Support HTTPS about wordpress HOT 23 CLOSED

docker-library avatar docker-library commented on June 29, 2024 1
Support HTTPS

from wordpress.

Comments (23)

AlexanderOMara avatar AlexanderOMara commented on June 29, 2024 21

For future visitors, here's a Dockerfile showing what I did to enable HTTPS support using the ssl-cert package to install the self-signed certificates that Apache is configured to use by default.

FROM wordpress:4.8.0-php7.1-apache

RUN apt-get update && \
	apt-get install -y  --no-install-recommends ssl-cert && \
	rm -r /var/lib/apt/lists/* && \
	a2enmod ssl && \
	a2ensite default-ssl

EXPOSE 80
EXPOSE 443

from wordpress.

evanp avatar evanp commented on June 29, 2024 13

Also: I love this image. Thanks for making it so easy to use. I wrote a blog post about it here:

http://blog.fuzzy.io/2015/01/19/installing-wordpress-with-docker-and-fig/

from wordpress.

 avatar commented on June 29, 2024 9

@poldim
You write a custom bash script and tell docker-compose to run it on startup.

I've done it like this:
docker-compose.yml

version: "2"
services:
  my-wpdb:
    image: mariadb
    volumes:
      - ./:/home
    ports:
      - "8081:3306"
    environment:
      MYSQL_ROOT_PASSWORD: xxxxxxx
  my-wp:
    image: wordpress
    volumes:
      - ./:/var/www/html
      - ./wp-init.sh:/usr/local/bin/apache2-custom.sh
      - ./apache2-vhosts.conf:/etc/apache2/sites-available/apache2-vhosts.conf
    ports:
      - "80:80"
      - "443:443"
    links:
      - my-wpdb:mysql
    environment:
      WORDPRESS_DB_PASSWORD: xxxxxxx
    command: "bash -c apache2-custom.sh"

wp-init.sh

#!/usr/bin/env bash

# as you can see I combined the SSL stuff from @AlexanderOMara 
# with enabling my own custom vhosts.conf 
# so I can edit that outside the container
apt-get update
apt-get install -y  --no-install-recommends ssl-cert
rm -r /var/lib/apt/lists/*

a2enmod ssl
a2dissite 000-default.conf
a2ensite apache2-vhosts.conf

# finally hand over to the image's default command; exec lets Apache
# receive the container's stop signals directly
exec docker-entrypoint.sh apache2-foreground

Works like a charm.

from wordpress.

AlexanderOMara avatar AlexanderOMara commented on June 29, 2024 8

@poldim

I don't think you can do it without creating a Dockerfile, but you could create a build: section in your docker-compose.yml file that builds your Dockerfile (and adjust the FROM to use wordpress:latest). Something like this:

yourproject/docker-compose.yml :

version: '3'

services:

  wordpress:
    build:
      context: wordpress
    ports:
      - '80:80'
      - '443:443'
    networks:
      - webnet

  mysql:
    image: mysql:5.7
    ports:
      - '3306:3306'
    networks:
      - webnet

networks:
  webnet:

yourproject/wordpress/Dockerfile :

FROM wordpress:latest

RUN apt-get update && \
	apt-get install -y  --no-install-recommends ssl-cert && \
	rm -r /var/lib/apt/lists/* && \
	a2enmod ssl && \
	a2ensite default-ssl

EXPOSE 80
EXPOSE 443

from wordpress.

chriscoyier avatar chriscoyier commented on June 29, 2024 7

I think it would be nice to have some kind of mention/documentation/resource on how to go about using HTTPS. This seems like a pretty good lead, but I'm not having much luck so far.

from wordpress.

ajdruff avatar ajdruff commented on June 29, 2024 7

@AlexanderOMara Brilliant - thank you!

Since I was already running a container using docker-compose, and didn't want to create a builder file, I did this :

  1. expose port 443 by adding the following to your compose file:

      ports:
        - "443:443"       
    
  2. restart your container (be sure your db and web files are on persistent storage!)

     docker-compose down
     docker-compose up -d
    
  3. attach to the running container

       docker exec -t -i CONTAINER_ID /bin/bash
    
  4. install ssl-cert ( automatically installs self-signed cert)

     apt-get update && \
         apt-get install -y  --no-install-recommends ssl-cert && \
         rm -r /var/lib/apt/lists/* && \
         a2enmod ssl && \
         a2ensite default-ssl
    

You may get a prompt about restarting apache before the new settings take effect.

     service apache2 reload

  5. exit the container (won't kill your container)

     CTRL-P-Q

  6. Access your https://example.com , adding an exception to your browser to ignore the prompt about untrusted CA

from wordpress.

yosifkit avatar yosifkit commented on June 29, 2024 3

FYI, service apache2 reload will do nothing since there is no init system running in the container (like systemd or upstart). Apache2 server does not even start until the end of docker-entrypoint.sh and the process is started directly (ie, no init system is involved).

I would also recommend against doing apt-get -y upgrade in a container: https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#run.

from wordpress.

redbullpeter avatar redbullpeter commented on June 29, 2024 2

I managed to get HTTPS to work on the most basic of configs for the latest WordPress Docker image (4.5.7). I've documented it here:

https://peter.pudaite.net/2017/05/29/enabling-https-on-the-standard-wordpress-docker-image/

from wordpress.

henscu avatar henscu commented on June 29, 2024 1

@AlexanderOMara Thanks for this. It enables SSL, even though I thought I had to do a 'service apache2 restart' after the 'a2enmod ssl' to get SSL enabled.

What else did you do (adding certs, modifying 000-default.conf to force https...)?

I'm not an Apache expert, just trying to get my local WordPress Bedrock running using SSL on Docker for Mac. However I'm sure there are a lot of people looking for a complete off-the-shelf WordPress local HTTPS config documentation now that Let's Encrypt is available.

Perhaps it's time to move this thread to the forums?

For me for example, when I run docker-compose up, I get the warning:

    AH01909: 172.18.0.3:443:0 server certificate does NOT include an ID which matches the server name

Then when I go to http://localhost:443/, I get the error:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.10 (Debian) Server at 172.18.0.3 Port 443

from wordpress.
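
A pre-flight check for two things that surface in the comments above, as an added example that is not part of the thread or of the docker-library image: the default-ssl site points at the ssl-cert "snakeoil" pair, whose private key is generated when the package is installed (so a Dockerfile RUN bakes one key into the image), and the AH01909 warning shows a vhost whose name is only the container address. The sample vhosts, the /run/secrets paths and blog.example.test are constructed.

```shell
# Added example, not from the thread: lint an Apache TLS vhost before start-up.
# Print the first argument of directive $1 in file $2 (case-insensitive name).
directive() {
    awk -v want="$1" '$1 ~ /^#/ { next }
        tolower($1) == tolower(want) { print $2; exit }' "$2"
}

# Print one finding per line; no output means the vhost passed.
lint_tls_vhost() {
    conf=$1
    cert=$(directive SSLCertificateFile "$conf")
    key=$(directive SSLCertificateKeyFile "$conf")
    case "$(directive SSLEngine "$conf")" in [Oo][Nn]) ;; *) echo "SSLEngine is not on" ;; esac
    [ -n "$(directive ServerName "$conf")" ] ||
        echo "no ServerName: certificate has no fixed name to match (AH01909)"
    { [ -n "$cert" ] && [ -n "$key" ]; } ||
        echo "SSLCertificateFile or SSLCertificateKeyFile is missing"
    case "$cert $key" in *ssl-cert-snakeoil*)
        echo "snakeoil pair: key made at package install; a Dockerfile RUN bakes it into the image" ;; esac
    return 0
}

# Constructed sample: the TLS directives of Debian's default-ssl site.
sample_default_ssl() {
    printf '%s\n' '<VirtualHost _default_:443>' \
        '    SSLEngine on' \
        '    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem' \
        '    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key' \
        '</VirtualHost>'
}

# Constructed sample: hypothetical vhost whose key pair is mounted at run time.
sample_mounted_cert() {
    printf '%s\n' '<VirtualHost *:443>' \
        '    ServerName blog.example.test' \
        '    SSLEngine on' \
        '    SSLCertificateFile /run/secrets/tls.crt' \
        '    SSLCertificateKeyFile /run/secrets/tls.key' \
        '</VirtualHost>'
}

tmp=$(mktemp -d)
sample_default_ssl > "$tmp/default-ssl.conf"
sample_mounted_cert > "$tmp/mounted.conf"
echo "default-ssl:";  lint_tls_vhost "$tmp/default-ssl.conf"
echo "mounted cert:"; lint_tls_vhost "$tmp/mounted.conf"
rm -r "$tmp"
```

Called from a start-up script such as the wp-init.sh above, a non-empty result can be used to stop before Apache is launched.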

md5 avatar md5 commented on June 29, 2024

@evanp this image doesn't configure its Apache to support HTTPS, so there would have to be a PR or a derived image that adds the appropriate Apache config and EXPOSE setting for 443.

If you're willing to do your HTTPS in another container, jwilder/nginx-proxy is a nice option that supports SSL configuration.

from wordpress.

evanp avatar evanp commented on June 29, 2024

That's what I thought!

Do you think the PR should be for this repo or for docker-library/php?

from wordpress.

md5 avatar md5 commented on June 29, 2024

I think it makes sense to do this in the php:*apache images myself, but @tianon and @yosifkit may think otherwise.

Looks like those images already have a Listen 443, but they don't a2enmod ssl or configure certificate or key paths.

In terms of implementation, it probably makes sense to follow the example set by the httpd image (cf. https://github.com/docker-library/docs/blob/master/httpd/content.md#sslhttps).

from wordpress.

tianon avatar tianon commented on June 29, 2024

I'm actually personally pretty strongly -1 on SSL by default, and would
rather recommend people use a lightweight container in front of this one to
add that, but I run all my containers behind a single nginx.

SSL support in these one-off containers creates a configuration nightmare
though, IMO.

from wordpress.

md5 avatar md5 commented on June 29, 2024

@tianon Are you using something like nginx-proxy or your own custom config?

from wordpress.

tianon avatar tianon commented on June 29, 2024

I just use the official "nginx" image with a custom config that hooks to my
other containers via https://github.com/tianon/rawdns

from wordpress.

pierreozoux avatar pierreozoux commented on June 29, 2024

IMHO, we should keep these images as simple as possible.

I see the purpose of these images to create the process as described in 12factor app.

As a consequence, the SSL part should be handled at another level.

You could base your image on this one and add an nginx or apache server in front that would consume this php (I don't recommend as you break the one process per container rule).

Or you could use a reverse proxy in front that would consume this container. This reverse proxy could be nginx or HAproxy (I personally use HAproxy). This reverse-proxy would handle the SSL offloading part.

Let me know if you need more details. If not, please consider closing the issue for the sake of keeping this number as low as possible.

Thanks

from wordpress.

Erdou avatar Erdou commented on June 29, 2024

Just a (very) small detail: you can use only one line for EXPOSE, like:
EXPOSE 80 443

Note that after Docker 1.10, EXPOSE doesn't create a new layer, so the resulting image will be the same.

from wordpress.

poldim avatar poldim commented on June 29, 2024

@AlexanderOMara - How do you use this with docker compose so that I can continue to use the ":latest" tag?

from wordpress.

supervacuo avatar supervacuo commented on June 29, 2024

Then when I go to http://localhost:443/, I get the error:

@henscu I notice you're visiting http://localhost:443 — what happens if you try with https, i.e. https://localhost:443? (And you should be able to drop the 443 if you're specifying https)

from wordpress.

henscu avatar henscu commented on June 29, 2024

Thanks @supervacuo. Yes, I tried that and many other minor permutations, but I ran into so many finicky problems like 'not being able to access /' and NET::ERR_CERT_AUTHORITY_INVALID etc that I'm going to reset my Docker setup back to the one described above and try again.

The problem for people like me (non hardcore dev) are the minor details in implementation explanations that are missing because they seem obvious to those who are writing them, but are very hard for me to get a clear answer/explanation from StackOverflow on... :)

from wordpress.

 avatar commented on June 29, 2024

@yosifkit Touché. I wasn't aware of the latter though, thanks for that insight. Not sure though where in the process that was introduced in my snippet (probably the result of a lot of copy and pasting), because you would reckon apt-get update would be enough.

Anyway I updated my snippet.

from wordpress.

stanleyshly avatar stanleyshly commented on June 29, 2024

Are there any updates to this thread since we are in version 3.3?

from wordpress.

tianon avatar tianon commented on June 29, 2024

As is discussed at length in this thread, we cannot reasonably enable SSL in this image by default. Doing so with a simple reverse proxy is simpler, more reliable, and more flexible, but even doing so by adjusting the embedded Apache configuration is not terribly difficult (and one has to provide certificates in either case, so changing some configuration should be done in a similar manner).

from wordpress.
