How to run a docker application over a secure server using letsencrypt?


I need to start a Horizon server over a secure network, using this github repo https://github.com/stellar/docker-stellar-core-horizon

Following the README doc, I tried:

    docker run --rm -it -p "8000:8000" --name stellar stellar/quickstart --testnet

This starts my horizon app on port 8000 with an http server. I need to run it over an https server. For this I tried out a few things like:

    docker run --rm -it -p "8000:443" --name stellar stellar/quickstart --testnet 

    docker run --rm -it -p "8000:8000" --name stellar stellar/quickstart --testnet docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem 

And a few more with these ssl keys. I tried to redirect https calls from the server to http calls using nginx, however I failed to do so.

Please provide a way to start a docker container over a secure server.


BEST ANSWER

What I had learned so far is that we can't run docker over a secure server. Docker just asks for a port over which it will provide services. The solution is simple: the application which is using docker needs to be secure. Over here I was not able to understand this docker application, so I used nginx for this.

My nginx file looked somewhat like this:

    server {
      listen 9000 ssl;
      server_name 127.0.0.1;

      # Certificate and key issued by Let's Encrypt (paths written by Certbot)
      ssl_certificate /etc/letsencrypt/live/staging.globalblockchain.io/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/staging.globalblockchain.io/privkey.pem; # managed by Certbot

      # Terminate TLS here and forward everything to the plain-HTTP Horizon port
      location / {
        proxy_pass http://127.0.0.1:8000;
      }
    }

What I did is, I used nginx to redirect calls over secure port 9000 to my local port 8000. So all my content on port 8000 was available over secure port 9000, and the UI was able to use this secure port 9000.

1

You need to do the proxy configuration within the docker image using nginx.

    server {
        listen              443 ssl;
        server_name         www.example.com;
        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
    }

As the dockerfile is available on Docker Hub, you can modify it to work with https and expose port 443. Then run docker as

    docker run --rm -it -p "8000:443" --name stellar stellar/quickstart --testnet

https://hub.docker.com/r/stellar/quickstart/~/dockerfile/

1

You want to deploy the https version of stellar core, or in that case any dockerized application, i.e. a web server, so you use the official let's encrypt image.

Here is the docker-compose.yml file with which you could deploy any dockerized web server inside docker compose and automate your certificate process.

    nginx:
      build: nginx-image
      links:
        - letsencrypt
        - app
      environment:
        - MY_DOMAIN_NAME=DOMAIN_NAME
      mem_limit: 2g
      cpu_shares: 256
      # restart: always
      ports:
        - "80:80"
        - "443:443"
      volumes_from:
        - letsencrypt

    letsencrypt:
      image: quay.io/letsencrypt/letsencrypt:latest
      command: bash -c "sleep 6 && certbot certonly --standalone -d DOMAIN_NAME --text --agree-tos --email your_email --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --verbose --renew-by-default --standalone-supported-challenges http-01"
      entrypoint: ""
      volumes:
        - /etc/letsencrypt
        - /var/lib/letsencrypt
      ports:
        - "80"
        - "443"
      environment:
        - TERM=xterm

    app:
      build: app-image
      ports:
        - "80"

Replace the domain name with your server CNAME and the email id in the above file. In the app section you need to assign the name of your image (the dockerized web server, in your case the stellar image). Then simply run docker-compose build and docker-compose up to run it securely.

There are other techniques: once you get the certificate you can simply mount it into the container as shown here. Or you could edit the dockerfile as mentioned in the above answer and run it directly on a secure port.
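Both the accepted answer and the compose-based answer above amount to the same design: the container keeps serving plain HTTP, and a TLS front end (nginx) holding a Let's Encrypt certificate sits in front of it. The script below is an added example of that design, not code from the thread, from stellar/quickstart or from Certbot. It assumes nginx and certbot are installed on the host, that DOMAIN is a name you control that resolves to the host, and that 8000 is the Horizon port from the question. It tightens three things the posted configs leave open: the plaintext container port is bound to loopback instead of every interface, the TLS block allows only TLS 1.2/1.3 (the second answer's config still enables TLSv1 and TLSv1.1, which are deprecated), and the proxy passes Host and X-Forwarded-Proto so the backend knows it is reached over https. The check_tls_conf function encodes those requirements so a generated or hand-written config can be screened before it is installed.

```shell
#!/bin/sh
# Added example: nginx TLS termination + Let's Encrypt in front of the Stellar
# quickstart container. Not from the thread; names below are assumptions.
set -eu

DOMAIN="${DOMAIN:-example.com}"          # assumed placeholder; replace with your host name
UPSTREAM="${UPSTREAM:-127.0.0.1:8000}"   # plain-HTTP Horizon port, loopback only
WEBROOT="/var/www/certbot"               # assumed path served for ACME http-01 challenges

# Print an nginx config that terminates TLS for $1 and proxies to $2.
nginx_tls_conf() {
  domain="$1"; upstream="$2"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    # Keep the ACME challenge path reachable over HTTP so renewals work.
    location /.well-known/acme-challenge/ {
        root ${WEBROOT};
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass         http://${upstream};
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Screen a config (passed as a string): fail on TLSv1/TLSv1.1, require TLS 1.3,
# HSTS and the forwarded-scheme header. Returns 0 when it passes.
check_tls_conf() {
  conf="$1"
  printf '%s\n' "$conf" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' && return 1
  printf '%s\n' "$conf" | grep -q 'ssl_protocols.*TLSv1\.3' || return 1
  printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security' || return 1
  printf '%s\n' "$conf" | grep -q 'X-Forwarded-Proto' || return 1
  return 0
}

# Start Horizon exactly as in the question, but published on 127.0.0.1 only,
# so the plaintext port is unreachable from outside the host.
run_horizon() {
  docker run --rm -d -p "127.0.0.1:8000:8000" --name stellar stellar/quickstart --testnet
}

# First issuance: run while nothing listens on :80 (nginx not yet started).
issue_cert() {
  certbot certonly --standalone -d "$DOMAIN" --agree-tos -n -m "admin@${DOMAIN}"
}

install_conf() {
  conf="$(nginx_tls_conf "$DOMAIN" "$UPSTREAM")"
  check_tls_conf "$conf" || { echo "config failed TLS checks" >&2; return 1; }
  mkdir -p "$WEBROOT"
  printf '%s\n' "$conf" > "/etc/nginx/conf.d/${DOMAIN}.conf"
  nginx -t && nginx -s reload
}

# Renewals answer the challenge through the webroot nginx serves on :80 and
# reload nginx so it picks up the new certificate.
renew_cert() {
  certbot renew --webroot -w "$WEBROOT" --deploy-hook "nginx -s reload"
}

main() {
  case "$1" in
    conf)    nginx_tls_conf "$DOMAIN" "$UPSTREAM" ;;
    run)     run_horizon ;;
    issue)   issue_cert ;;
    install) install_conf ;;
    renew)   renew_cert ;;
    *)       echo "usage: $0 conf|run|issue|install|renew" >&2; exit 2 ;;
  esac
}
[ $# -eq 0 ] || main "$@"
```

Order matters on first deployment: `run`, then `issue` before nginx is listening on port 80, then `install`; afterwards `renew` can go in a cron job. `conf` prints the generated config so it can be reviewed or diffed against the one already on the box.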