
Comments (2)

mriedmann commented on September 16, 2024

Hello Michael!

When it comes to containers I see them a bit like UNIX tools. They should do one thing and one thing only but be easy to combine and integrate with other containers. In this project, I violated this principle quite a bit by using an nginx+fpm stack rather than an apache+mod_php or even php-only (like appserver-io) approach. From a current point of view, I would not build this container like it was built a second time. Nevertheless, simply to avoid problems, I will stick to the current solution holding the complexity at a minimal level.

Back to your request: I think that handling "edge" SSL should not be part of any application container. Following this philosophy, I will not integrate LetsEncrypt support directly into this project. If you want to use SSL (which you totally should) I would suggest you use a reverse proxy like Traefik (got built-in LE compatibility), Nginx (certbot nginx plugin available) or HAProxy (special config). If you do not mind using a 3rd party service for your SSL offloading you could use Cloudflare's free SSL service. Keep in mind that this enables these companies to inspect all your user-traffic, so please think twice before using their services.

Another thing would be an "SSL everywhere" approach so you would have to use encryption even between the edge-proxy and your service. In this case, I totally understand the need to set an SSL certificate inside the container. This should be handled via mounts and a special switch to create the needed nginx config directives. It would not include a full ACME client integration (like certbot for LE) but only the bare minimum to use own certs to avoid unencrypted HTTP traffic. If you are facing this kind of use case I would be happy to help to integrate this.

I hope that this was the kind of answer you are looking for. If not, please elaborate on your scenario a bit more. Maybe there is a reason to integrate LE after all.

Cheers Michael

from humhub-docker.

michaelrall commented on September 16, 2024

Hi Michael,

thanks for your in-depth and true answer. After thinking again (I'm still a starter concerning docker), I think the best would be to just create another nginx container that does the SSL-Stuff and proxies to the humhub container and use this container as "frontdoor".

I'll close the issue.

Cheers Michael

from humhub-docker.
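Added example, not part of the original thread or of the humhub-docker project: a minimal nginx configuration for the separate "front door" container discussed above, terminating TLS and proxying to the application container. The upstream name `humhub`, its port 80, the hostname `social.example.org` and the certificate paths are assumptions for illustration.

```nginx
# Constructed example: TLS-terminating reverse proxy in its own container.
# Assumptions: the HumHub container is reachable as "humhub" on port 80 over a
# private Docker network, and certificate files are mounted read-only at
# /etc/nginx/certs/. Only this proxy publishes ports to the host; the
# application container publishes none.

server {
    listen 80;
    server_name social.example.org;

    # Send every plain-HTTP request to the HTTPS listener.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name social.example.org;

    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;

    # Tell browsers to use HTTPS only for this host from now on.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # This hop is unencrypted HTTP inside the Docker network. The
        # "SSL everywhere" variant from the first comment would need a
        # certificate inside the application container and https:// here.
        proxy_pass http://humhub:80;

        # Pass the original host, client address and scheme to the
        # application so generated URLs and logs stay correct.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the forwarded headers are only trustworthy when every request arrives through the proxy, keep the application container off any published host port so clients cannot reach it directly and supply their own `X-Forwarded-*` values.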
