Comments (4)
Per default there is a self-signed certificate generated and used in the container. Self-signed certificates are usually not accepted automatically by other components (e.g. Traefik, Apache or even browsers; you have to explicitly accept them). I use Apache as reverse proxy and have to set SSLProxyVerify none explicitly in the configuration.
From my point of view you have 3 options to solve your problem:
- Modify configuration of reverse proxy (e.g. traefik) to accept the self-signed certificate
  For traefik I can not tell you how to modify the configuration. Using Apache as reverse proxy you could add SSLProxyVerify none to the configuration to accept self-signed certificates.
- Use your own certificate (non-self-signed, valid) with the webtrees container
  As described in the README there is the ability to use your own certificates. Therefore you have to map the internal folder /crt to an external location. This folder should contain the two files webtrees.key (key without password protection) and webtrees.crt (certificate). Example (see -v /<path_to_your_cert>:/crt):
  docker run -d -p 8088:8079 --name webtrees -v /<path_to_your_cert>:/crt -v /webtrees/data:/var/www/html/data -v /webtrees/media:/var/www/html/media -e PORT=8079 --restart always dtjs48jkt/webtrees
- Disable SSL in the container to use plain http communication between traefik and the webtrees container
  It is possible to disable SSL communication of the container. So traefik would communicate with the webtrees container using plain http. Example (sets port to 80 and disables SSL):
  docker run -d -p 80:8079 --name webtrees -v /webtrees/data:/var/www/html/data -v /webtrees/media:/var/www/html/media -e DISABLE_SSL=TRUE -e PORT=8079 --restart always dtjs48jkt/webtrees
from webtrees.
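As an added illustration of the first option above (this fragment is not from the issue thread or the webtrees project), the Apache reverse-proxy configuration below shows the SSLProxyVerify none setting mentioned in the comment next to a stricter variant that trusts only the container's own self-signed certificate. The server name, backend host and port, and all file paths are assumed placeholders.

```apache
# Added example, not from the webtrees issue thread. Assumed values:
# the container answers at https://webtrees-container:8079 and its
# webtrees.crt has been copied to /etc/apache2/proxy-ca/webtrees.crt.
<VirtualHost *:443>
    ServerName webtrees.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webtrees.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/webtrees.example.org.key

    SSLProxyEngine on

    # Variant A (what the comment above uses): accept any backend certificate.
    # The proxy then never checks who it is talking to on the internal hop.
    # SSLProxyVerify none
    # SSLProxyCheckPeerCN off
    # SSLProxyCheckPeerName off

    # Variant B: trust exactly the container's self-signed certificate.
    # Depth 0 means only a self-signed certificate that is itself listed in
    # the CA file is accepted, so a swapped backend certificate is rejected.
    SSLProxyVerify require
    SSLProxyVerifyDepth 0
    SSLProxyCACertificateFile /etc/apache2/proxy-ca/webtrees.crt
    # Keep the name check on when the certificate's CN/SAN matches the
    # backend hostname; turn it off only if the self-signed cert cannot.
    SSLProxyCheckPeerName on

    ProxyPreserveHost On
    ProxyPass        / https://webtrees-container:8079/
    ProxyPassReverse / https://webtrees-container:8079/
</VirtualHost>
```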
Yes, I've got it running on port 80. I was hoping it would be possible to make the certificate configuration section more modular, so that certificate paths are not hard-coded and you could still activate SSL for people using other proxy solutions. I'm guessing if Apache just had mod_ssl but everything else could remain open, maybe that would work?
from webtrees.
Sorry but I am unsure if I got your proposal right.
I did investigate a bit about possible Traefik settings. Currently traefik is not able to handle self-signed certificates of backends. There is an open issue concerning this topic: TLS client auth to backends #3038. There might be an option to use insecureSkipVerify. But that will affect all backends.
So currently there is no solution to realize my first proposal together with traefik.
The 3rd proposal works with traefik as you stated. Fine.
Now about making the certificate section more configurable:
From my point of view there is currently nothing really hard coded, since you can map with the command -v nearly everything into the container as you like. It is not only possible to map an external directory to /crt, which should contain the certificate and private key with predefined names. You can even map the single files to any location. E.g. -v /<any_where>/<any_name>.crt:/crt/webtrees.crt -v /<any_where>/<any_name>.key:/crt/webtrees.key
That is why I do not exactly understand what you mean with a more modular configuration section.
- Do you think http and https should be usable at the same time on different ports?
- Should the https configuration section be more configurable (define ciphers, encryption protocols)?
- Or any other option to handle certificate and private key files differently?
Please be so kind as to be more precise about what should be changed.
from webtrees.
Since there have been no further discussions and no actions could be derived, the issue will be closed.
from webtrees.