It's not clear how to support HTTPS with this image.
Ideally one could provide something like PORT for the Apache server to listen on, plus KEY and CERT environment variables with the contents of the key and cert files.
I can try and make this work.
Also: I love this image. Thanks for making it so easy to use. I wrote a blog post about it here:
http://blog.fuzzy.io/2015/01/19/installing-wordpress-with-docker-and-fig/
@evanp this image doesn't configure its Apache to support HTTPS, so there would have to be a PR or a derived image that adds the appropriate Apache config and EXPOSE setting for 443.
If you're willing to do your HTTPS in another container, jwilder/nginx-proxy is a nice option that supports SSL configuration.
That's what I thought!
Do you think the PR should be for this repo or for docker-library/php?
I think it makes sense to do this in the php:*apache images myself, but @tianon and @yosifkit may think otherwise.
Looks like those images already have a Listen 443, but they don't a2enmod ssl or configure certificate or key paths.
In terms of implementation, it probably makes sense to follow the example set by the httpd image (cf. https://github.com/docker-library/docs/blob/master/httpd/content.md#sslhttps).
I'm actually personally pretty strongly -1 on SSL by default, and would
rather recommend people use a lightweight container in front of this one to
add that, but I run all my containers behind a single nginx.
SSL support in these one-off containers creates a configuration nightmare
though, IMO.
@tianon Are you using something like nginx-proxy or your own custom config?
I just use the official "nginx" image with a custom config that hooks to my
other containers via https://github.com/tianon/rawdns
IMHO, we should keep these images as simple as possible.
I see the purpose of these images to create the process as described in 12factor app.
As a consequence, the SSL part should be handled at another level.
You could base your image on this one and add an nginx or apache server in front that would consume this php (I don't recommend as you break the one process per container rule).
Or you could use a reverse proxy in front that would consume this container. This reverse proxy could be nginx or HAproxy (I personally use HAproxy). This reverse proxy would handle the SSL offloading part.
Let me know if you need more details. If not, please consider closing the issue for the sake of keeping this number as low as possible.
Thanks
I think it would be nice to have some kind of mention/documentation/resource on how to go about using HTTPS. This seems like a pretty good lead, but I'm not having much luck so far.
I managed to get HTTPS to work on the most basic of configs for the latest WordPress Docker image (4.5.7). I've documented it here:
https://peter.pudaite.net/2017/05/29/enabling-https-on-the-standard-wordpress-docker-image/
For future visitors, here's a Dockerfile showing what I did to enable HTTPS support using the ssl-cert package to install the self-signed certificates that Apache is configured to use by default.

```dockerfile
FROM wordpress:4.8.0-php7.1-apache
RUN apt-get update && \
    apt-get install -y --no-install-recommends ssl-cert && \
    rm -r /var/lib/apt/lists/* && \
    a2enmod ssl && \
    a2ensite default-ssl
EXPOSE 80
EXPOSE 443
```
@AlexanderOMara Brilliant - thank you!
Since I was already running a container using docker-compose, and didn't want to create a builder file, I did this:

1. expose port 443 by adding the following to your compose file:

   ```yaml
   ports:
     - "443:443"
   ```

2. restart your container (be sure your db and web files are on persistent storage!)

   ```bash
   docker-compose down
   docker-compose up -d
   ```

3. attach to the running container

   ```bash
   docker exec -t -i CONTAINER_ID /bin/bash
   ```

4. install ssl-cert (automatically installs self-signed cert)

   ```bash
   apt-get update && \
       apt-get install -y --no-install-recommends ssl-cert && \
       rm -r /var/lib/apt/lists/* && \
       a2enmod ssl && \
       a2ensite default-ssl
   ```

5. You may get a prompt about restarting apache before the new settings take effect.

   ```bash
   service apache2 reload
   ```

6. exit the container (won't kill your container): CTRL-P-Q

7. Access your https://example.com, adding an exception to your browser to ignore the prompt about untrusted CA
Just a (very) small detail: you can use only one line for EXPOSE, like:

```dockerfile
EXPOSE 80 443
```

_Note that after Docker 1.10, EXPOSE doesn't create a new layer, so the resulting image will be the same._
@AlexanderOMara - How do you use this with docker compose so that I can continue to use the ":latest" tag?
@poldim
I don't think you can do it without creating a Dockerfile, but you could create a build: section in your docker-compose.yml file that builds your Dockerfile (and adjust the FROM to use wordpress:latest). Something like this:
yourproject/docker-compose.yml:

```yaml
version: '3'
services:
  wordpress:
    build:
      context: wordpress
    ports:
      - '80:80'
      - '443:443'
    networks:
      - webnet
  mysql:
    image: mysql:5.7
    ports:
      - '3306:3306'
    networks:
      - webnet
networks:
  webnet:
```

yourproject/wordpress/Dockerfile:

```dockerfile
FROM wordpress:latest
RUN apt-get update && \
    apt-get install -y --no-install-recommends ssl-cert && \
    rm -r /var/lib/apt/lists/* && \
    a2enmod ssl && \
    a2ensite default-ssl
EXPOSE 80
EXPOSE 443
```
@AlexanderOMara Thanks for this. It enables SSL, even though I thought I had to do a 'service apache2 restart' after the 'a2enmod ssl' to get SSL enabled.
What else did you do (adding certs, modifying 000-default.conf to force https...)?
I'm not an Apache expert, just trying to get my local WordPress Bedrock running using SSL on Docker for Mac. However I'm sure there are a lot of people looking for complete off-the-shelf WordPress local HTTPS config documentation now that Let's Encrypt is available.
Perhaps it's time to move this thread to the forums?
For me for example, when I run docker-compose up, I get the warning:

```
AH01909: 172.18.0.3:443:0 server certificate does NOT include an ID which matches the server name
```

Then when I go to http://localhost:443/, I get the error:

```
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.10 (Debian) Server at 172.18.0.3 Port 443
```
@henscu I notice you're visiting http://localhost:443 — what happens if you try with https, i.e. https://localhost:443? (And you should be able to drop the 443 if you're specifying https)
Thanks @supervacuo. Yes, I tried that and many other minor permutations, but I ran into so many finicky problems like 'not being able to access /' and NET::ERR_CERT_AUTHORITY_INVALID etc that I'm going to reset my Docker setup back to the one described above and try again.
The problem for people like me (non hardcore dev) are the minor details in implementation explanations that are missing because they seem obvious to those who are writing them, but are very hard for me to get a clear answer/explanation from StackOverflow on... :)
@poldim
You write a custom bash script and tell docker-compose to run it on startup.
I've done it like this:
docker-compose.yml

```yaml
version: "2"
services:
  my-wpdb:
    image: mariadb
    volumes:
      - ./:/home
    ports:
      - "8081:3306"
    environment:
      MYSQL_ROOT_PASSWORD: xxxxxxx
  my-wp:
    image: wordpress
    volumes:
      - ./:/var/www/html
      - ./wp-init.sh:/usr/local/bin/apache2-custom.sh
      - ./apache2-vhosts.conf:/etc/apache2/sites-available/apache2-vhosts.conf
    ports:
      - "80:80"
      - "443:443"
    links:
      - my-wpdb:mysql
    environment:
      WORDPRESS_DB_PASSWORD: xxxxxxx
    command: "bash -c apache2-custom.sh"
```

wp-init.sh

```bash
#!/usr/bin/env bash
# as you can see I combined the SSL stuff from @AlexanderOMara
# with enabling my own custom vhosts.conf
# so I can edit that outside the container
apt-get update
apt-get install -y --no-install-recommends ssl-cert
rm -r /var/lib/apt/lists/*
a2enmod ssl
a2dissite 000-default.conf
a2ensite apache2-vhosts.conf
# finally execute default command
docker-entrypoint.sh apache2-foreground
```
Works like a charm.
FYI, service apache2 reload will do nothing since there is no init system running in the container (like systemd or upstart). Apache2 server does not even start until the end of docker-entrypoint.sh and the process is started directly (i.e., no init system is involved).
I would also recommend against doing apt-get -y upgrade in a container: https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#run.
@yosifkit Touché. I wasn't aware of the latter though, thanks for that insight. Not sure though where in the process that was introduced in my snippet (probably the result of a lot of copy and pasting), because you would reckon apt-get update would be enough.
Anyway I updated my snippet.
Are there any updates to this thread since we are in version 3.3?
As is discussed at length in this thread, we cannot reasonably enable SSL in this image by default. Doing so with a simple reverse proxy is simpler, more reliable, and more flexible, but even doing so by adjusting the embedded Apache configuration is not terribly difficult (and one has to provide certificates in either case, so changing some configuration should be done in a similar manner).
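Since certificates have to be provided either way, here is an added example (not code from this thread or from the image) that generates a self-signed certificate whose subjectAltName matches the host name you browse to, which is the mismatch Apache reports as AH01909 above, and checks the certificate and key before they are mounted. The function names, file names and 30-day lifetime are assumptions; it needs the `openssl` CLI.

```shell
#!/bin/sh
# Added example: helper names and file layout are assumptions, not part of the image.

# make_cert <hostname> <outdir>: self-signed cert with a SAN for <hostname>.
make_cert() {
  host=$1; dir=$2
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
EOF
  # umask keeps the private key unreadable by other users from the moment it is written.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -config "$dir/req.cnf" \
      -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# cert_matches_host <cert> <hostname>: succeeds only if the cert covers <hostname>.
# openssl prints "does match" or "does NOT match"; its exit code is not a verdict.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
    grep -q 'does match certificate'
}

# key_matches_cert <cert> <key>: succeeds only if both carry the same public key,
# i.e. the pair can actually be served together.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$c" = "$k" ]
}

# Typical use before starting the container:
#   mkdir -p certs && make_cert localhost certs
#   cert_matches_host certs/server.crt localhost && \
#     key_matches_cert certs/server.crt certs/server.key && echo "pair OK"
```

A certificate made this way is still self-signed, so browsers keep reporting an untrusted authority until it is trusted locally or replaced by one from a CA.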