This project was to prove the TLS communication path between two ASP .net Core docker containers using docker-compose. In addition to TLS communication NGINX load balancers sit in front of each service which fowards all headers through to each service. Each service in turn, accepts the forwarded headers and recognize requests as TLS encrypted and attach HSTS headers to the response payload.

1. Install Certificate
   • Open Postman and navigate to Gear Icon -> Settings -> Certificates tab -> CA Certificates Click on the browse button
   • Navigate to Certificates -> ca -> intermediate -> certs -> Select ca-chain.crt

Otherwise postman will get: SSL Error: Unable to verify first certificate.. Postman doesnt respect the certificates installed on your machine, it needs to be trusted directly.

• /api/test
• /api/httpapicall
• /api/httpsapicall

• Service1 Load balancer
  • http: 8101
  • https: 8102
• Service1 Direct
  • http: 8103
  • https: 8104
• Service2 Load balancer
  • http: 8201
  • https: 8202
• Service2 Direct
  • http: 8203
  • https: 8204

GET /api/test HTTP/1.1
Host: localhost:8102

Response:
{
    "ServiceMessage": "Hello from service1!",
    "HostName": "fd9a4d6f939f \t fd9a4d6f939f\t 10.1.0.2",
    "RequestMethod": "GET",
    "RequestScheme": "https",
    "RequestUrl": "https://nginx/api/test",
    "RequestPath": "/api/test",
    "RequestHeaders": [
        "Cache-Control: no-cache",
        "Connection: keep-alive",
        "Accept: */*",
        "Accept-Encoding: gzip, deflate, br",
        "Host: nginx",
        "User-Agent: PostmanRuntime/7.26.5",
        "X-Real-IP: 10.1.0.1",
        "X-Original-Proto: http",
        "X-Original-Host: localhost:8102",
        "X-Forwarded-Port: 8102",
        "Postman-Token: e711d2d2-db7f-4370-b5ef-c28bcbe28696",
        "X-Original-For: [::ffff:10.1.0.3]:37430"
    ],
    "RemoteIp": "10.1.0.1"
}

• Docker compose tutorial

• Useful openssl commands

  • 1
  • 2

• How to setup the dev certificate when using Docker in development

• Stack overflow question. The third answer down was a useful extension method to replace the CertificateValidationCallBack. This proved very useful when debugging the reason behind certificate validation failures.

• Rob Rich presentation and github repo on this topic

• Openssl requiring certificate signing

• Dotnet dev certs on linux

• NGINX proxy cant get real remote ip

  • might be the fix for above bug

• Docker compose network_mode: host is only available for linux hosts