Support HTTPS #46

Closed
evanp opened this Issue Jan 21, 2015 · 21 comments

evanp commented Jan 21, 2015

It's not clear how to support HTTPS with this image.

Ideally one could provide something like PORT for the Apache server to listen on, plus a KEY and CERT environment variables with the contents of the key and cert files.

I can try and make this work.

evanp commented Jan 21, 2015

Also: I love this image. Thanks for making it so easy to use. I wrote a blog post about it here:

http://blog.fuzzy.io/2015/01/19/installing-wordpress-with-docker-and-fig/

Contributor

md5 commented Jan 21, 2015

@evanp this image doesn't configure its Apache to support HTTPS, so there would have to be a PR or a derived image that adds the appropriate Apache config and EXPOSE setting for 443.

If you're willing to do your HTTPS in another container, jwilder/nginx-proxy is a nice option that supports SSL configuration.

evanp commented Jan 21, 2015

That's what I thought!

Do you think the PR should be for this repo or for docker-library/php?

Contributor

md5 commented Jan 21, 2015

I think it makes sense to do this in the php:*apache images myself, but @tianon and @yosifkit may think otherwise.

Looks like those images already have a Listen 443, but they don't a2enmod ssl or configure certificate or key paths.

In terms of implementation, it probably makes sense to follow the example set by the httpd image (cf. https://github.com/docker-library/docs/blob/master/httpd/content.md#sslhttps).

Member

tianon commented Jan 21, 2015

I'm actually personally pretty strongly -1 on SSL by default, and would
rather recommend people use a lightweight container in front of this one to
add that, but I run all my containers behind a single nginx.

SSL support in these one-off containers creates a configuration nightmare
though, IMO.

Contributor

md5 commented Jan 22, 2015

@tianon Are you using something like nginx-proxy or your own custom config?

Member

tianon commented Jan 22, 2015

I just use the official "nginx" image with a custom config that hooks to my
other containers via https://github.com/tianon/rawdns

pierreozoux commented Jul 19, 2015

IMHO, we should keep these images as simple as possible.

I see the purpose of these images to create the process as described in 12factor app.

As a consequence, the SSL part should be handled at another level.

You could base your image on this one and add an nginx or apache server in front that would consume this php (I don't recommend it, as you break the one process per container rule).

Or you could use a reverse proxy in front that would consume this container. This reverse proxy could be nginx or HAproxy (I personally use HAproxy). This reverse-proxy would handle the SSL offloading part.

Let me know if you need more details. If not, please consider closing the issue for the sake of keeping this number as low as possible.

Thanks

tianon closed this Aug 20, 2016

chriscoyier commented Dec 26, 2016

I think it would be nice to have some kind of mention/documentation/resource on how to go about using HTTPS. This seems like a pretty good lead, but I'm not having much luck so far.

redbullpeter commented May 29, 2017

I managed to get HTTPS to work on the most basic of configs for the latest WordPress Docker image (4.5.7). I've documented it here:

https://peter.pudaite.net/2017/05/29/enabling-https-on-the-standard-wordpress-docker-image/

AlexanderOMara commented Jun 27, 2017

For future visitors, here's a Dockerfile showing what I did to enable HTTPS support using the ssl-cert package to install the self-signed certificates that Apache is configured to use by default.

FROM wordpress:4.8.0-php7.1-apache

RUN apt-get update && \
	apt-get install -y  --no-install-recommends ssl-cert && \
	rm -r /var/lib/apt/lists/* && \
	a2enmod ssl && \
	a2ensite default-ssl

EXPOSE 80
EXPOSE 443

ajdruff commented Oct 19, 2017

@AlexanderOMara Brilliant - thank you!

Since I was already running a container using docker-compose, and didn't want to create a builder file, I did this:

  1. expose port 443 by adding the following to your compose file:

         ports:
           - "443:443"

  2. restart your container (be sure your db and web files are on persistent storage!)

         docker-compose down
         docker-compose up -d

  3. attach to the running container

         docker exec -t -i CONTAINER_ID /bin/bash

  4. install ssl-cert (automatically installs self-signed cert)

         apt-get update && \
             apt-get install -y --no-install-recommends ssl-cert && \
             rm -r /var/lib/apt/lists/* && \
             a2enmod ssl && \
             a2ensite default-ssl

     You may get a prompt about restarting apache before the new settings take effect.

         service apache2 reload

  5. exit the container (won't kill your container)

         CTRL-P-Q

  6. Access your https://example.com, adding an exception to your browser to ignore the prompt about untrusted CA

Erdou commented Nov 15, 2017

Just a (very) small detail: you can use only one line for EXPOSE, like:
EXPOSE 80 443

Note that after Docker 1.10, EXPOSE doesn't create a new layer, so the resulting image will be the same.

poldim commented Nov 28, 2017

@AlexanderOMara - How do you use this with docker compose so that I can continue to use the ":latest" tag?

AlexanderOMara commented Nov 28, 2017

@poldim

I don't think you can do it without creating a Dockerfile, but you could create a build: section in your docker-compose.yml file that builds your Dockerfile (and adjust the FROM to use wordpress:latest). Something like this:

yourproject/docker-compose.yml :

version: '3'

services:

  wordpress:
    build:
      context: wordpress
    ports:
      - '80:80'
      - '443:443'
    networks:
      - webnet

  mysql:
    image: mysql:5.7
    ports:
      - '3306:3306'
    networks:
      - webnet

networks:
  webnet:

yourproject/wordpress/Dockerfile :

FROM wordpress:latest

RUN apt-get update && \
	apt-get install -y  --no-install-recommends ssl-cert && \
	rm -r /var/lib/apt/lists/* && \
	a2enmod ssl && \
	a2ensite default-ssl

EXPOSE 80
EXPOSE 443

henscu commented Dec 8, 2017

@AlexanderOMara Thanks for this. It enables SSL, even though I thought I had to do a 'service apache2 restart' after the 'a2enmod ssl' to get SSL enabled.

What else did you do (adding certs, modifying 000-default.conf to force https...)?

I'm not an Apache expert, just trying to get my local WordPress Bedrock running using SSL on Docker for Mac. However I'm sure there are a lot of people looking for a complete off-the-shelf WordPress local HTTPS config documentation now that Let's Encrypt is available.

Perhaps it's time to move this thread to the forums?

For me for example, when I run docker-compose up, I get the warning:

    AH01909: 172.18.0.3:443:0 server certificate does NOT include an ID which matches the server name

Then when I go to http://localhost:443/, I get the error:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.10 (Debian) Server at 172.18.0.3 Port 443
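
Added example, not code from any commenter or from the image's maintainers: a shell script for the reverse-proxy approach recommended earlier in the thread, which also generates a certificate whose subjectAltName matches the server name (the mismatch that the AH01909 warning above reports). The `tls/` and `proxy.conf` names, the `/etc/nginx/tls` mount point and the upstream name `wordpress` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. File names, the /etc/nginx/tls path and
# the upstream name "wordpress" are assumptions for illustration.
set -eu

# make_cert DIR HOST: self-signed key + cert whose subjectAltName covers HOST.
# Needs OpenSSL 1.1.1+ (-addext). The key is generated on the host, so it does
# not end up in an image layer, and umask keeps it owner-readable only.
make_cert() {
    mkdir -p "$1"
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null )
}

# cert_matches CERT HOST: succeed only if CERT is valid for HOST.
# openssl reports the result as text, so the message is what gets checked.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# write_proxy_conf FILE HOST: nginx server block that terminates TLS and
# forwards plain HTTP to the WordPress container on the internal network.
write_proxy_conf() {
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $2;
    ssl_certificate     /etc/nginx/tls/cert.pem;
    ssl_certificate_key /etc/nginx/tls/key.pem;
    location / {
        proxy_pass http://wordpress:80;
        proxy_set_header Host \$host;
        # Tells the backend the original scheme; check that your
        # wp-config.php honours this header (assumption).
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Usage: sh tls-proxy-setup.sh localhost   (no argument: define functions only)
if [ $# -ge 1 ]; then
    make_cert ./tls "$1"
    cert_matches ./tls/cert.pem "$1" || { echo "SAN mismatch" >&2; exit 1; }
    write_proxy_conf ./proxy.conf "$1"
fi
```

Mount `tls/` read-only at `/etc/nginx/tls` and `proxy.conf` at `/etc/nginx/conf.d/default.conf` in an nginx container on the same network as the WordPress service, and publish 443 only on the proxy. The certificate is still self-signed, so browsers keep warning until it is trusted locally or replaced by one from a CA.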

supervacuo commented Jan 3, 2018

> Then when I go to http://localhost:443/, I get the error:

@henscu I notice you're visiting http://localhost:443 — what happens if you try with https, i.e. https://localhost:443? (And you should be able to drop the 443 if you're specifying https)

henscu commented Jan 4, 2018

Thanks @supervacuo. Yes, I tried that and many other minor permutations, but I ran into so many finicky problems like 'not being able to access /' and NET::ERR_CERT_AUTHORITY_INVALID etc that I'm going to reset my Docker setup back to the one described above and try again.

The problem for people like me (non hardcore dev) is the minor details in implementation explanations that are missing because they seem obvious to those who are writing them, but are very hard for me to get a clear answer/explanation from StackOverflow on... :)

ogierschelvis commented Jan 17, 2018

@poldim
You write a custom bash script and tell docker-compose to run it on startup.

I've done it like this:
docker-compose.yml

version: "2"
services:
  my-wpdb:
    image: mariadb
    volumes:
      - ./:/home
    ports:
      - "8081:3306"
    environment:
      MYSQL_ROOT_PASSWORD: xxxxxxx
  my-wp:
    image: wordpress
    volumes:
      - ./:/var/www/html
      - ./wp-init.sh:/usr/local/bin/apache2-custom.sh
      - ./apache2-vhosts.conf:/etc/apache2/sites-available/apache2-vhosts.conf
    ports:
      - "80:80"
      - "443:443"
    links:
      - my-wpdb:mysql
    environment:
      WORDPRESS_DB_PASSWORD: xxxxxxx
    command: "bash -c apache2-custom.sh"

wp-init.sh

#!/usr/bin/env bash

# as you can see I combined the SSL stuff from @AlexanderOMara 
# with enabling my own custom vhosts.conf 
# so I can edit that outside the container
apt-get update
apt-get install -y  --no-install-recommends ssl-cert
rm -r /var/lib/apt/lists/*

a2enmod ssl
a2dissite 000-default.conf
a2ensite apache2-vhosts.conf

# finally execute default command
docker-entrypoint.sh apache2-foreground

Works like a charm.

Member

yosifkit commented Jan 17, 2018

FYI, service apache2 reload will do nothing since there is no init system running in the container (like systemd or upstart). Apache2 server does not even start until the end of docker-entrypoint.sh and the process is started directly (ie, no init system is involved).

I would also recommend against doing apt-get -y upgrade in a container: https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#run.

ogierschelvis commented Jan 18, 2018

@yosifkit Touché. I wasn't aware of the latter though, thanks for that insight. Not sure though where in the process that was introduced in my snippet (probably the result of a lot of copy and pasting), because you would reckon apt-get update would be enough.

Anyway I updated my snippet.
