Skip to main content

Docker automatic HTTPS configuration

danger

If you are changing your domain from HTTP to HTTPS, you will unlink the browser extension of all the users. Before changing the domain, you must ensure that all the users have a copy of their private key to recover their account.

Pro tips: In order to download their recovery kit, users can follow this dedicated guide

important

This tutorial assumes your machine has a valid domain name assigned in order to work with Let’s Encrypt.

Requirements

Add traefik service to handle https

If you have followed our installation documentation, you should have defined db and passbolt services for your passbolt stack.

To handle HTTPS setup with Let’s Encrypt, add a traefik service as follow:

version: '3.7'
services:
db:
...
passbolt:
...
traefik:
image: traefik:2.6
restart: always
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yaml:/traefik.yaml:ro
- ./conf/:/etc/traefik/conf
- ./shared/:/shared

Traefik will:

  • act as a proxy in front of passbolt service, that’s why we defined ports 80 and 443.
  • handle Let’s Encrypt certificates renew.

Configuration files

Create a traefik.yaml configuration file with this content (replace [email protected] with your email for Let’s Encrypt):

global:
sendAnonymousUsage: false
log:
level: INFO
format: common
providers:
docker:
endpoint: 'unix:///var/run/docker.sock'
watch: true
exposedByDefault: true
swarmMode: false
file:
directory: /etc/traefik/conf/
watch: true
api:
dashboard: false
debug: false
insecure: false
entryPoints:
web:
address: ':80'
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: ':443'
certificatesResolvers:
letsencrypt:
acme:
email: [email protected]
storage: /shared/acme.json
caServer: 'https://acme-v02.api.letsencrypt.org/directory'
keyType: EC256
httpChallenge:
entryPoint: web
tlsChallenge: {}

Create a conf folder:

mkdir conf

In the conf folder, create 2 files:

conf/headers.yaml:

http:
middlewares:
SslHeader:
headers:
FrameDeny: true
AccessControlAllowMethods: 'GET,OPTIONS,PUT'
AccessControlAllowOriginList:
- origin-list-or-null
AccessControlMaxAge: 100
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
CustomFrameOptionsValue: SAMEORIGIN
ReferrerPolicy: same-origin
PermissionsPolicy: vibrate 'self'
STSSeconds: 315360000

conf/tls.yaml:

tls:
options:
default:
minVersion: VersionTLS12
sniStrict: true
curvePreferences:
- CurveP521
- CurveP384
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

traefik.yaml, conf/headers.yaml and conf/tls.yaml will be mounted inside traefik container.

Handle passbolt with Traefik

To make Traefik redirect incoming requests to passbolt, edit the passbolt service as follow:

Step 1. As traefik will handle the HTTPS connection, remove the ports definition for the passbolt service

Step 2. Add docker labels to make Traefik aware of the passbolt service

version: '3.7'
services:
db:
...
passbolt:
...
labels:
traefik.enable: "true"
traefik.http.routers.passbolt-http.entrypoints: "web"
traefik.http.routers.passbolt-http.rule: "Host(`passbolt.domain.tld`)"
traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
traefik.http.routers.passbolt-https.entrypoints: "websecure"
traefik.http.routers.passbolt-https.rule: "Host(`passbolt.domain.tld`)"
traefik.http.routers.passbolt-https.tls: "true"
traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
traefik:
...
important

Ensure you have correctly set your domain name (replace passbolt.domain.tld with your own in the example above).

Non-root images

If you are using non-root images, add loadbalancer.server.port label to make traefik aware of the to be used port for passbolt service:

version: '3.7'
services:
db:
...
passbolt:
...
labels:
...
traefik.http.services.passbolt-https.loadbalancer.server.port: 8080

That’s it

Launch docker-compose up -d and you should be able to reach passbolt with HTTPS and a Let’s Encrypt certificate. The renewal of the certificate will be handled automatically by Traefik daemon.