compdemocracy / polis

:milky_way: Open Source AI for large scale open ended feedback
https://pol.is
GNU Affero General Public License v3.0

Support production SSL via letsencrypt #289

Open patcon opened 4 years ago

patcon commented 4 years ago

Re-ticketed from https://github.com/pol-is/polisServer/issues/287#issuecomment-638330260

mailcow-dockerized tackles SSL using letsencrypt, and uses docker-compose for standing up a production instance. We could eventually learn from that for our prod setup -- was hoping to discuss using that approach when we're further along. But self-signed is still worth getting in, imho

What config looks like for administrators: https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/
Code that allows setup: https://github.com/mailcow/mailcow-dockerized/tree/master/data/Dockerfiles/acme

Self-signed [insecure] SSL cert support is added in pending PR https://github.com/pol-is/polisServer/pull/253, but that's only for dev

patcon commented 4 years ago

An underlying assumption of the above docker approach is that we're open to supporting the use-case of someone eventually running a production deploy with docker-compose. (Seems to have worked well for the complex install of the mailcow email setup.)

Of course, this could be deemed out of scope, in which case this functionality can live in a fork. What do others think? From a maintenance perspective, is there reluctance to support this? From the third-party host perspective, is this a feature they'd expect/desire in this repo?

cc: @joshsmith2

ballPointPenguin commented 4 years ago

I wonder how this is handled currently on https://pol.is.

The approach to this could be variable for community, self-hosted, or whatever-hosted, installations. Not sure if the better solution would be to provide some good documentation, since this would be dependent somewhat on the infrastructure being used (e.g. heroku).

In my case, I make use of this docker letsencrypt & nginx proxy solution: https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion

And I have that automated such that it works with any new service that I deploy on my infrastructure. I am under the impression that this is something that people tend to solve for themselves in a manner that fits their usage.

Maybe we can document a "happy path" or two, e.g. How to get a Polis instance up and running on Digital Ocean

metasoarous commented 3 years ago

Right now we use heroku tooling for encryption.

I think we'd love to have turnkey (or as close to as possible) SSL support, and if that's possible via docker-compose, then great. The officially supported self-deployment path will be via docker-compose, and so we'll need to split dev from production concerns into a separate compose file.

Simon-Dirks commented 2 years ago

I recently deployed to a VPS and used Caddy as a simple reverse proxy. Perhaps not a sustainable solution but made my life a whole lot easier as a quick fix!

metasoarous commented 2 years ago

Hi @Simon-Dirks. Thanks for sharing. Do you have any OSS code that you'd be able to point to for this?

Simon-Dirks commented 2 years ago

> Hi @Simon-Dirks. Thanks for sharing. Do you have any OSS code that you'd be able to point to for this?

See https://github.com/compdemocracy/polis/issues/1495#issuecomment-1219256374!

tyliec commented 1 year ago

> I recently deployed to a VPS and used Caddy as a simple reverse proxy. Perhaps not a sustainable solution but made my life a whole lot easier as a quick fix!

Thanks for this - was able to do the same, but with nginx!

Example server.conf

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:5000;  # Forward traffic to port 5000 on localhost
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
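As an added example, not code from the Polis project or from anyone in this thread: a docker-compose stack implementing the nginx-proxy plus Let's Encrypt companion layout ballPointPenguin describes above (acme-companion is the current name of the linked letsencrypt-nginx-proxy-companion image), fronting a Polis server on port 5000 as in tyliec's nginx config. The hostname, the e-mail address and the polis-server build context are placeholders, not values from the project.

```yaml
# Added example (not from the polis repo or this thread): TLS termination with
# nginx-proxy + acme-companion in front of a Polis server listening on 5000.
# polis.example.org, ops@example.org and the build context are placeholders.
services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"     # needed for the ACME http-01 challenge; HTTP is redirected to HTTPS
      - "443:443"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs:ro
      # The proxy generates vhosts from container events. Anything that can reach
      # the Docker socket is effectively root on the host: keep the mount read-only
      # and treat both proxy containers as trusted infrastructure.
      - /var/run/docker.sock:/tmp/docker.sock:ro

  acme-companion:
    image: nginxproxy/acme-companion
    depends_on:
      - nginx-proxy
    volumes_from:
      - nginx-proxy
    volumes:
      - certs:/etc/nginx/certs:rw   # companion writes issued certs; the proxy reads them
      - acme:/etc/acme.sh           # persists account keys and renewal state
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - DEFAULT_EMAIL=ops@example.org   # placeholder; receives Let's Encrypt expiry notices

  polis-server:
    build: ./server          # assumption: align with the project's own compose/build files
    expose:
      - "5000"               # reachable only on the compose network, never published on the host
    environment:
      - VIRTUAL_HOST=polis.example.org      # placeholder hostname nginx-proxy will serve
      - VIRTUAL_PORT=5000
      - LETSENCRYPT_HOST=polis.example.org  # placeholder; triggers certificate issuance
      # - LETSENCRYPT_TEST=true             # use the staging CA while testing to avoid rate limits

volumes:
  conf:
  vhost:
  html:
  certs:
  acme:
```

Issuance only succeeds once DNS for the placeholder hostname points at this host and ports 80/443 are reachable from the Internet; until then the proxy serves a self-signed default certificate.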