issue126:c_c
Differences
Below are the differences between two revisions of the page.
Next revision | Previous revision | ||
issue126:c_c [2017/10/29 18:18] – created by auntiee | issue126:c_c [2017/11/09 15:31] (current version) – auntiee | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | As the web moves towards a “secure by default” approach, enabling HTTPS on your website is becoming more and more important. I’ve spent the last few weeks updating the websites I manage to run HTTPS, including some that run in docker. As some readers may have noticed, I have also switched the fullcirclemagazine.org website over to HTTPS. The reason for this is simple - Google (and others) are encouraging the use of HTTPS by clearly denoting (with a green padlock) encryption on websites. This month’s article will therefore be dedicated to what HTTPS is, how to get set up with Let’s Encrypt, and how to combine it with docker. | + | **As the web moves towards a “secure by default” approach, enabling HTTPS on your website is becoming more and more important. I’ve spent the last few weeks updating the websites I manage to run HTTPS, including some that run in docker. As some readers may have noticed, I have also switched the fullcirclemagazine.org website over to HTTPS. The reason for this is simple - Google (and others) are encouraging the use of HTTPS by clearly denoting (with a green padlock) encryption on websites. This month’s article will therefore be dedicated to what HTTPS is, how to get set up with Let’s Encrypt, and how to combine it with docker.** |
- | What is HTTPS and Let’s Encrypt? | + | Comme le Web évolue vers une approche « sécurisée par défaut », l' |
+ | |||
+ | **What is HTTPS and Let’s Encrypt? | ||
HTTPS helps to protect private data when logging in, when using HTML forms, or otherwise when sharing information with a website. The information is secured via encryption, and can also prevent man-in-the-middle attacks (where another device intercepts your packets). Depending on your host, it may be automatically configured, or an option you can pay for. Previously, SSL certificates were issued only by certain companies (at cost), and self-signed certificates were not considered secure. | HTTPS helps to protect private data when logging in, when using HTML forms, or otherwise when sharing information with a website. The information is secured via encryption, and can also prevent man-in-the-middle attacks (where another device intercepts your packets). Depending on your host, it may be automatically configured, or an option you can pay for. Previously, SSL certificates were issued only by certain companies (at cost), and self-signed certificates were not considered secure. | ||
- | That changed recently with Let’s Encrypt, which will create secure, trusted certificates for free. The main difference between paid certificates and free ones through Let’s Encrypt is the duration. Certificates from Let’s Encrypt expire after 90 days - meaning you need to actively renew them more often than paid certificates. However, this can be done with a helper tool (I use ‘certbot’), | + | That changed recently with Let’s Encrypt, which will create secure, trusted certificates for free. The main difference between paid certificates and free ones through Let’s Encrypt is the duration. Certificates from Let’s Encrypt expire after 90 days - meaning you need to actively renew them more often than paid certificates. However, this can be done with a helper tool (I use ‘certbot’), |
- | What is Docker? | + | Qu' |
- | Docker is a system for running services | + | HTTPS aide à protéger les données privées quand on s' |
- | Prerequisites | + | Ça a changé récemment avec Let's Encrypt, qui crée des certificats sûrs et fiables gratuitement. La principale différence entre les certificats payants et ceux gratuits par l' |
+ | |||
+ | **What is Docker? | ||
+ | |||
+ | Docker is a system for running services in virtual containers - and is built upon the existing Linux kernel. This means that it is faster, and requires less disk and RAM space than full virtualized environments (such as Vagrant). You can use it to run any number of systems, and multiple containers can communicate with each other via a private network.** | ||
+ | |||
+ | qu' | ||
+ | |||
+ | Docker est un système pour faire tourner des services dans des conteneurs virtuels, et il est construit sur le noyau Linux existant, ce qui signifie qu'il est plus rapide et qu'il demande moins d' | ||
+ | |||
+ | **Prerequisites | ||
In my case, the services I worked with covered 3 containers. One running jwilder’s nginx-proxy image, one running a basic nginx image, and one running a basic apache image. The basic nginx and apache images were linked together as a LEAMP server (an Apache server behind an Nginx server, where Nginx covers static files, and PHP files are handled by Apache). | In my case, the services I worked with covered 3 containers. One running jwilder’s nginx-proxy image, one running a basic nginx image, and one running a basic apache image. The basic nginx and apache images were linked together as a LEAMP server (an Apache server behind an Nginx server, where Nginx covers static files, and PHP files are handled by Apache). | ||
- | Nginx-proxy is an image that automatically directs and manages the traffic to various other containers (so the URLs lead to the correct container). | + | Nginx-proxy is an image that automatically directs and manages the traffic to various other containers (so the URLs lead to the correct container).** |
+ | |||
+ | Prerequisites | ||
+ | |||
+ | Dans mon cas, les services avec lesquels je travaillais couvraient 3 conteneurs. L'un faisait tourner une image de nginx-proxy de jwilder, un autre, une image d'un nginx de base et un autre, une image d'un apache de base. Les images de base de nginx et apache étaient liées entre elles sous forme de serveur LEAMP (un serveur Apache derrière un serveur Nginx, où Nginx s' | ||
+ | |||
+ | Nginx-proxy is an image that automatically directs and manages traffic to various other containers (so that the URLs lead to the right container). | ||
- | Where to start? | + | **Where to start? |
My original research didn’t indicate too many posts on this particular topic. There were plenty on setting up nginx or apache to serve HTTPS sites. However, the complication comes from using nginx-proxy. As the traffic is technically forwarded between 3 containers, I originally assumed that I would need to configure SSH on both the Nginx-proxy and the Nginx containers. | My original research didn’t indicate too many posts on this particular topic. There were plenty on setting up nginx or apache to serve HTTPS sites. However, the complication comes from using nginx-proxy. As the traffic is technically forwarded between 3 containers, I originally assumed that I would need to configure SSH on both the Nginx-proxy and the Nginx containers. | ||
- | Fortunately, | + | Fortunately, |
- | Create Certificate | + | Where to start? |
+ | |||
+ | Ma première recherche ne m'a pas donné trop de messages sur ce sujet précis. Il y en avait plein sur le paramétrage de nginx et apache pour desservir des sites HTTPS. Cependant, la complication vient de l' | ||
+ | |||
+ | Heureusement, | ||
+ | |||
+ | **Create Certificate | ||
To do this, you’ll need to install certbot, which depends on your server’s OS and version. For most Ubuntu versions, you’ll need to add the certbot/ | To do this, you’ll need to install certbot, which depends on your server’s OS and version. For most Ubuntu versions, you’ll need to add the certbot/ | ||
Line 32: | Line 56: | ||
certbot certonly | certbot certonly | ||
- | Then answer the questions (you will need to point it to the actual webroot of your website that is publicly accessible, otherwise Let’s Encrypt cannot confirm you own the domain and the certificate is not created). Once the certificate is created, it will be stored in / | + | Then answer the questions (you will need to point it to the actual webroot of your website that is publicly accessible, otherwise Let’s Encrypt cannot confirm you own the domain and the certificate is not created). Once the certificate is created, it will be stored in / |
- | Create folder for docker volume | + | Create a certificate |
+ | |||
+ | Pour ce faire, vous devez installer certbot, ce qui dépend de l'OS de votre serveur et de sa version. Pour la plupart des versions d' | ||
+ | |||
+ | Une fois certbot installé, vous pourrez créer votre certificat. Je l'ai fait en utilisant la commande certonly, car je ne veux pas que certbot tente d' | ||
+ | |||
+ | certbot certonly | ||
+ | |||
+ | Puis répondez aux questions (vous aurez besoin de le faire pointer sur la vraie racine de votre site Web qui est accessible publiquement, | ||
+ | |||
+ | **Create folder for docker volume | ||
While you can link the folder from letsencrypt up with docker, I would recommend creating a new folder that you can more easily access (in your user’s home folder, for example). | While you can link the folder from letsencrypt up with docker, I would recommend creating a new folder that you can more easily access (in your user’s home folder, for example). | ||
Line 44: | Line 78: | ||
cp / | cp / | ||
- | If you want nginx-proxy to automatically apply the certificates, | + | If you want nginx-proxy to automatically apply the certificates, |
- | Link Certificate to Nginx-Proxy | + | Create a folder for the docker volume |
+ | |||
+ | While you can link the letsencrypt folder to docker, I would recommend creating a new folder that you can access more easily (in your home directory, for example). | ||
+ | |||
+ | A command that works for this would be: | ||
+ | |||
+ | mkdir -p ~/ | ||
+ | |||
+ | cp / | ||
+ | |||
+ | Si vous voulez que nginx-proxy utilise automatiquement les certificats, | ||
+ | |||
+ | **Link Certificate to Nginx-Proxy | ||
To supply the certificates to the image, you can use the following command (taken from the official nginx-proxy): | To supply the certificates to the image, you can use the following command (taken from the official nginx-proxy): | ||
Line 56: | Line 102: | ||
If you prefer more control (or have one certificate for multiple domains), you can instead set the CERT_NAME variable in the container’s environment. If your files are called example.crt and example.key, | If you prefer more control (or have one certificate for multiple domains), you can instead set the CERT_NAME variable in the container’s environment. If your files are called example.crt and example.key, | ||
- | For ease of use and managing the variables, I’d recommend using docker-compose, | + | For ease of use and managing the variables, I’d recommend using docker-compose, |
- | Possible issues | + | Link the certificate to Nginx-proxy |
- | I ran into an issue where I had mistakenly linked the cert file in place of the private key, which resulted in nginx -s reload failing on nginx-proxy. There were no obvious errors, but it resulted in the port 443 being closed, and the connection being refused. So if nginx-proxy isn’t working properly for you, make sure you are linking the correct folder, and have read/write permissions; | + | To supply the certificates to an image, you can use the following command (taken from the official nginx-proxy site): |
- | Where can I find more information on Docker? | + | docker run -d -p 80:80 -p 443:443 -v / |
+ | |||
+ | Remplacez / | ||
+ | |||
+ | Si vous préférez avoir plus de contrôle (ou si vous avez un seul certificat pour plusieurs domaines), vous pouvez, à la place, paramétrer la variable CERT_NAME dans l' | ||
+ | |||
+ | Pour une utilisation et une gestion facilitée des variables, je recommanderais l' | ||
+ | |||
+ | **Possible issues | ||
+ | |||
+ | I ran into an issue where I had mistakenly linked the cert file in place of the private key, which resulted in nginx -s reload failing on nginx-proxy. There were no obvious errors, but it resulted in the port 443 being closed, and the connection being refused. So if nginx-proxy isn’t working properly for you, make sure you are linking the correct folder, and have read/write permissions; | ||
+ | |||
+ | Possible issues | ||
+ | |||
+ | J'ai rencontré un problème quand j'ai relié par erreur le fichier cert au lieu de la clé privée, ce qui a entraîné le non-fonctionnement de nginx -s reload sur nginx-proxy. Il n'y avait pas d' | ||
+ | |||
+ | **Where can I find more information on Docker? | ||
The docker hub pages for the various images typically tell you how to configure them. If you read the documentation page on docker-compose, | The docker hub pages for the various images typically tell you how to configure them. If you read the documentation page on docker-compose, | ||
- | I hope this article proves useful for anyone who, like me, was making the process much more complicated than necessary, or was running into a similar issue as I did. If you have any questions, comments, or article suggestions, | + | I hope this article proves useful for anyone who, like me, was making the process much more complicated than necessary, or was running into a similar issue as I did. If you have any questions, comments, or article suggestions, |
+ | |||
+ | Où puis-je trouver plus d' | ||
+ | |||
+ | Les pages hub de Docker pour les différentes images vous disent typiquement comment les configurer. Si vous lisez la page de documentation de docker-compose, | ||
+ | |||
+ | J' |
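The failure described under "Possible issues" (a certificate copied where the private key belongs, so nginx-proxy closes port 443 with no obvious error) can be caught before the container is started. The script below is an added example, not code from the article or from the nginx-proxy project; the ~/certs layout with NAME.crt and NAME.key and the sample PEM files are assumptions, and it checks PEM file types and permissions only, not that the key cryptographically matches the certificate.

```shell
#!/bin/sh
# Preflight check for the certificate folder that is mounted into nginx-proxy.
# Added example, not from the article: it catches the mistake described under
# "Possible issues" (a certificate copied in place of the private key) before
# nginx -s reload fails silently inside the container. The layout ~/certs with
# NAME.crt and NAME.key is an assumption; Let's Encrypt itself stores the files
# as fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/.

# pem_kind FILE: print "cert", "key" or "unknown" from the first PEM header line.
pem_kind() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        '-----BEGIN CERTIFICATE-----') echo cert ;;
        '-----BEGIN PRIVATE KEY-----' | '-----BEGIN RSA PRIVATE KEY-----' | '-----BEGIN EC PRIVATE KEY-----')
            echo key ;;
        *) echo unknown ;;
    esac
}

# check_pair DIR NAME: return 0 only if DIR/NAME.crt is a certificate and
# DIR/NAME.key is a private key; report anything wrong on stderr.
check_pair() {
    crt="$1/$2.crt"; key="$1/$2.key"; status=0
    if [ "$(pem_kind "$crt")" != cert ]; then
        echo "ERROR: $crt is missing or is not a PEM certificate" >&2
        status=1
    fi
    case "$(pem_kind "$key")" in
        key) ;;
        cert) echo "ERROR: $key holds a certificate, not a private key (cert.pem or fullchain.pem copied instead of privkey.pem?)" >&2
              status=1 ;;
        *) echo "ERROR: $key is missing or is not a PEM private key" >&2
           status=1 ;;
    esac
    # Only the user running docker needs to read the key; warn if everyone can.
    if [ -f "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "WARNING: $key is world-readable; consider chmod 600" >&2
    fi
    return $status
}

# Constructed demo reproducing the article's mistake: both files hold a fake certificate.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-sample-not-a-real-certificate' \
    '-----END CERTIFICATE-----' > "$demo/example.crt"
cp "$demo/example.crt" "$demo/example.key"
if check_pair "$demo" example; then
    echo "files look sane; safe to mount $demo into nginx-proxy as /etc/nginx/certs"
else
    echo "fix the files above before mounting $demo into nginx-proxy"
fi
```

Run it against the folder you intend to pass with -v before restarting nginx-proxy; a non-zero exit means the container would load a broken pair.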
issue126/c_c.1509297482.txt.gz · Last modified: 2017/10/29 18:18 by auntiee