btp,
@btp@fosstodon.org

Who runs their website server in a container?

If you do: How do you provide your website's certificates to the server safely?

alastair,

@btp I use caddy as a reverse proxy though it can also host sites itself. It automatically obtains and renews certificates from LetsEncrypt.

btp,
@btp@fosstodon.org

@alastair yup, I'm gonna go with Caddy as a reverse proxy, too. So far, it's a neat tool.

btp,
@btp@fosstodon.org

Thanks for all the replies (even @joel 's), I think I've got a good idea of where to go from here.

joel,
@joel@fosstodon.org

@btp I am glad I provided you with the best solution

steffo,

@btp Me! The website container does not have access to the certificates, a reverse proxy handles them instead.

btp,
@btp@fosstodon.org

@steffo Is your reverse proxy also running in a container?

steffo,

@btp Yup, with the https://hub.docker.com/_/caddy image!

btp,
@btp@fosstodon.org

@steffo :thinkhappy:

herzenschein,

@btp

I let Caddy automanage and autorenew certificates for my podman containers, and Caddy itself is in a container. There's no reason to let those exposed in my host, and it's one less thing to manage.

But if I had my own separate certificates, the first thing that would come to mind is simply mounting it as a volume inside the needed containers with :ro,Z.

btp,
@btp@fosstodon.org

@herzenschein yeah, I'm leaning towards the volume solution. I'll check out Caddy, though.

mvu,
@mvu@peoplemaking.games

@btp agree with other poster, ingress server does the certs for all the webservers.

At work we currently use Caddy for ingress, and it just automatically handles certs via letsencrypt. If all you're doing is a reverse proxy to the web service it's like 4 lines total in your Caddy config file.

If you don't need a separate ingress server you can also throw a caddy service into your docker-compose, expose ports 80 and 443, then reverse proxy to the app service.
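As an added example that is not part of this thread, here is one compose file that puts both suggestions from the replies above side by side: a Caddy service exposed on ports 80 and 443 that reverse-proxies to an app service and obtains its own certificates, plus a bring-your-own-certificate site whose key pair is bind-mounted read-only with `:ro,Z` (the mount option herzenschein mentions). The hostnames, the `web` service image, the `./certs` directory and the file names inside it are placeholders. The Caddyfile is supplied inline through the top-level `configs:` element with `content:`, which needs Docker Compose v2.23.1 or later; with older Compose or podman-compose, write the same text to a `Caddyfile` and bind-mount it at `/etc/caddy/Caddyfile` instead.

```yaml
# docker-compose.yml (example, not from the thread)
services:
  caddy:
    image: caddy:2
    ports:
      - "80:80"     # ACME HTTP-01 challenges and HTTP->HTTPS redirect
      - "443:443"
    volumes:
      # ACME account key and issued certificates live in this named volume,
      # so they never need to be handed to the app container at all.
      - caddy_data:/data
      - caddy_config:/config
      # Only needed for the bring-your-own-cert site: read-only bind mount,
      # ':Z' relabels for SELinux (podman/docker on Fedora, RHEL, etc.).
      - ./certs:/certs:ro,Z
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    depends_on:
      - web

  web:
    # Placeholder for the actual site container. It has no 'ports:' entry and
    # no certificate mount: it is reachable only on the compose network, and
    # the proxy talks plain HTTP to it.
    image: nginx:alpine
    expose:
      - "80"

volumes:
  caddy_data:
  caddy_config:

configs:
  caddyfile:
    content: |
      # Site 1: Caddy obtains and renews the certificate itself
      # (this is the "about 4 lines" case from the thread).
      example.com {
          reverse_proxy web:80
      }

      # Site 2: certificate and key supplied by you, mounted read-only above.
      static.example.com {
          tls /certs/fullchain.pem /certs/privkey.pem
          reverse_proxy web:80
      }
```

Two checks worth doing after `docker compose up -d` (or `podman-compose up -d`): confirm the app container really has no published ports and no certificate files (`docker compose exec web ls /certs` should fail), and keep the host-side private key at mode 0600 owned by the user who runs the compose stack, since the read-only mount protects the file from modification by the container but not from being read by anyone who can read it on the host.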

btp,
@btp@fosstodon.org

@mvu Well right now I'm not running any other service that terminates the TLS, but I'm seeing a lot of solutions for using a reverse proxy or ingress solution.

However, this just brings up my same question of getting the certs to the container that terminates the TLS.

mvu,
@mvu@peoplemaking.games

@btp As mentioned, caddy self manages the certs if none are provided -- if you need to provide your own certs couldn't you just mount them as a volume?

btp,
@btp@fosstodon.org

@mvu Yup, I can. I'm just exploring if there's other options. I don't have a ton of experience in deploying containers to production environments, and I'd like to make sure I'm going the secure route.

vsaw,
@vsaw@mastodon.social

@btp I don’t. I run a reverse proxy that acts as an ingress point and terminate the TLS there. Traffic will then be forwarded internally unencrypted. See https://nginxproxymanager.com/ as a simple way to set it up.

btp,
@btp@fosstodon.org

@vsaw oh, this is the same principle. I'm more so interested in how to safely provide SSL certificates to a container, regardless of whether it's the server itself or a reverse proxy running inside of it. Looks like this uses the volumes solution to provide the Let's Encrypt certs to the proxy.

https://nginxproxymanager.com/guide/#quick-setup

vsaw,
@vsaw@mastodon.social

@btp Ah I see. Yes as far as I understand it stores the certificates on a volume that usually points to a folder in the host machine.

fedops,
@fedops@fosstodon.org

@btp can't you run certbot inside your container?

btp,
@btp@fosstodon.org

@fedops I could. This would make the container more complex than I'd like it to be, though. It's running a single process. I guess I could just compile the Containerfiles from both the Certbot and the server images, and build my own image with just the server and certbot.

This also gives me less control over the container functionality from compose.

SirCandinavian,

@btp might be acting, just saying

btp,
@btp@fosstodon.org

@SirCandinavian i don't know what this means.

mitch,
@mitch@posts.dumb.stuff.donaberger.xyz

@btp i do! admittedly, i use middleware, Cloudron. it has a certbot server running on top that awards the cert to the container.

btp,
@btp@fosstodon.org

@mitch ah I see, so it's all built into your container, right?

joel,
@joel@fosstodon.org

@btp yes.

btp, (edited)
@btp@fosstodon.org

@joel how do you give the server container the certificates.

joel,
@joel@fosstodon.org

@btp with love and care

btp,
@btp@fosstodon.org

@joel :blobfoxangrylaugh:
