C# · 4w ago
Senti

Webapi with SSL in production, using docker

Hi there, I'm able to run my webapi on HTTP through docker (and docker-compose) on my production server (classic VPS). I found a lot of different things about certificates on the web, to enable HTTPS, but nothing is clear to me. Could you give me some hints about what needs to be done?

At this stage, I already have fullchain.pem and privkey.pem files (generated with LetsEncrypt, and used by my nginx container, serving my Angular app on HTTPS). Can I use these 2 files to enable HTTPS on the API container? I see we can use "openssl" to map these files into one pfx certificate. Is it the way to go? I also saw some info about "dotnet dev-certs", but I guess it's only for development purposes?

In my docker-compose, I have my backend block done this way (but not working):
```yaml
backend:
  container_name: myWebApi
  image: mydockerhub/myWebApi:1.0
  expose:
    - "5001"
  depends_on:
    - database
  restart: always
  environment:
    - ASPNETCORE_ENVIRONMENT=Production
    - ASPNETCORE_URLS=https://+:5001
    #- ASPNETCORE_Kestrel__Certificates__Default__Path=/app/cert/some_certificate.pfx
    #- ASPNETCORE_Kestrel__Certificates__Default__Password=some_password
    - DB_CONNECTION_STRING=server=database;port=3306;user id=root;password=root;database=some_db
  volumes:
    - ./cert:/app/cert:ro
```
Is this the right way to do it (if I remove both comments)? Do I have to handle something particular on the code side? Is the solution to use some reverse_proxy in front of the API? (If I understand, the idea could be to use some nginx receiving HTTPS calls, and passing them to the API only in HTTP.)

Sorry, I'm a bit lost, my brain has burnt all day long on this. Thanks for any help!
4 Replies
cathei · 4w ago
Did you set up a domain and all? The regular practice is to set up SSL for your load balancer and do internal networking with plain HTTP.
Senti · 4w ago
I'm not sure I got your question: yes, my VPS is running, and available through IP or domain name. What you call "load balancer" is probably what I called "reverse_proxy".
cathei · 4w ago
I'm asking since I'm wondering if there is a reason you want to set it up in your app container.
So I'd say yes for this: "Is the solution to use some reverse_proxy in front of the API?"
Senti · 4w ago
So these are the corresponding docker-compose services, I guess:
```yaml
backend-proxy:
  container_name: backend-proxy
  image: nginx:1.24-alpine-slim
  ports:
    - "81:80"
    - "5000:443"
  restart: always
  volumes:
    - ./backend-proxy-conf/reverse_proxy.conf:/etc/nginx/conf.d/default.conf:ro # set-up reverse proxy conf
    - ./backend-proxy-logs:/var/log/nginx
    - /etc/ssl:/etc/ssl:ro # volume on certificates

backend:
  container_name: myWebApi
  image: mydockerhub/myWebApi:1.0
  expose:
    - "5001"
  depends_on:
    - database
  restart: always
  environment:
    - ASPNETCORE_ENVIRONMENT=Production
    - ASPNETCORE_URLS=http://+:5001
    - DB_CONNECTION_STRING=server=database;port=3306;user id=root;password=root;database=some_db
```
And the reverse_proxy conf, maybe:
```nginx
server {
    listen 80;
    listen 443;
    location / {
        proxy_pass http://myWebApi:5001/; # I don't know if I can use container name here directly
    }
}
```
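The TLS-terminating reverse proxy discussed in this thread, written out as an added example (not part of any post above): nginx holds the Let's Encrypt certificate and forwards plain HTTP to the API on the compose network. The certificate directory `/etc/ssl/example/` is a placeholder path, and `backend` is the compose service name from the post; the port numbers follow the `81:80` and `5000:443` mappings shown there.

```nginx
# Added example, not the poster's file. Assumptions: the Let's Encrypt files
# sit under /etc/ssl/example/ (placeholder path) and the API is reachable as
# the compose service "backend" on port 5001.

# Container port 80 (published as host port 81): redirect everything to HTTPS.
server {
    listen 80;
    server_name _;
    # Host port 5000 is what the compose file maps to container port 443.
    return 301 https://$host:5000$request_uri;
}

server {
    # "ssl" is required; a bare "listen 443;" serves plain HTTP on that port.
    listen 443 ssl;
    server_name _;

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Docker's embedded DNS resolves compose service names on the
        # project network, so no IP address is needed here.
        proxy_pass http://backend:5001;

        # Pass the original host, client address and scheme to the API.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For the API to honour `X-Forwarded-Proto` (HTTPS redirects, generated URLs), forwarded-headers processing has to be enabled in ASP.NET Core, for example with `ASPNETCORE_FORWARDEDHEADERS_ENABLED=true` in the backend service's environment. Because the backend only uses `expose`, port 5001 stays reachable from the compose network alone and the unencrypted hop never leaves the host.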