Part-DB-server
Enable SSL in Docker
So, I started looking at this because I was having problems with DigiKey (See issue #326, https://github.com/Part-DB/Part-DB-server/issues/326#issuecomment-1707264446). It turns out I still have DigiKey problems, but at least now I have SSL, too.
If this is of interest, I can submit a proper merge request, but the relevant changes are: https://github.com/Part-DB/Part-DB-server/compare/master...ewa:Part-DB-server:master . Primarily, there is an ssl version of symfony.conf and there is a directory mapping ./.docker/confs/ssl:/etc/apache2/ssl which provides the container with (user-generated) ssl keys. Naturally, such keys are unsigned or self-signed and will not be trusted by a browser until/unless the user configures their system or browser to do so, but that's a separate problem.
This makes https://localhost/en/ a valid URL for the container, and means that you can have an https url for (e.g.) a DigiKey app OAuth redirect URL (i.e. https://localhost/en/oauth/client/ip_digikey_oauth/check ), though that doesn't necessarily make everything work with DigiKey.
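As an added illustration (not the symfony.conf from the linked branch), here is the shape of an Apache vhost that serves the container over https://localhost using a key pair mounted from ./.docker/confs/ssl; the DocumentRoot, the certificate file names and the port-80 redirect are assumptions:

```apache
# Added example of an SSL-enabled vhost for the Part-DB container.
# Assumptions: the host directory ./.docker/confs/ssl is mounted at
# /etc/apache2/ssl (as in the post above), the image serves Symfony from
# /var/www/html/public, and mod_ssl plus mod_rewrite are enabled.
# The container must also publish port 443 for https://localhost to resolve.

<VirtualHost *:80>
    ServerName localhost
    # Send plain-HTTP clients to the TLS listener, so the OAuth redirect
    # URL registered with the provider is always reached over https.
    RewriteEngine On
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www/html/public

    SSLEngine on
    # Self-signed (or locally issued) pair generated by the user and placed
    # in ./.docker/confs/ssl on the host; file names are assumed here.
    SSLCertificateFile    /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
    # Refuse legacy protocol versions; current browsers do not need them.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    <Directory /var/www/html/public>
        AllowOverride None
        Require all granted
        # Symfony front controller: route unknown paths to index.php
        FallbackResource /index.php
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

The browser will still warn about a self-signed certificate until the user trusts it locally, as the post notes; the vhost only makes the https URL reachable.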
I wonder if it might be more comfortable to provide a docker-compose with a reverse proxy frontend with traefik that can automatically configure letsencrypt certificates: https://doc.traefik.io/traefik/user-guides/docker-compose/acme-tls/
Also this would have the advantage that it makes the TLS encryption independent from apache. I want to release an (experimental) docker image which uses RoadrunnerPHP in the future. Roadrunner has the potential to make Part-DB much faster than on a classic web server with PHP-fpm, as it can eliminate the overhead of initializing the whole framework on each request. But as roadrunner spawns its own webserver, there is no need to use apache and therefore you cannot use apache's ssl config (unless you want to use it as reverse proxy, but then you can use traefik too).
Hmm, I don't have any knowledge about roadrunner or traefik, so I can't say much there. For me, I would prefer for it not to depend on having a reverse-proxied, or otherwise globally-reachable, configuration. In my use case, where I'm basically a one-person operation, being able to run in a local-only mode is a good thing. And I believe OAuth should be fine with that, though I haven't looked at it in quite a while.
That said, anything's fine with me!