phpmyadmin / docker

Docker container for phpMyAdmin
https://hub.docker.com/_/phpmyadmin
GNU General Public License v3.0

phpmyadmin with https only #220

Open erwinvanlun opened 5 years ago

erwinvanlun commented 5 years ago

I'm using the phpmyadmin/phpmyadmin package in a docker-compose file for a separate phpmyadmin container.

Goal: As a user, I'd like to access phpmyadmin like this: https://www.mysite.com:8000 Sidenotes on the goal: Only with SSL, to avoid passwords being entered on http pages. On localhost with a self-signed certificate, on production with a certbot certificate (stored in a volume).

As far as I understood, I have to modify the default nginx file. So my docker-compose file contains this section

```yaml
    image: phpmyadmin/phpmyadmin
    links:
      - mysql:db
    volumes:
      - ./config/phpmyadmin/nginx/mysite.conf:/etc/nginx/conf.d/default.conf
    ports:
      - 8080:80
```

unfortunately, this 'mysite.conf' doesn't overwrite the default.conf file (that seems to be a Docker feature I can't avoid).

I also tried to create a separate dockerfile, using phpmyadmin/phpmyadmin as a basis, but my statements aren't reached because the phpmyadmin/phpmyadmin dockerfile ends with:

```dockerfile
ENTRYPOINT [ "/docker-entrypoint.sh" ]
CMD ["%%CMD%%"]
```

Key question: how to make sure I only have SSL traffic between browser and this container?

(Sidenote: It is also difficult to enter the container with docker exec -t /bin/bash, only separate commands can be issued. Also because of the entrypoint. )

dadigi commented 5 years ago

Maybe you just want to expose HTTPS-port only?

```yaml
ports:
  - 8000:443
```

edit: the relevant config file is /etc/nginx.conf. You can change it by e.g.:

```yaml
volumes:
  - /sessions
  - /somewhere/config.user.inc.php:/etc/phpmyadmin/config.user.inc.php
  - /somewhere/ssl.conf:/etc/nginx.conf
```

williamdes commented 4 years ago

:ping_pong: what needs to be done on this issue?

daniela-waranie commented 4 years ago

I guess this is a request for improving the documentation.

I prefer to have docker images/containers that follow the 12-factor-app principles: https://12factor.net/ For that reason I suggest dropping the docker image variant "apache". In my opinion providing 1 image that has everything which is required for PMA (minimalistic approach) should be enough for this project to maintain, to build and to document. So "fpm-alpine" should be the only one that needs to be released.

If someone needs more tools then one should install these tools themselves - but maybe these tools should be installed on other docker images (e.g. on a mysql image if this tool is for e.g. backup/restore of DB dumps). If the "fpm" is meant for development of PMA then you should rename it to: "fpm-dev-env" or similar.

In addition to that you could provide documentation and maybe some docker-compose files to launch "fpm" with a reverse proxy in front of it (for the static content). Please provide examples for apache and nginx (using official apache/nginx docker images as separate containers). These projects do have good documentation on how to configure these containers incl. self-signed certs (private domains .local, .internal, etc.), if someone wants to get beyond basic setup. We could also recommend to use https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/ for Let's Encrypt enabled setups incl. supplying a basic docker-compose file for registered domains (pma.mydomain.com).

As the reverse proxy need the static content (CSS, JS, Images, Fonts) it can use --volume-from in the apache/nginx container to stay in sync with the PMA container sources.

Recommended setup (for private domains) should be: Nginx as proxy that redirects all HTTP (port 80) requests to HTTPS (same proxy, port 443, self-signed certs, HSTS) which accesses port 9000 of fpm.

Recommended setup (for registered domains) should be: letsencrypt-nginx-proxy-companion as proxy that redirects all HTTP (port 80) requests to HTTPS (same proxy, port 443, auto-renewed Let's Encrypt certs, HSTS) which accesses port 9000 of fpm.

For more advanced users: Certs and key could be mounted into the nginx container if someone owns a private CA or if someone wants to use certs of other public CAs or wants to use Let's Encrypt certs via DNS challenge e.g. via adferrand/letsencrypt-dns (e.g. for registered domains with private IPs in public nameservers => DNS split-horizon; requires disabling DNS-rebind protection in some local routers/nameservers).
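A reverse-proxy configuration matching the recommended setup above (plain HTTP only redirects to HTTPS, HSTS on the TLS listener, static content served by nginx, PHP handed to fpm on port 9000). This is an added example, not code from the phpMyAdmin project or from anyone in this thread; the compose service name `fpm`, the hostname `pma.mydomain.com`, the certificate paths under `/etc/nginx/certs/` and the shared document root `/var/www/html` are assumptions.

```nginx
# Added example (not from the phpMyAdmin project): nginx container in front of
# the phpmyadmin fpm-alpine container.
# Assumptions: the fpm container is reachable as compose service "fpm" on port
# 9000, the phpMyAdmin sources are shared into this container at /var/www/html
# (e.g. via --volumes-from), and the cert/key are mounted at the paths below.

server {
    listen 80;
    server_name pma.mydomain.com;
    # Port 80 never serves the login form; every request is sent to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name pma.mydomain.com;

    ssl_certificate     /etc/nginx/certs/pma.crt;   # self-signed or Let's Encrypt
    ssl_certificate_key /etc/nginx/certs/pma.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS: browsers that have seen this header refuse to follow http:// links.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Do not advertise the nginx version; "expose_php = Off" in the fpm
    # container's php.ini does the same for PHP.
    server_tokens off;

    root  /var/www/html;
    index index.php;

    # Static assets (CSS, JS, images, fonts) are served directly by nginx.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Only files that really exist and end in .php reach the fpm container.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass fpm:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Tell phpMyAdmin the original request was HTTPS, since fpm only sees
        # the plain FastCGI connection from the proxy.
        fastcgi_param HTTPS on;
    }
}
```

Publish only port 443 of the nginx container (and port 80 for the redirect); the fpm container needs no published ports at all, so the MySQL password can only ever travel over TLS.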

daniela-waranie commented 4 years ago

If someone needs an HTTP-only proxy for e.g. load balancing with SSL offloading then this person should be pro enough to implement it himself. We should not support HTTP-only. And apply the secure-by-default design principle incl. "hide php version" by default.