I use Jason Wilder’s nginx reverse proxy container as the gateway to my various Docker dev environments. Among its other services, it provides SSL termination, so I don’t need to worry about configuring SSL in every container I run.
The setup is pretty simple. Make a directory of certificates and mount it into the container at /etc/nginx/certs. In docker-compose.yml, it would look something like:
version: "2"
services:
  proxy:
    image: jwilder/nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/certs:/etc/nginx/certs
      - /var/run/docker.sock:/tmp/docker.sock
You’ll need to create a new certificate for each domain you want to serve. Add them to the certs dir, and the proxy will find them and serve those domains with SSL.
I’ve created a script that will create the certificate and, on OS X at least, add it to your login keychain as a trusted certificate so you can avoid SSL warnings from your browser. Create the file create-cert.sh in your certs directory and run it from there. E.g., certs/create-cert.sh mysite.dev.
#!/bin/bash
# Creates a self-signed wildcard certificate for DOMAIN (covering DOMAIN and
# *.DOMAIN) in the directory this script lives in, then trusts it on OS X.
CERTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
DOMAIN=$1
if [ $# -lt 1 ]; then
  echo 1>&2 "Usage: $0 domain.name"
  exit 2
fi
cd "${CERTDIR}"
# OpenSSL request config: no interactive prompts, SAN lists both names.
cat > "${DOMAIN}.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = *.${DOMAIN}
[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${DOMAIN}
DNS.2 = ${DOMAIN}
EOF
# Self-signed, 2048-bit RSA, SHA-256 signature (browsers reject SHA-1 signed
# certificates), valid ten years, private key left unencrypted for nginx.
openssl req \
  -new \
  -newkey rsa:2048 \
  -sha256 \
  -days 3650 \
  -nodes \
  -x509 \
  -keyout "${DOMAIN}.key" \
  -out "${DOMAIN}.crt" \
  -config "${DOMAIN}.cnf"
rm "${DOMAIN}.cnf"
# On OS X, add the certificate to the login keychain as a trusted root.
if [[ $OSTYPE == darwin* ]]; then
  sudo security add-trusted-cert -d -r trustRoot -k "$HOME/Library/Keychains/login.keychain" "${DOMAIN}.crt"
fi
Reload your proxy, and you can now visit https://mysite.dev/.