I just rolled out a template that "enables SSL" for your Docker based setup.
I would like to cover configuration here:
This guide assumes your container configuration file is /var/docker/containers/standalone.yml
and that discourse docker is installed at: /var/docker
Step 1
Go to namecheap or some other SSL cert provider and purchase an SSL cert for your domain. Follow all the steps documented by them to generate a private key and CSR and finally get your cert. I used the Apache defaults; they will work fine.
Keep your private key and cert somewhere safe.
Step 2
Get a signed cert and key and place them in the /var/docker/shared/ssl/ folder.
Private key is:
/var/docker/shared/ssl/ssl.key
Cert is:
/var/docker/shared/ssl/ssl.crt
File names are critical: do not stray from them, or your nginx template will not know where to find the cert.
Step 3
Add a reference to the nginx ssl template from your application yml configuration file:
templates:
- "templates/cron.template.yml"
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/sshd.template.yml"
- "templates/web.template.yml"
- "templates/web.ssl.template.yml"
Step 4
Tell your container to listen on SSL
expose:
- "80:80"
- "2222:22"
- "443:443"
Step 5
Rebootstrap your image
./launcher destroy standalone
./launcher bootstrap standalone
./launcher start standalone
Step 6
Profit, you are done.
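Before running the destroy/bootstrap cycle in Step 5, it is worth confirming that the two files in /var/docker/shared/ssl really are the pair nginx will be handed: a key that does not match the cert, an expired cert, or a cert that does not cover DISCOURSE_HOST_NAME only shows up after the rebuild. The following pre-flight check is an added example, not part of this guide or of discourse_docker; ssl_preflight and its host-name argument are this example's own assumptions, while the ssl.key/ssl.crt names and directory are the ones the guide fixes.

```shell
#!/bin/sh
# Pre-flight check for the files web.ssl.template.yml expects, run before
# "./launcher bootstrap". ssl_preflight and its host-name argument are this
# example's own; the ssl.key / ssl.crt names and the directory are from the guide.
# usage: ssl_preflight /var/docker/shared/ssl forum.example.com

ssl_preflight() {
  dir="${1:-/var/docker/shared/ssl}"
  host="$2"
  key="$dir/ssl.key"
  crt="$dir/ssl.crt"

  # 1. Both files must exist under exactly these names, or nginx will not find them.
  [ -f "$key" ] || { echo "missing private key: $key" >&2; return 1; }
  [ -f "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }

  # 2. The private key should be readable by its owner only (mode x00).
  perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
  case "$perm" in
    *00) ;;
    *) echo "ssl.key is mode $perm; expected 600 (chmod 600 $key)" >&2; return 1 ;;
  esac

  # 3. The key must belong to the cert: their public keys must be identical.
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot parse $key as a private key" >&2; return 1; }
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
    || { echo "cannot parse $crt as a certificate" >&2; return 1; }
  [ "$pub_key" = "$pub_crt" ] \
    || { echo "ssl.key does not match ssl.crt (wrong key or wrong cert copied)" >&2; return 1; }

  # 4. The cert must still be valid today.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "ssl.crt has expired" >&2; return 1; }

  # 5. If a host name is given, it must appear as the subject CN or a DNS SAN,
  #    since every request is redirected to https://DISCOURSE_HOST_NAME.
  if [ -n "$host" ]; then
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
      | grep -E -q "(CN ?= ?|DNS:)$host(,|\$| )" \
      || { echo "ssl.crt does not cover $host" >&2; return 1; }
  fi

  echo "ok: $crt and $key are a valid pair for ${host:-<any host>}"
  return 0
}
```

Run it as root on the Docker host with the same host name you put in DISCOURSE_HOST_NAME; a non-zero exit means fix the files before bootstrapping.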
Troubleshooting
If anything goes wrong, be sure to read through the logs using
./launcher logs standalone
How this works
The template used is vaguely based on @igrigorik's recommended template with two missing bits:
- I disabled SPDY for now, until we upgrade the base image to NGINX 1.4.7, due to a buffer overflow in 1.4.6 (I am considering changing our base image to use mainline NGINX, at least optionally)
- I skipped OCSP stapling because it involves a slightly more complex setup
- I had to skip the session tickets setting, which is not available until we use mainline
The image has rewrite rules that will redirect any requests on either port 80 or 443 to https://DISCOURSE_HOST_NAME, meaning that if you have a cert that covers multiple domains they can all go to a single one.
Customising this setup is very easy, see:
You can make a copy of that file and amend the template as needed.
The advantage of using templates and replace here is that we get to keep all the rest of the Discourse recommended NGINX setup, which changes over time.
Enjoy!