Better SSL integration

[PabloVallejo]

I've successfully added SSL to the status page, I had to modify Dockerfile so that it copied the ssl files to the container.

Does adding an empty folder (conf/ssl) that is then copied in Dockerfile and also exposing port 443 make sense to you, if yes I can add a PR with those changes so that other users can setup setup connections easily.

Thanks,

[gamkiller77]

I would just submit the PR. I have done this already for other parts. Adding and expose for port 443 would make a ton of sense.

[djdefi]

Hi @PabloVallejo, thanks for bringing this up. I think SSL is super important for us to have great built in support for. Your suggestion got me thinking, and I would like to propose and track a few items to level up 🍄 the use of SSL in the Cachet Docker image.

• I propose that we add a Docker specific option to set up https://letsencrypt.org/ automatically, and default to enabled to make it as easy as possible 🔐 .

• When adding in a custom (third party) SSL cert / config, I recommend mounting them from the host into the container directly using volumes rather than adding them to an image. We can document this procedure.

  This will allow custom certs and key etc without needing to build an image locally that copies the cert + key into the image. If for some reason your custom image (containing the key 🔑 ) gets pushed to the public Docker hub, you would need to revoke that key etc. That is no fun 😢 .

• Option to helps configure custom / third party certs ☝️ in some way. Maybe a CUSTOM_SSL_ENABLED option that helps put the SSL nginx config options in the right spots and warns if no cert and key is mounted?

• The port 443 expose can be set at runtime as well, but if we add letsencrypt by default it makes sense to add it to the Dockerfile and docker-compose.yml file as well.

[jgimenez]

If you'd like to keep a modular design, maybe you would prefer to have an nginx in front of Cachet and keep this image simple.

I use jwilder/nginx-proxy in a docker-compose like this, this image even has the option to use Let's Encrypt to automatically generate the certificates:

  nginx-proxy:
    image: jwilder/nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs:ro
    environment:
      - DEFAULT_HOST=status.xxxx.com
    restart: always

Also there are other options like Traefik.

[djdefi]

https://github.com/jwilder/nginx-proxy is my preferred solution, however I think #271 may need to be addressed upstream first.

[asyd]

Hi, I'm having almost the same issue.

I use the docker image, exposed with traefik (which handle letencrypts). However while I start the docker with -e APP_URL=https://mydomainname and configure cachethq with https in setup, cachethq still create links with http:// prefix which is very annoying, do you known a way to fix that?

[vantzs]

I posted this on the main CachetHQ project but I'll share my custom solution to this here.

I have OpenLiteSpeed acting as a reverse proxy for all of my docker web apps with LetsEncrypt. In order to make this script function without editing the php file for allowed hosts I used OpenLiteSpeed's mod rewrite functionality which is similar to Apache. I'm posting this here as I don't know git well enough to do a pull/merge or what ever it is. However I'm hoping that in the future this little bit of code will help people. While this isn't probably the preferred method for this, I noticed a few posts about it when I was going through the list of issues. I'm sure someone could take this and modify it to work out of the box with most web servers.

This one is for Cachet-Proxy vhost
rewriteCond %{HTTPS} !on
rewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L] RewriteRule ^/(.*)$ http://Cachet-Proxy/$1 [P,E=Proxy-Host:YourSub/DomainGoesHere]

This one is for the Docker-Proxy (Portainer) vhost
rewriteCond %{HTTPS} !on
rewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L] RewriteRule ^/(.*)$ http://Docker-Proxy/$1 [P,E=Proxy-Host:YourSub/DomainGoesHere]

That being said I actually run OpenLiteSpeed + Certbot on the docker host natively. Since I'm using it as a reverse proxy I only have to open 80:443:8443(OLS Admin) on that VPS. Since OpenLiteSpeed has a web interface for the backend while I'm building my docker images I'm usually proactively thinking about how/where I am going to set OpenLiteSpeed up for that application.

You can test my configuration on my Cachet Page. I by no means am not a linux/docker expert but I can try and answer questions if you need help.

[sadortun]

Why not using Caddy as a sidecar container in front of Cachet ? https://caddyserver.com/

[CumpsD]

Why not using Caddy as a sidecar container in front of Cachet ? https://caddyserver.com/

@sadortun Forgive the stupid question, but how would you go forward with this?

[andelhie]

Sidecar are deployed on the same Pod as the Cachet Pod and it in the path of the network to take up the SSL work from what I understand. In the Deployment yaml you would spell out 2 containers with the sidecar bing the inbound first touch container.

[GrahamCampbell]

Caddy would be a no-go, because it's not free for commercial usage.

[GrahamCampbell]

What if we simply allowed a user to at least drop an SSL cert in the conf folder, or something?

[kornrunner]

Hi, I'm having almost the same issue.

I use the docker image, exposed with traefik (which handle letencrypts). However while I start the docker with -e APP_URL=https://mydomainname and configure cachethq with https in setup, cachethq still create links with http:// prefix which is very annoying, do you known a way to fix that?

Workaround: within conf/nginx-site.conf I've added:

fastcgi_param HTTPS on;

along with the rest fastcgi_param directives within server block.
APP_URL was defined with https:// in docker-compose.yml

[lbennett-stacki]

I'm getting this too. I have cachet behind SSL terminating load balancer.

Mixed Content: The page at 'https://status.my.domain/setup' was loaded over HTTPS, but requested an insecure favicon 'http://status.my.domain/img/favicon.ico'. This request has been blocked; the content must be served over HTTPS.

[Lite5h4dow]

Hi, I'm having almost the same issue.
I use the docker image, exposed with traefik (which handle letencrypts). However while I start the docker with -e APP_URL=https://mydomainname and configure cachethq with https in setup, cachethq still create links with http:// prefix which is very annoying, do you known a way to fix that?

Workaround: within conf/nginx-site.conf I've added:

fastcgi_param HTTPS on;

along with the rest fastcgi_param directives within server block. APP_URL was defined with https:// in docker-compose.yml

this fixed the issue for me