How to get https on docker install

Hi, guys

I’ve been reading the wiki for certificate authentication and the main docker-compose wiki but I don’t seem to understand how to get access to tt-rss from the outside using https :thinking:. Can you guys help me understand what I need to do?

Read this part: https://git.tt-rss.org/fox/ttrss-docker-compose/wiki#how-do-i-put-this-container-behind-a-reverse-proxy.

Then learn how to use Nginx and SSL.

Thanks for the answer, @pahles. I did read that part, and I tried to follow it, but it seems I don’t have enough knowledge in this area to understand it properly. Maybe I’m missing this part: “Don't forget to pass X-Forwarded-Proto to the container if you're using HTTPS.” How am I supposed to pass that? (It is my first time using docker containers, so I don’t know how that is supposed to be done.)

I edited the .env file as shown, and then edited the nginx.conf within the web-nginx directory with the content of that article. Is that the correct way?

When you say “Then learn how to use Nginx and SSL”, does it mean it can’t be done with certbot when you have nginx within this container?

I had successfully enabled SSL for my old “manual host install” of tt-rss and I have it enabled right now for my website in the “main” nginx install on my server (using certbot). But I don’t understand how I would do that to “the nginx within the docker container” (if that makes any sense).

Thanks for the help :bowing_man:. I really tried to read everything and search, but after hours and hours of trying I can’t get it to work. To me the “old” way was easy to understand: I just ran certbot for my nginx and everything was there. But now I don’t even understand how I affect that “nginx in the container”. If I can’t use certbot and I have to manually enable SSL there, how would I “pass” my certificates to the container?

I’m really sorry, guys. I’m very lost :sweat: :sweat:

I use another nginx instance with SSL certificate acting as a proxy for the nginx in docker.
X-Forwarded-Proto refers to an option you need to set on the proxy nginx instance (not the docker one).

You shouldn’t need to modify the container version, just the host version.

If it’s any help, here’s my (partial) nginx conf for my site:

server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name ttrss.example.com;
        access_log /var/log/nginx/access.ttrss.example.com.log;
        error_log /var/log/nginx/error.ttrss.example.com.log;
        root /var/www/example.com/html;
        ssl_certificate /etc/letsencrypt/live/ttrss.example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/ttrss.example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location /mobile {
                index index.php index.html index.htm;
                break;
        }
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_pass http://localhost:8280;
                break;
        }

}

The stuff you probably need to look at is in the location / block.

/var/www/example.com/html/ttrss-docker/.env:

TTRSS_SELF_URL_PATH=https://ttrss.example.com/tt-rss/
HTTP_PORT=8280

In general there’s no need to do anything with the nginx (web) container; just point your normal nginx to the exported port, as specified in .env.

And what made you switch to Docker?

My Raspberry Pi’s SSD failed… and so I decided it was a good time to change to a 64-bit OS. Once I went to the TT-RSS documentation, it said it is no longer a maintained method, so I decided to try.

Thanks to the rest of you guys. I couldn’t try and test your answers these days. I’m trying right now.

I managed to get it to work, guys! Everything is up and running.

Thank you very much for the help!

Would you mind sharing how you made it work? I’ve got pretty much the setup described here (I think), and all I get is a “502 Bad Gateway”. I’m probably missing something obvious.

If you don’t share what you have done nobody will ever know what you did wrong…

You have a point: reconstructing my setup from the previous information in the thread and my remark that I’ve got something that’s “pretty much” like that is too much to expect.

I was hoping for @PolGZ to share their setup in more detail, but still, here goes.

I’ll use x.y.z as the SSL-enabled host name, and consequently https://x.y.z/tt-rss/ would be where I hope to have tt-rss running.

On the one hand, I have a docker-compose setup just like instructed, with TTRSS_SELF_URL_PATH=https://x.y.z/tt-rss/, and HTTP_PORT=8280.

The “Bad Gateway” error is from my second nginx instance, which I’ve configured as follows in app.conf:

server {
  listen [::]:443 ssl;
  listen 443 ssl;
  server_name x.y.z;
  server_tokens off;
  ssl_certificate /etc/letsencrypt/live/x.y.z/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/x.y.z/privkey.pem;
  location /tt-rss/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://localhost:8280/tt-rss/;
    break;
  }
}

This second nginx runs in a docker-compose setup that currently just consists of one image (planning to add certbot for automated certificate updates once I have this going with the manually generated certificate):

version: '3'
services:
  nginx:
    image: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./conf.d:/etc/nginx/conf.d
      - ./letsencrypt:/etc/letsencrypt
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

Now, a request for https://x.y.z/tt-rss/ will yield the following error message from the second nginx:

[error] 10#10: *7 connect() failed (111: Connection refused) while connecting to upstream, client: a.b.c.d, server: x.y.z, request: "GET /tt-rss/ HTTP/1.1", upstream: "http://127.0.0.1:8280/tt-rss/", host: "x.y.z"

And again, I must be missing something obvious. Grateful for any advice.

Unless you make non-default adjustments, localhost and 127.0.0.1 inside a given container are local to that container, and not your host. You’ll want to read up on Docker networking (the “Networking overview” page in the Docker documentation).

That differs from my working setup (shown a few posts before) in that yours has /tt-rss/ on the end of it.

Which indicates that your setup is trying to send you to https://x.y.z/tt-rss/tt-rss - I’m not sure that’s what you’re after…

Thanks, everyone, for your help. I have this up and running now.

The line that ultimately helped in app.conf was this:

proxy_pass http://ttrss-docker-web-nginx-1:80/tt-rss/;

This, combined with exposing the outward facing nginx container to the network created by the compose setup running tt-rss, does the trick by using Docker name resolution and the fact that inside the Docker network, the port is 80, not 8280.
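The setup the last post describes, written out as an added example that is not from this thread or from the tt-rss project: a compose file for the outward-facing proxy that joins the network created by the tt-rss compose project. The network name `ttrss-docker_default` is assumed from the compose default for a project directory named `ttrss-docker` (the container name `ttrss-docker-web-nginx-1` seen above follows the same convention); the `conf.d/app.conf` fragment in the comments is likewise an assumption.

```yaml
# Added example: outward-facing nginx that proxies to the tt-rss web container
# over the compose-created network instead of the host-published HTTP_PORT.
# Assumption: the tt-rss project directory is "ttrss-docker", so compose names
# its default network "ttrss-docker_default" and the web container
# "ttrss-docker-web-nginx-1" (service name "web-nginx" also resolves there).
version: '3'
services:
  nginx:
    image: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./conf.d:/etc/nginx/conf.d:ro       # read-only: the proxy only reads config
      - ./letsencrypt:/etc/letsencrypt:ro   # read-only: certs are renewed elsewhere
    networks:
      - default                 # this project's own network
      - ttrss-docker_default    # join the tt-rss project's network for DNS names

networks:
  ttrss-docker_default:
    external: true   # created by the tt-rss compose project; check: docker network ls

# conf.d/app.conf (assumed fragment) then addresses the container by name on
# the port it listens on inside the network (80), not the host-mapped 8280:
#
#   location /tt-rss/ {
#     proxy_set_header Host $host;
#     proxy_set_header X-Real-IP $remote_addr;
#     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#     proxy_set_header X-Forwarded-Proto $scheme;   # tells tt-rss the client used HTTPS
#     proxy_pass http://ttrss-docker-web-nginx-1:80/tt-rss/;
#   }
#
# With traffic flowing over the internal network, the tt-rss web port no longer
# needs to be reachable from outside the host at all.
```

nginx resolves the upstream name once when it starts, so bring the tt-rss project up before the proxy (or restart the proxy after it), otherwise nginx refuses to start because the host name cannot be found.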