C
C#6mo ago
Senti

Webapi with SSL in production, using docker

Hi there, I'm able to run my webapi on HTTP through docker (and docker-compose) on my production server (classic VPS). I found a lot of different things about certificates on the web, to enable HTTPS, but nothing is clear to me. Could you give me some hint about what needs to be done ? At this stage, I already have a fullchain.pem and privkey.pem files (generated with LetsEncrypt, and used by my nginx container, serving my Angular app on HTTPS). Can I use these 2 files to enable HTTPS on the API container ? I see we can use "openssl" to map these files into one pfx certificate. Is it the way to go ? I also saw some info about "dotnet dev-certs", but I guess it's only for development purpose ? In my docker-compose, I have my backend block done this way (but not working) : 
backend:
    container_name: myWebApi
    image: mydockerhub/myWebApi:1.0
    expose:
      - "5001"
    depends_on:
      - database
    restart: always
    environment:
      - ASPNETCORE_ENVIRONMENT=Production
      - ASPNETCORE_URLS=https://+5001
      #- ASPNETCORE_Kestrel__Certificate__Default__Path=/app/cert/some_certificate.pfx
      #- ASPNETCORE_Kestrel__Certificate__Default__Password=some_password
      - DB_CONNECTION_STRING=server=database;port=3306;user id=root;password=root;database=some_db
    volumes:
      - ./cert:/app/cert:ro
backend:
    container_name: myWebApi
    image: mydockerhub/myWebApi:1.0
    expose:
      - "5001"
    depends_on:
      - database
    restart: always
    environment:
      - ASPNETCORE_ENVIRONMENT=Production
      - ASPNETCORE_URLS=https://+5001
      #- ASPNETCORE_Kestrel__Certificate__Default__Path=/app/cert/some_certificate.pfx
      #- ASPNETCORE_Kestrel__Certificate__Default__Password=some_password
      - DB_CONNECTION_STRING=server=database;port=3306;user id=root;password=root;database=some_db
    volumes:
      - ./cert:/app/cert:ro
Is it the good way to do (if I remove both comments) ? Do I have to handle something particular on code side ? Is the solution to use some reverse_proxy in front of the API ? (if I understand, the idea could be to use some nginx receiving HTTPS calls, and passing it to the API only in HTTP) Sorry I'm a bit lost, my brain has burnt all day long on this. Thanks for any help !
4 Replies
cathei
cathei6mo ago
Did you set up domain and all? The regular practice is to set up SSL for your load balancer and do internal networking with plain HTTP
Senti
SentiOP6mo ago
I'm not sure I got your question : yes my VPS is running, and available through IP or domain name. What you call "load balancer" is probably what I called "reverse_proxy"
cathei
cathei6mo ago
I'm asking since I'm wondering if there is reason you want to set it up in your app container So I'd say yes for this
Is the solution to use some reverse_proxy in front of the API ?
Senti
SentiOP6mo ago
so these are the corresponding docker-compose services I guess : 
backend-proxy:
    container_name: backend-proxy
    image: nginx:1.24-alpine-slim
    ports:
      - "81:80"
      - "5000:443"
    restart: always
    volumes:
      - ./backend-proxy-conf/reverse_proxy.conf:/etc/nginx/conf.d/default.conf:ro # set-up reverse proxy conf
      - ./backend-proxy-logs:/var/log/nginx
      - /etc/ssl:/etc/ssl:ro # volume on certificates
      
backend:
    container_name: myWebApi
    image: mydockerhub/myWebApi:1.0
    expose:
      - "5001"
    depends_on:
      - database
    restart: always
    environment:
      - ASPNETCORE_ENVIRONMENT=Production
      - ASPNETCORE_URLS=http://+5001
      - DB_CONNECTION_STRING=server=database;port=3306;user id=root;password=root;database=some_db
backend-proxy:
    container_name: backend-proxy
    image: nginx:1.24-alpine-slim
    ports:
      - "81:80"
      - "5000:443"
    restart: always
    volumes:
      - ./backend-proxy-conf/reverse_proxy.conf:/etc/nginx/conf.d/default.conf:ro # set-up reverse proxy conf
      - ./backend-proxy-logs:/var/log/nginx
      - /etc/ssl:/etc/ssl:ro # volume on certificates
      
backend:
    container_name: myWebApi
    image: mydockerhub/myWebApi:1.0
    expose:
      - "5001"
    depends_on:
      - database
    restart: always
    environment:
      - ASPNETCORE_ENVIRONMENT=Production
      - ASPNETCORE_URLS=http://+5001
      - DB_CONNECTION_STRING=server=database;port=3306;user id=root;password=root;database=some_db
And the reverse_proxy conf, maybe : 
server {
    listen 80;
    listen 443;
    location / {
        proxy_pass       http://myWebApi:5001/;  # I don't know if I can use container name here directly
    }
}
server {
    listen 80;
    listen 443;
    location / {
        proxy_pass       http://myWebApi:5001/;  # I don't know if I can use container name here directly
    }
}
`
Want results from more Discord servers?
Add your server