricator.base-uri https://$SITE_URL

    # Allows access to repositories only via https
    docker exec phabricator /opt/bitnami/phabricator/bin/config set security.require-https 'true'

Also, for newer versions of phabricator (since 2018.3.0-r1), the preamble.php step is not needed.
