cogentapps / chat-with-gpt

An open-source ChatGPT app with a voice
https://www.chatwithgpt.ai
MIT License
2.31k stars 493 forks

feat: Add HTTPS support with fallback to HTTP #49

Closed Fakhruu closed 12 months ago

cogentapps commented 1 year ago

Thanks for the PR, good idea to add this!

Instead of baking certs into the Dockerfile, I think it would be better to expect the user to mount the cert folder as a Docker volume at runtime (using -v, like with the data folder currently).

The modified Dockerfile here would break the GitHub Action that deploys pre-built Docker images since no cert is included there.

It would also be good to let the user specify the path to the cert folder with an environmental variable. People who are running the server outside Docker may want to use the folder generated by letsencrypt directly.
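
One way to implement the suggestion above (cert folder supplied at runtime through an environment variable, HTTP when no cert is present), as an added example that is not code from this PR or the project. `CERT_DIR`, `loadTlsOptions` and `createServer` are hypothetical names; `fullchain.pem` and `privkey.pem` are the file names certbot writes for Let's Encrypt.

```javascript
// Added example; CERT_DIR, loadTlsOptions and createServer are hypothetical names.
const fs = require('node:fs');
const path = require('node:path');
const http = require('node:http');
const https = require('node:https');

// File names certbot writes under /etc/letsencrypt/live/<domain>/.
const CERT_FILE = 'fullchain.pem';
const KEY_FILE = 'privkey.pem';

// Returns { options, warnings } when both files are readable, or null so the
// caller can fall back to HTTP. The folder is mounted at runtime, not baked in.
function loadTlsOptions(certDir) {
  if (!certDir) return null;
  const keyPath = path.join(certDir, KEY_FILE);
  let cert, key, mode;
  try {
    cert = fs.readFileSync(path.join(certDir, CERT_FILE));
    key = fs.readFileSync(keyPath);
    mode = fs.statSync(keyPath).mode; // follows letsencrypt's live/ symlinks
  } catch (err) {
    return null; // missing or unreadable files: no TLS
  }
  const warnings = [];
  // A private key readable by group/other is a common volume-mount mistake.
  if (mode & 0o077) warnings.push(`${keyPath} is accessible to group/other`);
  return { options: { cert, key, minVersion: 'TLSv1.2' }, warnings };
}

// Builds an HTTPS server when certs load, otherwise an HTTP server.
function createServer(handler, env = process.env) {
  const tls = loadTlsOptions(env.CERT_DIR);
  if (!tls) {
    // Make the downgrade visible when TLS was requested but could not be set up.
    if (env.CERT_DIR) console.warn(`No usable certs in ${env.CERT_DIR}, serving HTTP`);
    return { scheme: 'http', server: http.createServer(handler) };
  }
  tls.warnings.forEach((w) => console.warn(`TLS warning: ${w}`));
  return { scheme: 'https', server: https.createServer(tls.options, handler) };
}
```

With Docker, the folder would be mounted with `-v` and its in-container path passed as the environment variable; outside Docker the variable can point at the letsencrypt folder directly.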

catgirl69 commented 1 year ago

Agree

ttimasdf commented 1 year ago

Is it a good idea to bake HTTPS handling into the application server? I think it's unnecessary in many cases.

For a production deployment, people (almost) always use an external load balancer for TLS termination, or similar things like API gateway, serverless computing providers. If not, certification management, especially renewal, will be a pain.

On the other hand, if you only want to quickly set up a dev environment in your homelab, there are better ways to do that using traefik.

Here's a minimal working example, also production ready.

1. Create a traefik instance (a one-time job on each machine)

```sh
# Shared network that traefik and the proxied services attach to.
docker network create --attachable gateway

# traefik listens on 80/443 and requests certificates from Let's Encrypt.
docker run -d \
  --name traefik \
  --network gateway \
  -p 80:80 \
  -p 443:443 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$PWD/traefik.toml:/traefik.toml" \
  -v "$PWD/acme.json:/acme.json" \
  traefik:v2.4 \
  --api.insecure=true \
  --providers.docker=true \
  --providers.docker.exposedbydefault=false \
  --entrypoints.web.address=:80 \
  --entrypoints.websecure.address=:443 \
  --certificatesresolvers.letsencrypt.acme.email=<your-email> \
  --certificatesresolvers.letsencrypt.acme.storage=/acme.json \
  --certificatesresolvers.letsencrypt.acme.tlschallenge=true \
  --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web \
  --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
```

We can also use docker compose but that's beyond the topic.

2. Create the web service through docker compose.

```yaml
# compose.yml
services:
  web:
    image: ghcr.io/cogentapps/chat-with-gpt:release
    volumes:
      - {type: bind, source: "./data", target: "/app/data"}
    networks: [gateway]
    expose: [3000]
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=gateway"
      - "traefik.http.routers.chatgpt.rule=Host(`chatgpt.com`)"
      - "traefik.http.routers.chatgpt.tls.certresolver=letsencrypt"

networks:
  gateway: {external: true, name: gateway}
```

3. Copy-paste the YAML config above to create any number of SSL-enabled services.