Nginx (Web Server) - HTTPS / SSL on Docker

A certificate can be used to encrypt the resources being transmitted to clients. In this example, a dedicated certificate will be placed on the Nginx web server so that HTTPS can be used.

 

Either a certificate from a trusted CA (certificate authority), such as www.verisign.com, or a self-signed certificate can be used. The main difference between a certificate from a trusted CA and a self-signed certificate is that web browsers will display a warning message when a self-signed certificate is used. OpenSSL can be used to create the self-signed public certificate and private key.

In this example, a self-signed public certificate was created for freekb.net, and Chrome complains that the root certificate is not trusted, because the certificate is not in the trusted root certificate authorities store. This is the expected behavior of a self-signed certificate.

 

AVOID TROUBLE

The certificate Common Name (CN) will almost always need to match the DNS hostname of the web server the certificate is being used for. For example, if the certificate will be used for SSL / HTTPS on the web server serving www.freekb.net, then the certificate's Common Name (CN) will need to be www.freekb.net or *.freekb.net. Note that current browsers (Chrome since version 58, for example) validate the hostname against the Subject Alternative Name (SAN) extension rather than the CN, so the certificate should carry a SAN entry for the hostname as well.

SSL configuration is done in the /etc/nginx/conf.d/default.conf file in the container. By default, the server block in default.conf is set up to listen only on port 80.

server {
    listen       80;
    listen  [::]:80;
    # ... remaining directives of the stock default.conf
}

 

Here is one possible way to set up SSL in default.conf. Notice in this example that the /usr/local/share/ca-certificates/www.example.com.crt and /usr/local/share/ca-certificates/www.example.com.key files are being used; this is the directory the certificate and key will be mounted into when the container is started.

server {
    listen              80;
    listen              [::]:80;
    listen              443 ssl;
    # The certificate and key live under the directory that is mounted into the
    # container with --volume (see the docker run command below).
    ssl_certificate     /usr/local/share/ca-certificates/www.example.com.crt;
    ssl_certificate_key /usr/local/share/ca-certificates/www.example.com.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer "TLSv1.2 TLSv1.3"
    # unless a legacy client must be supported.
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}

 

The following command can then be used to create and start the nginx container.

docker run --detach --publish 80:80 --publish 443:443 --volume /path/to/default.conf:/etc/nginx/conf.d/default.conf --volume /path/to/certs:/usr/local/share/ca-certificates --name nginx --restart unless-stopped nginx

Let's break down this command.

  • The docker run command is used to create and start the nginx container.
  • The --detach flag runs the container in the background.
  • The --publish options map HTTP port 80 and HTTPS port 443 on the Docker host to the same ports in the nginx container; Docker adds iptables rules that allow connections to the container on ports 80 and 443.
  • The --name option names the container nginx.
  • The --restart unless-stopped option ensures the container is started again if the Docker server is restarted.
  • The first --volume option mounts your own default.conf on the Docker host to /etc/nginx/conf.d/default.conf in the container, so the container uses your default.conf rather than the stock one.
  • The second --volume option mounts the directory on the Docker host that contains the public certificate and private key to /usr/local/share/ca-certificates in the container, which is the directory the ssl_certificate and ssl_certificate_key directives in default.conf must point to.
  • The nginx image is used.
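As an added example (not from the original article), here is a small POSIX shell pre-flight check for the two things most likely to go wrong with this setup: ssl_certificate / ssl_certificate_key paths in default.conf that do not sit under the directory the --volume option mounts into the container, and deprecated TLS versions in ssl_protocols. The function name, the two sample config files and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: lint a default.conf before
# it is mounted with "--volume /path/to/certs:/usr/local/share/ca-certificates".
# Returns 0 when the config passes, 1 otherwise (reasons are printed to stderr).
check_nginx_ssl_conf() {
    conf="$1"       # default.conf on the Docker host
    mount_dir="$2"  # container-side path of the certificate mount
    rc=0
    for directive in ssl_certificate ssl_certificate_key; do
        path=$(awk -v d="$directive" '$1 == d { sub(/;$/, "", $2); print $2 }' "$conf")
        case "$path" in
            "$mount_dir"/*) ;;
            "") echo "$directive: not set" >&2; rc=1 ;;
            *)  echo "$directive: $path is outside $mount_dir; nginx in the container will not find it" >&2; rc=1 ;;
        esac
    done
    protos=$(awk '$1 == "ssl_protocols" { $1 = ""; sub(/;$/, ""); print }' "$conf")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "ssl_protocols: $p is deprecated (RFC 8996); use TLSv1.2 TLSv1.3" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed samples: the article's server block with paths under /etc/nginx/conf.d
# and TLSv1/TLSv1.1 enabled, and a corrected version.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
server {
    listen              443 ssl;
    ssl_certificate     /etc/nginx/conf.d/www.example.com.crt;
    ssl_certificate_key /etc/nginx/conf.d/www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}
EOF
cat > "$tmp/fixed.conf" <<'EOF'
server {
    listen              443 ssl;
    ssl_certificate     /usr/local/share/ca-certificates/www.example.com.crt;
    ssl_certificate_key /usr/local/share/ca-certificates/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}
EOF
check_nginx_ssl_conf "$tmp/weak.conf"  /usr/local/share/ca-certificates || echo "weak.conf: rejected"
check_nginx_ssl_conf "$tmp/fixed.conf" /usr/local/share/ca-certificates && echo "fixed.conf: ok"
```

To create the self-signed pair the article refers to, with a SAN matching the hostname, `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=www.example.com -addext subjectAltName=DNS:www.example.com -keyout www.example.com.key -out www.example.com.crt` works on OpenSSL 1.1.1 or newer (the -addext option is not available in older releases).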

 

The docker container ls command can be used to ensure the container is running.

~]# docker container ls -a
CONTAINER ID   IMAGE  COMMAND                 CREATED        STATUS        PORTS
8321dc3c0c25   nginx  "/docker-entrypoint.…"  7 minutes ago  Up 7 minutes  0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp

 

The docker logs command should return something like this:

~]# docker logs nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

 

You should then be able to access the default Nginx welcome page at http://<hostname or IP address of your Docker system> (port 80). Something like this should be displayed.

 

And you should also be able to access the default Nginx welcome page at https://<hostname or IP address of your Docker system> (port 443).

 




Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |