Agree
Is it a good idea to bake HTTPS handling into the application server? I think it's unnecessary in many cases.
For a production deployment, people (almost) always use an external load balancer for TLS termination, or something similar such as an API gateway or a serverless computing provider. If not, certificate management, especially renewal, will be a pain.
On the other hand, if you only want to quickly set up a dev environment in your homelab, there is a better way to do that using traefik.
Here's a minimal working example that is also production ready.
```shell
# Shared network that traefik and the application containers attach to
docker network create --attachable gateway

# acme.json must exist before the container starts and should be mode 0600,
# since it will hold the account key and issued private keys
docker run -d \
  --name traefik \
  --network gateway \
  -p 80:80 \
  -p 443:443 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $PWD/traefik.toml:/traefik.toml \
  -v $PWD/acme.json:/acme.json \
  traefik:v2.4 \
  --api.insecure=true \
  --providers.docker=true \
  --providers.docker.exposedbydefault=false \
  --entrypoints.web.address=:80 \
  --entrypoints.websecure.address=:443 \
  --certificatesresolvers.letsencrypt.acme.email=<your-email> \
  --certificatesresolvers.letsencrypt.acme.storage=/acme.json \
  --certificatesresolvers.letsencrypt.acme.tlschallenge=true \
  --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web \
  --certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
```
We can also use docker compose but that's beyond the topic.
```yaml
# compose.yml
services:
  web:
    image: ghcr.io/cogentapps/chat-with-gpt:release
    volumes:
      - {type: bind, source: "./data", target: "/app/data"}
    networks: [gateway]
    expose: [3000]
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=gateway"
      - "traefik.http.routers.chatgpt.rule=Host(`chatgpt.com`)"
      - "traefik.http.routers.chatgpt.tls.certresolver=letsencrypt"
networks:
  gateway: {external: true, name: gateway}
```
Thanks for the PR, good idea to add this!
Instead of baking certs into the Dockerfile, I think it would be better to expect the user to mount the cert folder as a Docker volume at runtime (using -v, like with the data folder currently).
The modified Dockerfile here would break the GitHub Action that deploys pre-built Docker images since no cert is included there.
It would also be good to let the user specify the path to the cert folder with an environment variable. People who are running the server outside Docker may want to use the folder generated by letsencrypt directly.