Introduction
Exalate on-premise nodes (such as the Azure DevOps and ServiceNow nodes) are deployed as Docker images. There is no built-in SSL support: it is much simpler to bring up a reverse proxy in front of the node that terminates the SSL (TLS) connections.
Our preference is the jwilder/nginx-proxy image, which is a customization of the nginx proxy.
There is an excellent tutorial available here, but this page gives a quick start.
Setting Up jwilder/nginx-proxy With the Let's Encrypt SSL Configuration
version: '3'
services:
  proxy:
    restart: unless-stopped
    image: jwilder/nginx-proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      # read-only: the proxy only watches container events on the socket
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs:ro
      - ./conf.d:/etc/nginx/conf.d
      - ./vhost:/etc/nginx/vhost.d
      - ./www:/usr/share/nginx/html
    labels:
      - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
    environment:
      - DEFAULT_HOST=BERSERK_HOST
  letsencrypt:
    restart: unless-stopped
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/etc/nginx/certs:rw
      - ./vhost:/etc/nginx/vhost.d
      - ./www:/usr/share/nginx/html
networks:
  default:
    external:
      name: proxy

Both services are attached to an external Docker network named proxy, which must exist before the stack is started (docker network create proxy). The ./certs directory is mounted read-only into the proxy and read-write into the companion, so only the companion can write keys and certificates.
Using It in the Container
The next step is to configure a DNS name that points to the host on which the jwilder container is running; this page assumes exalate.acme.com.
In the service definition of the Exalate container, configure the following environment variables (the container must also be attached to the same Docker network as the proxy, here proxy, or nginx has no route to it):
...
environment:
  - LETSENCRYPT_HOST=exalate.acme.com
  - VIRTUAL_HOST=exalate.acme.com
...
Then cycle (stop and start) the container.
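Before cycling the container it is worth a quick preflight of the compose file, because the usual mistakes (a typo in VIRTUAL_HOST so it no longer matches the DNS name, LETSENCRYPT_HOST differing from VIRTUAL_HOST so the certificate is issued for the wrong name, or the Docker socket mounted read-write) only surface later as a failed vhost or a failed certificate. The script below is an added example, not part of Exalate or nginx-proxy. It deliberately avoids a YAML dependency and does a line-based scan, so it assumes the list style shown on this page: `- KEY=VALUE` under environment: and `- host:container[:mode]` under volumes:. The two compose fragments are constructed for the example.

```python
"""Preflight for a compose file that puts an Exalate node behind
jwilder/nginx-proxy. Added example; not Exalate's or nginx-proxy's own code.
Line-based scan (no PyYAML): assumes `- KEY=VALUE` environment entries and
`- host:container[:mode]` volume entries, as in the stack on this page."""
import re

ENV_RE = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
SOCK_RE = re.compile(r"^\s*-\s*/var/run/docker\.sock:(\S+)$")


def parse_env(text):
    """Collect KEY=VALUE pairs from `- KEY=VALUE` list items anywhere in the file."""
    env = {}
    for line in text.splitlines():
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env


def preflight(text, expected_host):
    """Return a list of problems; an empty list means the file looks right.

    expected_host is the DNS name that was pointed at the Docker host."""
    problems = []
    env = parse_env(text)
    vhost = env.get("VIRTUAL_HOST")
    lehost = env.get("LETSENCRYPT_HOST")

    if vhost is None:
        problems.append("VIRTUAL_HOST missing: nginx-proxy will not generate a vhost")
    elif vhost != expected_host:
        problems.append(f"VIRTUAL_HOST={vhost} does not match the DNS name {expected_host}")

    if lehost is None:
        problems.append("LETSENCRYPT_HOST missing: the companion will request no certificate")
    elif vhost is not None and lehost != vhost:
        problems.append("LETSENCRYPT_HOST differs from VIRTUAL_HOST: certificate name mismatch")

    # The proxy and the companion only read the Docker socket; a read-write
    # mount gives a compromised proxy container full control of the host.
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if m and not m.group(1).endswith(":ro"):
            problems.append("docker.sock is mounted read-write; mount it with :ro")
    return problems


# Constructed sample: the shape this page describes, done right.
GOOD_COMPOSE = """
services:
  proxy:
    image: jwilder/nginx-proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
  exalate:
    environment:
      - LETSENCRYPT_HOST=exalate.acme.com
      - VIRTUAL_HOST=exalate.acme.com
"""

# Constructed sample with three mistakes: VIRTUAL_HOST typo, the two host
# variables disagree, and the socket is mounted read-write.
BAD_COMPOSE = """
services:
  proxy:
    image: jwilder/nginx-proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock
  exalate:
    environment:
      - LETSENCRYPT_HOST=exalate.acme.com
      - VIRTUAL_HOST=exalte.acme.com
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_COMPOSE), ("bad", BAD_COMPOSE)):
        print(name, preflight(text, "exalate.acme.com") or "OK")
```

Run it against the real stack file with the DNS name you configured; a clean result means the proxy will generate a vhost for that exact name and the companion will request a certificate for the same name.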
The jwilder proxy detects that the container carries the VIRTUAL_HOST environment variable and automatically adds a matching vhost to the nginx configuration:
# exalate.acme.com
upstream exalate.acme.com {
    # Cannot connect to network of this container
    server 127.0.0.1 down;
    ## Can be connected with "nginx-proxy" network
    # francisexalatenet_bluejira_1
    server 172.18.0.8:8080;
}
server {
    server_name exalate.acme.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name exalate.acme.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/exalate.acme.com.crt;
    ssl_certificate_key /etc/nginx/certs/exalate.acme.com.key;
    ssl_dhparam /etc/nginx/certs/exalate.acme.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/exalate.acme.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://exalate.acme.com;
    }
}

Note the "server 127.0.0.1 down" entry in the upstream block: the proxy emits it for every network of the container that it cannot reach, and the real backend (172.18.0.8:8080 here) only appears when the container shares the proxy network. An upstream block with nothing but "down" entries means the container is not on that network.
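The generated vhost is what actually protects the node, so it pays to audit it rather than trust that the template did the right thing: port 80 must redirect to HTTPS, only TLS 1.2 and 1.3 may be offered, HSTS must be set with a one-year max-age, OCSP stapling must be on, session tickets off, and the upstream must contain at least one backend that is not marked "down". The script below is an added example and is not nginx-proxy's or Exalate's code. Its parser covers the flat `directive args;` / `name args { ... }` grammar the generated file uses, not the full nginx grammar, and the two vhosts it checks are constructed: a shortened copy of the one shown above, and a broken variant in which the container is not on the proxy network, legacy TLS is still enabled, and HSTS is missing.

```python
"""Audit of a vhost generated by jwilder/nginx-proxy for a VIRTUAL_HOST.
Added example; not nginx-proxy's or Exalate's own code. The parser handles
`directive args;` and `name args { ... }` only, which is all the generated
vhost uses. Sample configs below are constructed for the example."""
import re


def parse_nginx(text):
    """Parse into a list of (name, args, body) tuples. body is None for a
    plain directive and a nested list for a `{ ... }` block."""
    text = re.sub(r"#[^\n]*", "", text)                       # drop comments
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):             # directive + args
                words.append(tokens[pos].strip("'\""))
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                items.append((words[0], words[1:], block()))
                pos += 1                                       # consume "}"
            else:
                pos += 1                                       # consume ";"
                items.append((words[0], words[1:], None))
        return items

    return block()


def directives(body, name):
    """All (args, body) pairs of directives called `name` in one block."""
    return [(a, b) for n, a, b in body if n == name]


def audit_vhost(text):
    """Return a list of findings; [] means the vhost has the expected shape."""
    findings = []
    tree = parse_nginx(text)

    # An upstream whose only servers are `down` means the proxy could not
    # reach the container on any shared network.
    for args, body in directives(tree, "upstream"):
        live = [a for a, _ in directives(body, "server") if "down" not in a]
        if not live:
            findings.append(f"upstream {args[0]}: no reachable backend (container not on the proxy network?)")

    for _, body in directives(tree, "server"):
        ports = {a[0] for a, _ in directives(body, "listen")}
        if "443" in ports:
            protos = {p for a, _ in directives(body, "ssl_protocols") for p in a}
            if protos & {"SSLv3", "TLSv1", "TLSv1.1"}:
                findings.append("legacy TLS version enabled: " + ", ".join(sorted(protos)))
            hsts = [a for a, _ in directives(body, "add_header")
                    if a[:1] == ["Strict-Transport-Security"]]
            age = re.search(r"max-age=(\d+)", " ".join(hsts[0])) if hsts else None
            if not age or int(age.group(1)) < 31536000:
                findings.append("HSTS missing or max-age below one year")
            if directives(body, "ssl_stapling") != [(["on"], None)]:
                findings.append("OCSP stapling not enabled")
            if directives(body, "ssl_session_tickets") != [(["off"], None)]:
                findings.append("TLS session tickets not disabled")
        elif "80" in ports:
            returns = [a for a, _ in directives(body, "return")]
            if not any(a[:2] == ["301", "https://$host$request_uri"] for a in returns):
                findings.append("port 80 server does not redirect to HTTPS")
    return findings


# Constructed, shortened copy of the generated vhost shown on this page.
SAMPLE_VHOST = """
# exalate.acme.com
upstream exalate.acme.com {
    server 127.0.0.1 down;
    server 172.18.0.8:8080;
}
server {
    server_name exalate.acme.com;
    listen 80 ;
    return 301 https://$host$request_uri;
}
server {
    server_name exalate.acme.com;
    listen 443 ssl http2 ;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:!DSS';
    ssl_session_tickets off;
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://exalate.acme.com;
    }
}
"""

# Constructed broken variant: container unreachable, legacy TLS on, no HSTS.
SAMPLE_BROKEN = """
upstream exalate.acme.com {
    server 127.0.0.1 down;
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
    ssl_stapling on;
}
"""

if __name__ == "__main__":
    print("page vhost:", audit_vhost(SAMPLE_VHOST) or "OK")
    print("broken vhost:", audit_vhost(SAMPLE_BROKEN) or "OK")
```

On a live host, feed it the file the proxy writes (docker exec into the proxy container and read /etc/nginx/conf.d/default.conf); the audit is pure text processing, so it can also run from a backup copy of that file.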
The Let's Encrypt companion will automatically request a Let's Encrypt SSL certificate for LETSENCRYPT_HOST and add it to the configuration.
Note: Let's Encrypt must have a clear path to exalate.acme.com, since it checks that the service exists there with the right settings before it issues the certificate.