Closed dimbacode closed 10 months ago
This is the key disadvantage to having your server tucked away behind a NAT and trying to use the provided certbot bundled with CapRover. For SSLs to be issued, your CapRover instance must be reachable from the outside world.
There are a couple of ways to do this, but the way a lot of people are doing this is using a CloudFlare Argo Tunnel (part of their Zero Trust suite of services). This has the advantage of issuing an SSL directly on their end with no further need on your end. However, you can also enable SSLs on the CapRover side if you leverage this service, so you can get end-to-end encryption.
The other way would be if you have an IP that can be reached from the outside world, then you can expose and forward ports 80 and 443 to your CapRover instance. This is generally not an option if your internet provider is LTE/5G based, or satellite based such as Starlink (like I have). This requires access to the router.
Another option is to set up a cheap VPS for as low as $3.50/mo with a provider like Vultr that gives you a static IP and then run a reverse proxy server back to your machine. You can use WireGuard as a server on the VPS with HAProxy or some other proxy application and then the client on your CapRover instance, but this is tricky to set up. Another option would be to use something like BoringProxy, which can issue an SSL directly on the VPS side, or let your CapRover instance issue it.
The easiest way, which doesn't require any static IP or access to a router, would simply be to use CloudFlare tunnels. This is the setup I recommend to most people because it also adds a thin layer of extra web application production and some usage insights as a bonus.
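A preflight check for choosing between the options in the answer above, added here as an example that is not part of the original thread or of CapRover. It compares the address in the app's DNS record, the address on the router's WAN interface, and the address an outside service reports; the function names, result labels and sample addresses are assumptions, and only IPv4 is handled.

```python
import ipaddress

# IPv4 ranges that a CA's validation request can never reach from the internet.
UNREACHABLE = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918
    "cgnat": ["100.64.0.0/10"],        # RFC 6598, carrier-grade NAT
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
}


def classify(addr):
    """Return the name of the unreachable range addr falls in, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in UNREACHABLE.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return "public"


def issuance_path(dns_ip, wan_ip, seen_ip):
    """Pick one of the thread's options from three observations.

    dns_ip  - address the app's DNS record resolves to
    wan_ip  - address on the router's WAN interface
    seen_ip - address an outside service reports for this connection
    """
    if classify(wan_ip) != "public" or wan_ip != seen_ip:
        # Another NAT sits upstream of the router, so forwarding
        # 80/443 on the router cannot make the instance reachable.
        return "tunnel-or-vps"
    if dns_ip != seen_ip:
        # Forwarding can work, but validation would go to the wrong address.
        return "fix-dns-then-forward"
    return "forward-80-443"


# Constructed samples. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for real public addresses.
SAMPLES = [
    ("192.168.1.20", "100.72.3.9", "198.51.100.7"),    # LTE/satellite style link
    ("192.168.1.20", "203.0.113.10", "203.0.113.10"),  # record points at the LAN
    ("203.0.113.10", "203.0.113.10", "203.0.113.10"),  # ready to forward
]

if __name__ == "__main__":
    for dns_ip, wan_ip, seen_ip in SAMPLES:
        print(dns_ip, wan_ip, seen_ip, "->", issuance_path(dns_ip, wan_ip, seen_ip))
```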
Thank you very much for the tips. I use pfsense as a firewall, so I will test with haproxy.
I'm using caprover with a local installation, but I would like some apps to be accessed externally. Now I can add a new domain in the app. What I would like to know is if it is possible for this application to use SSL (https)? If it is possible, how should I configure it? Should I generate a specific SSL for the subdomain?
Example: I have an app subddomain.domain.com.br that will point to a specific application in caprover. Is it possible to generate a specific SSL for this application?
Thanks