If you’ve been following along with this series of tutorials, you’ll have built a LEMP stack capable of handling multiple vhosts. That’s all very well – but if you expect your users to enter their username and password into the site then you’ll need to provide them with a little security. The only way to do that is with ssl, certificates for which used to be pricey or came with strings attached.<\/p>\n
Let’s Encrypt<\/a>\u00a0is a certificate authority started by the Electronic Frontier Foundation, Mozilla Foundation, University of Michigan, Akamai Technologies and Cisco Systems to provide ssl certificates for free, and to simplify the process of securing your website into the bargain. They take donations though – and this is one project that you really should consider supporting.<\/p>\n I’ve used Let’s Encrypt on other websites and the process has always been very simple – so I naively assumed that securing my Dockerised website would be nice and simple too. It wasn’t. It’s not that the process is particularly difficult or time consuming – it’s just that it took a little while to work out the incantations.<\/p>\n These instructions assume that you’ve followed the steps in the other tutorials of this series.<\/p>\n It may be possible to generate your certificates in your main website container but if it is then I couldn’t work out how to do it easily. I created a new container just for maintenance.<\/p>\n Now copy your existing certificates out of the nginx container. This step may not be necessary, but since the nginx configuration references these dummy certificates it’s do this step or remove the references to the dummies in the nginx.conf. I leave it up to you to decide which you prefer.<\/p>\n Next create your configuration file – docker-compose.yml. \u00a0You might use vi or emacs to edit the file, but I prefer the easy life so I’ll be using nano. \u00a0The important thing is what the yml file contains:<\/p>\n Add the following lines to the docker-compose.yml file<\/p>\n Now your website is going to need a little downtime. Fortunately this doesn’t take long, and the certificates only need to be renewed once every six months – so this outage shouldn’t have too much impact on your site availability. If your site is critical then consider using a load balancer like Amazon’s excellent Elastic Load Balancer so that you can failover to the ‘B’ side during certificate updates.<\/p>\n Now your website is down you’ll want to carry out these next steps as quickly as possible in order to ensure that there’s minimal outage. In fact, it should be fairly simple to refactor these steps and script them so that the outage is limited to a few seconds – but I’ll leave that as an exercise for you.<\/p>\n Log in to the maintenance container as follows:<\/p>\n Now execute the following commands in the container:<\/p>\n Generate the certificate for your website, noting that you can put in as many domain parameters as you have domains to register.<\/p>\n Provided that no errors have been raised your certificates will now have been generated. Copy them out of the container.<\/p>\n Now exit out of your maintenance container and shut it down.<\/p>\n If this is the first time you’ve enabled ssl on your lemp stack you’ll need to make a few minor changes.<\/p>\n First, edit your docker-compose.yml file so that you can access your new certificates. Add this volume line to the nginx section:<\/p>\n Your docker-compose.yml file should now look something like this:<\/p>\n Now you’ll need to make a change to the vhost configuration for your website. The changes we want to make will make nginx load the certificates and also force traffic over ssh (so that our users don’t accidentally connect unencrypted, which might introduce the risk that they enter secret information without having a secured connection).<\/p>\n Now edit your configuration to add your certificates – you do this by adding the ssl_certificate and ssl_certificate_key lines in your server block:<\/p>\n Finally, lets force the connection onto https (i.e. let’s force it to be secure). We can do this by removing the listen directive for port 8080 (i.e. unsecured connections) so that our website only responds to ssl secured connections. We still need to respond to port 8080 though in order to ensure that the website loads on unsecured connections by automatically switching to a secure connection. Do this by adding a new server block:<\/p>\n After all that your configuration should look something like this:<\/p>\n Even though those last few steps won’t be necessary for renewal, the next step definitely is. Right now, nginx won’t be able to load your certificate – it doesn’t have permission. Make good this problem as follows:<\/p>\n If you’ve carried out all of those steps successfully then you can restart your containers and enjoy your newly secured website – thanks to Let’s Encrypt!<\/p>\n This series wouldn’t have been possible without Bitnami<\/a> and Let’s Encrypt<\/a>, let alone nginx<\/a>, MariaDB<\/a> and PHP-FPM<\/a>. I’m haven’t been sponsored by them to write these articles – I’ve just found them to be genuinely the best solution for hosting my websites.<\/p>\n","protected":false},"excerpt":{"rendered":" If you’ve been following along with this series of tutorials, you’ll have built a LEMP stack capable of handling multiple vhosts. That’s all very well – but if you expect your users to enter their username and password into the site then you’ll need to provide them with a little security. The only way to … <\/p>\nConfiguring your Maintenance Container<\/h2>\n
