thecodingmachine / docker-images-php

A set of PHP Docker images
MIT License
768 stars 137 forks

How do I get SSL working? #388

Open joelataylor opened 2 months ago

joelataylor commented 2 months ago

Hi ya. I'm trying to set up SSL but it's not linking the default-ssl.conf Apache config into the sites-enabled directory. If I symlink it there manually, I then get a missing cert error: /etc/ssl/certs/ssl-cert-snakeoil.pem isn't on the system. So I thought ok, should I go manually create the self-signed cert? Nope, that didn't work either.

So, I think I'm going down a rabbit hole that I shouldn't be. I'm sure you've built the platform for SSL capabilities.

Note: I actually don't think what I'm trying to do (call the AWS API) will work with a self-signed cert. 🤔

Here are my Docker files:

Dockerfile

FROM thecodingmachine/php:8.3-v4-apache

USER root

RUN apt-get update && \
    apt-get install -y \
        git \
        libpq-dev \
        libzip-dev \
        unzip \
        zip \
        wget \
        gnupg

ENV ACCEPT_EULA=Y

# Register the Microsoft repository GPG keys and add the repository
RUN curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add - \
    && curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list > /etc/apt/sources.list.d/mssql-release.list \
    && apt-get update

# Install MS ODBC Driver for SQL Server and other dependencies
RUN apt-get install -y msodbcsql18 unixodbc-dev

RUN PECL_EXTENSION=sqlsrv /usr/local/lib/thecodingmachine-php/extensions/core/docker-install.sh
RUN PECL_EXTENSION=pdo_sqlsrv /usr/local/lib/thecodingmachine-php/extensions/core/docker-install.sh
ENV PHP_EXTENSIONS="sqlsrv pdo_sqlsrv"

USER docker

docker-compose.yml

version: "3.9"
services:
    gxca-middleware:
        build: .
        restart: always
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ".:/var/www/html"
        environment:
            PHP_EXTENSION_XDEBUG: 1
            PHP_EXTENSION_MONGODB: 1
            PHP_EXTENSION_MYSQLI: 0
            PHP_EXTENSION_PDO_MYSQL: 0
            PHP_EXTENSION_MYSQLND: 0
            APACHE_DOCUMENT_ROOT: "public/"
            APACHE_EXTENSION_SOCACHE_SHMCB: 1
            APACHE_EXTENSION_SSL: 1
            PHP_INI_MEMORY_LIMIT: -1
            PHP_INI_UPLOAD_MAX_FILESIZE: 100M
            PHP_INI_POST_MAX_SIZE: 100M
            PHP_INI_XDEBUG__MODE: debug
            PHP_INI_XDEBUG__IDEKEY: VSCODE
            PHP_INI_XDEBUG__START_WITH_REQUEST: 1
            PHP_INI_XDEBUG__DISCOVER_CLIENT_HOST: 1
            PHP_INI_XDEBUG__REMOTE_START: 1
            PHP_INI_XDEBUG__CLIENT_PORT: 9003
            PHP_INI_XDEBUG__CLIENT_HOST: host.docker.internal
            PHP_INI_SESSION__SAVE_HANDLER: redis
            PHP_INI_SESSION__SAVE_PATH: "tcp://redis:6379"

mistraloz commented 2 months ago

To be honest, I never tried to activate Apache SSL. It should work, but as you've seen, some vhosts are not properly configured (because we do not generate the self-signed cert for our default vhost). I trust I never will. Instead of that you can add a reverse proxy to manage your certificate:

version: "3.9"
services:
  gxca-middleware:
    build: .
    # Reachable only through traefik on the private network: no host ports here
    networks:
      - back
    volumes:
      - ".:/var/www/html"
    labels:
      - traefik.enable=true
      # Must name the network traefik shares with this container
      - traefik.docker.network=back
      - traefik.http.routers.gxca-middleware_router.rule=Host(`gxca.localhost`)
      - traefik.http.routers.gxca-middleware_router.service=gxca-middleware_service
      - traefik.http.services.gxca-middleware_service.loadbalancer.server.port=80
  traefik:
    image: traefik:2.9
    command:
      - --providers.docker
      # Only containers labelled traefik.enable=true get a router
      - --providers.docker.exposedByDefault=false
      - --api.dashboard=false
    networks:
      - back
    ports:
      - "80:80"
    volumes:
      # Gives traefik full control of the Docker daemon; keep this container minimal
      - /var/run/docker.sock:/var/run/docker.sock
networks:
  back:

...then to configure SSL, you can use Traefik features (for self-signed, Let's Encrypt or any others). For example with LE:

# Override file (e.g. docker-compose.override.yml) merged into the one above.
# `command` lists are replaced, not merged, so the provider flags are repeated.
services:
  gxca-middleware:
    labels:
      # Route the vhost over the TLS entrypoint and let the "le" resolver issue the cert
      - traefik.http.routers.gxca-middleware_router.entrypoints=websecure
      - traefik.http.routers.gxca-middleware_router.tls.certresolver=le
  traefik:
    command:
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      - --api.dashboard=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.email=your@email.com
      # acme.json holds the account key and issued private keys; keep the volume private
      - --certificatesresolvers.le.acme.storage=/secrets/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - traefik_data:/secrets/
volumes:
  traefik_data:
    driver: local
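A small config check for the reverse-proxy setup described in this answer, added here as an example; it is not code from thecodingmachine/docker-images-php or from the commenter. It reads Traefik's command flags and the app container's labels the way Traefik does (`--key=value` and `key=value` pairs) and reports the gaps a reviewer looks for before trusting the TLS termination: `exposedByDefault` left on, the dashboard enabled, a router with no `tls.certresolver` (so the vhost is still served in the clear), a `traefik.docker.network` that the service is not actually attached to, host ports that bypass the proxy, and the Docker socket mount. `THREAD_CONFIG` is a constructed dict mirroring the two snippets merged together (in practice build it with `yaml.safe_load` on the compose file), and `hardened()` is a constructed fix, not something the thread shows.

```python
"""Lint a Compose dict for a Traefik TLS-termination setup (added example)."""
import copy


def parse_kv(items: list[str]) -> dict[str, str]:
    """Map ['--a.b=1', '--c.d'] or ['a.b=1'] to {'a.b': '1', 'c.d': 'true'}."""
    out: dict[str, str] = {}
    for item in items:
        key, sep, value = item.lstrip("-").partition("=")
        out[key] = value if sep else "true"
    return out


def lint_traefik(compose: dict) -> list[str]:
    """Return findings for a compose dict (list form for networks/labels assumed)."""
    findings: list[str] = []
    services = compose.get("services", {})
    traefik = services.get("traefik")
    if traefik is None:
        return ["fail: no traefik service defined"]
    flags = parse_kv(traefik.get("command", []))

    # Only containers that opt in via traefik.enable=true should get a router.
    if flags.get("providers.docker.exposedByDefault", "true").lower() != "false":
        findings.append("fail: traefik: providers.docker.exposedByDefault is not false")
    # The API/dashboard stays off unless it is deliberately protected.
    if flags.get("api.dashboard", "false") != "false" or flags.get("api.insecure") == "true":
        findings.append("fail: traefik: API/dashboard enabled")
    # The Docker socket grants root-equivalent control of the host; a :ro mount only
    # protects the socket file, not the API behind it, so always report it.
    if any(v.startswith("/var/run/docker.sock") for v in traefik.get("volumes", [])):
        findings.append("warn: traefik: mounts the Docker socket; prefer a socket proxy")

    resolvers = {k.split(".")[1] for k in flags if k.startswith("certificatesresolvers.")}
    entrypoints = {k.split(".")[1] for k in flags if k.startswith("entrypoints.")}

    for name, svc in services.items():
        if name == "traefik":
            continue
        labels = parse_kv(svc.get("labels", []))
        if labels.get("traefik.enable") != "true":
            continue
        # Ports published on the app container bypass the proxy and its TLS entirely.
        if svc.get("ports"):
            findings.append(f"fail: {name}: publishes host ports, bypassing traefik")
        net = labels.get("traefik.docker.network")
        if net and net not in svc.get("networks", []):
            findings.append(f"fail: {name}: traefik.docker.network={net} but service is not on it")
        routers = {k.split(".")[3] for k in labels if k.startswith("traefik.http.routers.")}
        for router in sorted(routers):
            prefix = f"traefik.http.routers.{router}."
            resolver = labels.get(prefix + "tls.certresolver")
            if resolver is None:
                findings.append(f"fail: {name}: router {router} has no tls.certresolver (plain HTTP)")
            elif resolver not in resolvers:
                findings.append(f"fail: {name}: router {router} uses undefined resolver {resolver}")
            entrypoint = labels.get(prefix + "entrypoints")
            if entrypoint is not None and entrypoint not in entrypoints:
                findings.append(f"fail: {name}: router {router} uses undefined entrypoint {entrypoint}")
    return findings


# Constructed input: the thread's two snippets merged, router still on plain HTTP.
THREAD_CONFIG = {
    "services": {
        "gxca-middleware": {
            "networks": ["back"],
            "labels": [
                "traefik.enable=true",
                "traefik.docker.network=traefik",
                "traefik.http.routers.gxca-middleware_router.rule=Host(`gxca.localhost`)",
                "traefik.http.routers.gxca-middleware_router.service=gxca-middleware_service",
                "traefik.http.services.gxca-middleware_service.loadbalancer.server.port=80",
            ],
        },
        "traefik": {
            "command": [
                "--providers.docker",
                "--providers.docker.exposedByDefault=false",
                "--api.dashboard=false",
                "--entrypoints.web.address=:80",
                "--entrypoints.websecure.address=:443",
                "--certificatesresolvers.le.acme.email=your@email.com",
                "--certificatesresolvers.le.acme.storage=/secrets/acme.json",
                "--certificatesresolvers.le.acme.tlschallenge=true",
            ],
            "networks": ["back"],
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "traefik_data:/secrets/"],
        },
    }
}


def hardened(compose: dict) -> dict:
    """Constructed fix: correct the network label and put the router on TLS with the LE resolver."""
    fixed = copy.deepcopy(compose)
    labels = fixed["services"]["gxca-middleware"]["labels"]
    labels[:] = [lab for lab in labels if not lab.startswith("traefik.docker.network=")]
    labels += [
        "traefik.docker.network=back",
        "traefik.http.routers.gxca-middleware_router.entrypoints=websecure",
        "traefik.http.routers.gxca-middleware_router.tls.certresolver=le",
    ]
    return fixed


if __name__ == "__main__":
    for cfg in (THREAD_CONFIG, hardened(THREAD_CONFIG)):
        print("\n".join(lint_traefik(cfg)) or "clean", end="\n---\n")
```

Run against the merged thread config it reports the network-name mismatch and the cleartext router; after `hardened()` only the socket warning remains, which is a design decision (a socket proxy or a separate Traefik host) rather than a label fix.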