erddap icon indicating copy to clipboard operation
erddap copied to clipboard
verified publisher icon ERDDAP

docker compose: add nginx-proxy profile with auto-ssl

Open srstsavage opened this issue 8 months ago • 2 comments

Description

Adds an nginx-proxy profile to the example docker-compose.yml which manages automatic creation and renewal of letsencrypt SSL certificates using HTTP-01 ACME challenges.

At least partially addresses #249

Type of change

Please delete options that are not relevant.

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] This change requires a documentation update

Checklist before requesting a review

  • [x] I have performed a self-review of my code
  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] My changes generate no new warnings
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [x] New and existing unit tests pass locally with my changes

srstsavage avatar Apr 24 '25 17:04 srstsavage

I dunno why the build is failing when only docker-compose.yml was touched ¯\(ツ)

Maybe third time's the charm?

srstsavage avatar Apr 25 '25 05:04 srstsavage

Sounds good! Let me know if you run into any issues.

srstsavage avatar Apr 25 '25 19:04 srstsavage

Sounds good! Let me know if you run into any issues.

So I know getting certificates for localhost is extremely complicated. This doesn't do anything to support that, correct? But it should just work if they actually own a domain and set the .env properly?

ChrisJohnNOAA avatar Apr 28 '25 15:04 ChrisJohnNOAA

So I know getting certificates for localhost is extremely complicated. This doesn't do anything to support that, correct? But it should just work if they actually own a domain and set the .env properly?

Correct, this does not cover self-signed certificates. An admin would need to generate a self-signed cert themselves, set up a nginx or other webserver configuration using that cert, and also install and trust that cert on any devices they wanted to use to connect to their ERDDAP (i.e. they'd need to know their way around PKI already). The approach in this PR supports any public hostname, including dynamic DNS hostnames like Duck DNS.

srstsavage avatar Apr 28 '25 15:04 srstsavage