cd ~ \r\nmkdir -p maint-compose\/public \r\nmkdir -p lemp-compose\/certificates<\/pre>\n
cd ~\/lemp-compose\/certificates\r\ndocker cp lempcompose_nginx_1:\/opt\/bitnami\/nginx\/conf\/bitnami\/certs\/server.crt .\r\ndocker cp lempcompose_nginx_1:\/opt\/bitnami\/nginx\/conf\/bitnami\/certs\/server.key .<\/pre>\n
Setting up the Maintenance Container<\/h2>\n
cd ~\/maint-compose \r\nnano docker-compose.yml<\/pre>\n
version: '2'\r\n\r\nservices:\r\n nginx:\r\n image: 'bitnami\/nginx:latest'\r\n ports:\r\n - '8080:8080'\r\n - '80:80'\r\n volumes:\r\n - .\/public:\/app\r\n - ..\/lemp-compose\/certificates:\/bitcerts<\/pre>\n
Starting the Maintenance Container<\/h2>\n
cd ~\/lemp-compose\r\ndocker-compose stop\r\ncd ~\/maint-compose\r\ndocker-compose up -d<\/pre>\n
Generating Certificates<\/h2>\n
docker exec -i -t --user root maintcompose_nginx_1 bash<\/pre>\n
install_packages wget xz-utils\r\ncd \/tmp\r\ncurl -s https:\/\/api.github.com\/repos\/xenolf\/lego\/releases\/latest | grep browser_download_url | grep linux_amd64 | cut -d '\"' -f 4 | wget -i -\r\ntar xf lego_linux_amd64.tar.xz\r\nmv lego_linux_amd64 \/usr\/local\/bin\/lego<\/pre>\n
lego --email=\"<website owner email address>\" --domains=\"website domain name\" --path=\"\/etc\/lego\" run<\/pre>\n
cp \/etc\/lego\/certificates\/*.key \/bitcerts\r\ncp \/etc\/lego\/certificates\/*.crt \/bitcerts<\/pre>\n
exit\r\ndocker-compose stop<\/pre>\n
Configuration Updates<\/h2>\n
- .\/certificates:\/bitnami\/nginx\/conf\/bitnami\/certs<\/pre>\n
version: '2'\r\n\r\nnetworks:\r\n app-tier:\r\n driver: bridge\r\n\r\nservices:\r\n maria-db:\r\n image: 'bitnami\/mariadb:latest'\r\n networks:\r\n - app-tier\r\n environment:\r\n - MARIADB_ROOT_PASSWORD=<Your Root Password Goes Here>\r\n volumes:\r\n - .\/db-data:\/bitnami\r\n nginx:\r\n image: 'bitnami\/nginx:latest'\r\n depends_on:\r\n - phpfpm-<your website name>\r\n networks:\r\n - app-tier\r\n ports:\r\n - '80:8080'\r\n - '8080:8080'\r\n - '443:8443'\r\n - '8443:8443'\r\n volumes:\r\n - .\/nginx\/nginx.conf:\/bitnami\/nginx\/conf\/nginx.conf\r\n - .\/nginx\/fastcgi.conf:\/bitnami\/nginx\/conf\/fastcgi.conf\r\n - .\/logs:\/opt\/bitnami\/nginx\/logs\r\n - .\/nginx\/vhosts:\/bitnami\/nginx\/conf\/vhosts\r\n - .\/public:\/opt\/bitnami\/nginx\/html\r\n - .\/certificates:\/bitnami\/nginx\/conf\/bitnami\/certs\r\n phpfpm-<your website name>:\r\n image: 'bitnami\/php-fpm:latest'\r\n networks:\r\n - app-tier\r\n volumes:\r\n - .\/public\/<your website name>\/htdocs:\/app\r\n - .\/logs\/<your website name>-php:\/opt\/bitnami\/php\/log<\/pre>\n
nano ~\/nginx\/vhosts\/sites-available\/<your website name>.conf<\/pre>\n
ssl_certificate \/bitnami\/nginx\/conf\/bitnami\/certs\/www.<your website name>.com.crt;\r\nssl_certificate_key \/bitnami\/nginx\/conf\/bitnami\/certs\/www.<your website name>.com.key;<\/pre>\n
server {\r\n listen 0.0.0.0:8080;\r\n server_name www.<your website name>.com;\r\n return 301 https:\/\/$server_name$request_uri;\r\n}<\/pre>\nserver {\r\n listen 0.0.0.0:8080;\r\n server_name www.<your website name>.com;\r\n return 301 https:\/\/$server_name$request_uri;\r\n}\r\n\r\nserver {\r\n listen 0.0.0.0:8443;\r\n server_name www.<your website name>.com;\r\n ssl_certificate \/bitnami\/nginx\/conf\/bitnami\/certs\/www.<your website name>.com.crt;\r\n ssl_certificate_key \/bitnami\/nginx\/conf\/bitnami\/certs\/www.<your website name>.com.key;\r\n server_tokens off;\r\n \r\n error_log \"\/opt\/bitnami\/nginx\/logs\/<your website name>-error.log\";\r\n access_log \"\/opt\/bitnami\/nginx\/logs\/<your website name>-access.log\";\r\n\r\nlocation \/ {\r\n try_files $uri $uri\/index.php;\r\n }\r\n\r\nlocation ~ \\.php$ {\r\n # fastcgi_pass [PHP_FPM_LINK_NAME]:9000;\r\n fastcgi_pass phpfpm-<your website name>:9000;\r\n fastcgi_index index.php;\r\n include fastcgi.conf;\r\n root \/app;\r\n fastcgi_intercept_errors on;\r\n }\r\n\r\nlocation ~ \\.htm$ {\r\n root \/opt\/bitnami\/nginx\/html\/<your website name>\/htdocs;\r\n }\r\n \r\n location ~* \\.(js|css|png|jpg|jpeg|gif|ico|dmg|zip)$ {\r\n expires max;\r\n log_not_found off;\r\n root \/opt\/bitnami\/nginx\/html\/<your website name>\/htdocs;\r\n }\r\n}<\/pre>\nFinal touches<\/h2>\n
cd ~\/lemp-compose\/certificates\r\nchmod 664 *<\/pre>\n
Restart your Containers<\/h2>\n
cd ~\/lemp-compose\r\ndocker-compose up -d<\/pre>\n