
add https config #5

Open
pantaoran opened this issue May 14, 2016 · 8 comments

Comments

@pantaoran
Contributor

Hey, long time no comment :-)

Have you ever thought about an https config? I just tried for a few hours, but so far no luck. I'm coming to you because in the beginning I had also based my containers on yours.

I'm having all kinds of problems, from infinite redirection loops to mixed content warnings because scripts and css are still served unencrypted.

@markshust
Owner

markshust commented May 14, 2016

Where are you deploying your app to? (Bare metal, AWS, GCP, Swarm, K8S, etc). I know it doesn't matter too much, just would like to know. I've used Kubernetes in the past for SSL termination with an Nginx proxy, and it worked well, but ideally we'd want something like Let's Encrypt that self auto-renews and is docker-specific.

@pantaoran
Contributor Author

I'm hosting it on our company VPS server from a popular Chinese cloud hosting provider (running Ubuntu 14.04).

I actually started this experiment due to Let's Encrypt coming out of beta and giving me a convenient way to obtain certificates. But certbot doesn't support nginx yet, so I have to figure the right config out myself.

Also, I have more than one docker project running on the server, and use a non-docker nginx on the host as a proxy for all the docker container nginx instances, so I figured I can try to terminate SSL on the proxy and then send http into the containers. Maybe I should try doing it inside the container, but I'm not sure that would change anything, since also when using Varnish (which doesn't support https from what I read) it should be the same as what I'm trying now. I have never looked at Varnish yet since our store is still in development, but it's also on the roadmap...

@markshust
Owner

This example is probably overly verbose because it's for Kubernetes (and the config is not quite applicable because it's for Meteor), but perhaps this will help you out. I have this config running with k8s + Meteor; it runs https termination through a docker container and works great.
https://github.com/markoshust/nginx-ssl-proxy

I'll try to work out an https docker container with auto-renewing Let's Encrypt, where everything is done automatically. I've seen it someplace and it works great.

@markshust
Owner

@pantaoran Wondered if you ever wound up running or creating something for this? If so, let me know if we could perhaps have some hints at setup. If not, I'll take another look at this.

What this should really be is a separate docker container based on nginx that just acts as a proxy to forward requests (very simple).

@pantaoran
Contributor Author

Never found the time so far, we are under big delivery pressure and I wasn't able to convince anyone that this is as important as other features...

@pantaoran
Contributor Author

Could you elaborate on your last sentence?
Why a separate container? I already have one nginx container, it just needs another server block for listening to 443 ssl I think.

@pantaoran
Contributor Author

pantaoran commented Jul 29, 2016

This issue has suddenly been discovered by the client and now I had to move on it. I found a solution that satisfies my needs for now.

On the backend for the secure_url setting so far I had just used {{unsecure_base_url}} as well, but now I switched that to https://mydomain.com/.

Then I installed certbot on the host (NOT inside the docker container) and changed the host's nginx config to the following:

server
{
  listen 80;

  server_name mydomain.com;

  location /
  {
    proxy_pass http://127.0.0.1:8063;
    access_log off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  error_log syslog:server=unix:/dev/log,facility=local7,tag=commydomain,severity=error warn;
  access_log syslog:server=unix:/dev/log,facility=local7,tag=commydomain,severity=info main;
}

server
{
  listen 443 ssl;

  server_name mydomain.com;

  location /
  {
    proxy_pass http://127.0.0.1:8063;
    access_log off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
  }

  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

  ssl_session_timeout 1h;
  ssl_session_cache shared:SSL:10m;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128$
  ssl_prefer_server_ciphers on;

  add_header Strict-Transport-Security max-age=15768000;

  ssl_stapling on;
  ssl_stapling_verify on;

  error_log syslog:server=unix:/dev/log,facility=local7,tag=commydomainLive,severity=error warn;
  access_log syslog:server=unix:/dev/log,facility=local7,tag=commydomainLive,severity=info main;
}

I previously tried to have both of these blocks in one, but that is what caused the infinite redirect loop, due to the proxy_set_header X-Forwarded-Proto https; and proxy_set_header X-Forwarded-Port 443; directives, which should ONLY be there for the https block.

Of course inside my nginx docker container there is another nginx running to do the Magento2 specific stuff.
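To make the redirect-loop and header-trust points above concrete, here is an added simulation (not code from this issue or from the markshust project). It models a host nginx that terminates TLS and proxies plain HTTP to a backend, and a Magento-style backend that is configured with an https secure base URL, wants the storefront served over https, and learns the client-facing scheme only from X-Forwarded-Proto. It assumes the backend is reached from 127.0.0.1 (as in the config above) and that the backend redirects any request it believes is plain http to the secure base URL; the client IPs and the `TRUSTED_PROXIES` set are constructed sample values.

```python
"""Simulate TLS termination at a host nginx in front of an HTTP-only backend.

Added illustration (not the project's code). Assumptions: the backend only
sees plain HTTP from the proxy, decides the client-facing scheme from
X-Forwarded-Proto, and redirects anything it considers non-https to
SECURE_BASE_URL. Addresses and hostnames are constructed sample values.
"""
from typing import Dict, List, Tuple

SECURE_BASE_URL = "https://mydomain.com/"   # value the issue sets for secure_base_url
TRUSTED_PROXIES = {"127.0.0.1"}             # assumption: host nginx talks to the container via loopback
MAX_HOPS = 5                                # redirect budget before we call it a loop


def proxy_headers(listen_port: int, forward_proto: bool) -> Dict[str, str]:
    """Headers the host nginx adds on proxy_pass, modelled on the two server blocks above.

    forward_proto=False mimics an https block that forgot X-Forwarded-Proto/-Port.
    """
    headers = {
        "Host": "mydomain.com",
        "X-Real-IP": "203.0.113.10",        # constructed client address
        "X-Forwarded-For": "203.0.113.10",
    }
    if listen_port == 443 and forward_proto:
        headers["X-Forwarded-Proto"] = "https"
        headers["X-Forwarded-Port"] = "443"
    return headers


def effective_scheme(headers: Dict[str, str], peer_ip: str) -> str:
    """Backend view of the scheme.

    X-Forwarded-Proto is honoured only when the TCP peer is the trusted proxy:
    if the backend port (8063 here) is reachable directly, any client could
    otherwise claim 'https' and be treated as a secure request.
    """
    if peer_ip in TRUSTED_PROXIES:
        return headers.get("X-Forwarded-Proto", "http").lower()
    return "http"


def backend(path: str, headers: Dict[str, str], peer_ip: str) -> Tuple[int, str]:
    """Return (status, location). Non-https requests are redirected to the secure base URL."""
    if effective_scheme(headers, peer_ip) != "https":
        return 301, SECURE_BASE_URL + path.lstrip("/")
    return 200, ""


def fetch(client_scheme: str, path: str, forward_proto: bool,
          peer_ip: str = "127.0.0.1") -> List[Tuple[str, int]]:
    """Client follows redirects through the proxy; returns the (scheme, status) hop trace."""
    trace: List[Tuple[str, int]] = []
    scheme = client_scheme
    for _ in range(MAX_HOPS):
        port = 443 if scheme == "https" else 80
        status, location = backend(path, proxy_headers(port, forward_proto), peer_ip)
        trace.append((scheme, status))
        if status != 301:
            break
        scheme = "https" if location.startswith("https://") else "http"
    return trace


def looped(trace: List[Tuple[str, int]]) -> bool:
    """True when the redirect budget was exhausted without a final non-redirect response."""
    return len(trace) >= MAX_HOPS and trace[-1][1] == 301


if __name__ == "__main__":
    print("https block forwards proto:", fetch("http", "/", forward_proto=True))
    bad = fetch("http", "/", forward_proto=False)
    print("https block omits proto:   ", bad, "loop:", looped(bad))
    # A direct hit on the backend with a spoofed header is still treated as plain http.
    print("spoofed header, untrusted peer:",
          backend("/checkout", {"X-Forwarded-Proto": "https"}, "198.51.100.7"))
```

Run with `python3 tlsterm_sim.py` (any filename works). With the header forwarded on the 443 block, an http client is redirected once and then served; with the header missing, every https request still looks like http to the backend and the trace is nothing but 301s, which is the loop described in the comment. The last case shows why the backend should only trust X-Forwarded-Proto from the proxy's address rather than from whoever connects to port 8063.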

@markshust
Owner

@pantaoran Thanks, I'll reference this config when creating the docker img for this
