Docker Web SSL / HTTPS

Is there any (easy) way of enabling SSL (HTTPS) on the docker web container?

2 Likes

This is possible by using Proxy/load balancers to route traffic to multiple docker sites and also maintain SSL certificates.

The two main solutions are Traefik or Nginx Proxy:

We will be making more user friendly integration of both in Wappler.

6 Likes

Thank you very much! Looking forward to seeing this integrated in Wappler.

Traefik is far too complex for me, so I wanted to use Nginx. But switching to Nginx in Wappler gave this notice:

image

So I think I must select apache webserver, and then enable SSL for Nginx? I don’t understand fully how this works.

Are you using DigitalOcean?

Yes

With DigitalOcean you should choose to use their Load Balancer - that will take care of all your SSL for the droplets automatically, see:

1 Like

Thanks for the suggestion. A few issues with this though:

  1. It costs $10 per month for the load balancer (while Let’s Encrypt is free)
  2. In order to automatically let Digital Ocean manage Let’s Encrypt for us, I need to have my domain’s DNS managed by them. Which I personally don’t prefer, but I will have to look into it.
  3. If I don’t host my domain DNS with them, I’m then not entirely sure what I need to do to generate an SSL certificate myself, and how to maintain this.

I might be able to deal with the $10 a month, but it seems a bit high. Would be great if there was a built-in SSL switch in Wappler which installs Let’s Encrypt, are you thinking about implementing something like that?

you can use docker scale option

Hi, @nevil,
Did you finally find a solution?
I’m also looking for a cloud-agnostic solution for HTTPS.

Depending on where it’s critical for you to have SSL enabled, you could use Cloudflare SSL in flexible mode. Traffic from client to Cloudflare would be encrypted. From Cloudflare to your server, that would still be simple HTTP though.

We will also be adding support for installing Traefik directly on your docker server within Wappler, and there you will also be able to manage and set up your SSL with Let’s Encrypt.

For now you can do it manually by following the traefik guide above

3 Likes

Thanks, @George!
By the way, if I modify docker-compose.yml in “.wappler/targets” and add some other components, will it still be possible to launch it from the Wappler GUI? Deploy, start/stop etc?

Well, it should be OK to modify. Wappler modifies it with its own stuff only and leaves the rest alone. Do test first, of course.

2 Likes

Someone from Upwork helped me with implementing Traefik to the .wappler\targets\target-name\docker-compose.yml file.

Old compose file:

version: '3'
services:
  db:
    environment:
      MYSQL_ROOT_PASSWORD: ---
      MYSQL_DATABASE: intranet
      MYSQL_USER: db_user
      MYSQL_PASSWORD: ---
    volumes:
      - 'db-volume:/var/lib/mysql'
    ports:
      - '9906:3306'
    restart: always
    command:
      - '--character-set-server=utf8mb4'
      - '--collation-server=utf8mb4_unicode_ci'
      - '--default-authentication-plugin=mysql_native_password'
    build:
      context: .
      dockerfile: db/Dockerfile
  web:
    depends_on:
      - db
    ports:
      - '80:80'
    restart: always
    stdin_open: true
    tty: true
    build:
      context: ../../../
      dockerfile: .wappler/targets/Docker Remote/web/Dockerfile
volumes:
  db-volume: ~

New file:

version: '3.5'
services:
  portainer:
    image: portainer/portainer
    container_name: portainer
    command: '-H unix:///var/run/docker.sock'
    restart: always
    ports:
      - '9000:9000'
      - '8000:8000'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - 'portainer_data:/data'
  db:
    environment:
      MYSQL_ROOT_PASSWORD: ---
      MYSQL_DATABASE: intranet
      MYSQL_USER: db_user
      MYSQL_PASSWORD: ---
    volumes:
      - 'db-volume:/var/lib/mysql'
    ports:
      - '9906:3306'
    restart: always
    container_name: db
    command:
      - '--character-set-server=utf8mb4'
      - '--collation-server=utf8mb4_unicode_ci'
      - '--default-authentication-plugin=mysql_native_password'
    build:
      context: .
      dockerfile: db/Dockerfile
  web:
    depends_on:
      - db
    labels:
      - traefik.enable=true
      - traefik.http.routers.myweb.tls.certresolver=myresolver
      - traefik.http.routers.myweb.rule=Host(`your.domain.com`)
    restart: always
    container_name: web
    stdin_open: true
    tty: true
    build:
      context: ../../../
      dockerfile: .wappler/targets/Docker Remote/web/Dockerfile
  traefik2:
    image: traefik:v2.2
    container_name: traefik2
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=your@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt

volumes:
  db-volume: ~
  portainer_data: ~
  letsencrypt:
    driver: local

You just need to replace the email and domain name. By then deploying the remote docker connection from within Wappler, it automatically installs SSL and portainer.

Hope someone has use for this, until Wappler implements their own SSL support.

5 Likes
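A hardened variant of the compose file posted above, as an added example that is not part of the original post and not Wappler's own output. It shows only the keys that change and keeps the post's names (`myweb`, `myresolver`, `traefik2`); the loopback bindings assume you reach MySQL and Portainer over an SSH tunnel.

```yaml
# Added example: replace the matching keys in the posted file with these.
services:
  db:
    ports:
      # Posted file: '9906:3306' publishes MySQL on every host interface.
      # Bind to loopback, or drop `ports` entirely: `web` reaches `db`
      # over the compose network either way.
      - '127.0.0.1:9906:3306'
  portainer:
    ports:
      # Portainer holds the Docker socket, so keep its ports off the
      # public interface as well.
      - '127.0.0.1:9000:9000'
      - '127.0.0.1:8000:8000'
  web:
    labels:
      - traefik.enable=true
      - traefik.http.routers.myweb.rule=Host(`your.domain.com`)
      # Attach the router to the TLS entrypoint only.
      - traefik.http.routers.myweb.entrypoints=websecure
      - traefik.http.routers.myweb.tls.certresolver=myresolver
  traefik2:
    command:
      # Posted file: --log.level=DEBUG and --api.insecure=true. Insecure
      # mode serves the Traefik API and dashboard without authentication
      # on port 8080; it is not needed to obtain certificates.
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=your@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    volumes:
      # Traefik only reads container labels, so mount the socket read-only.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
```

Port 80 must stay published on `traefik2`, because the ACME HTTP challenge is answered on the `web` entrypoint before the redirect to HTTPS applies.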

Good work - yes this is how we also plan to implement it in Wappler :)

Thanks for sharing Nevil! I will look into this for sure.

Apparently Nevil and I were solving this problem at the same time this week. I am installing on EC2/Ubuntu 18.04

Here is my version of the docker-compose.yml file:


A couple notes on my docker file:

  • I have a drive mounted so I can upload files to the local server (not sure if this is best practice but it’s working.)
  • I also installed Portainer (covered in JonL’s video)

And here were some resources that I found helpful to set up docker/traefik:

Installing Docker: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04

Connecting Wappler to Docker for Deployment:
https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd
(Note: this opens up security on your wappler instance, so you need to secure by port. In EC2 I have the port secured to my IP)

Installing Traefik:

Hope this helps someone. It was a huge PITA to figure this out.

4 Likes

Hi George / @Teodor, it seems that Wappler keeps changing the docker-compose.yml we have made to something a bit different.

Left is our own version, right is the version Wappler makes of it. Any idea how to prevent Wappler from changing it in this way?

1 Like

Hi, @nevil! Did you solve it finally?
After a pause with Wappler, I still see that it’s a great tool for developing an app, but very non-transparent when it comes to taking it to production.

If you managed to make an HTTPS production app (especially with Node), it would be great if you shared your deployment approach.