
How to set up SSL for Apache2 in a Docker container

TLDR

You can't, unless you run the container as root, which you should not do. That's why you're having so much trouble finding a working example with a non-root user (even the official docs example doesn't set a user...which means the container is running as root).

Why?

SSL certificates are owned by root. For security reasons, Docker containers should be run as a non-root (unprivileged) user. This means that your Apache container cannot access SSL certificates. At least, not unless you run the container as root, or change ownership of the files to grant your webserver access, both of which are bad ideas.

The solution

Install NGINX as a reverse proxy on the host machine, and terminate your SSL connections there. So NGINX sits in front of your containers, handling the SSL connections to clients and forwarding requests to your Apache container on the back end.

I know, I know, you didn't want more complexity. But setting up NGINX to reverse proxy SSL is relatively simple, and using this approach has the following advantages:

  • SSL certificate ownership is safely retained by root.
  • Docker containers can be safely run as non-root users.
  • The NGINX reverse proxy also adds a lot of flexibility to your setup, since it allows you to pass requests back to anything, so you can run containerised Golang apps or anything else.
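A minimal host-side NGINX configuration for the setup described above. This is an added example, not taken from the original page or from the Tuskfish project; the hostname example.com, the certificate paths and the backend address 127.0.0.1:8080 are placeholder assumptions.

```nginx
# Constructed example: example.com, the certificate paths and the backend
# address 127.0.0.1:8080 are placeholders, not values from the original page.

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# Terminate TLS on the host and forward requests to the Apache container.
server {
    listen 443 ssl;
    server_name example.com;

    # Certificate and private key stay on the host, readable by root only.
    # They are never mounted into the container.
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Assumption: the non-root Apache container listens on an unprivileged
        # port that is published on loopback only, so the plain-HTTP backend
        # is not reachable from outside the host.
        proxy_pass http://127.0.0.1:8080;

        # Pass the public hostname and client details through to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After editing, `nginx -t` checks the configuration syntax before you reload the service.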

But a couple of configuration changes are required in Tuskfish2

If you are using NGINX as a reverse proxy to terminate SSL in front of Tuskfish, there are a couple of code configurations to make:

1. Lock the protocol to https: in index.php (otherwise the routing won't work):

Uncomment this line:

$url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];

Comment out the next two lines:

//$url = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http")
// . "://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];

2. Lock the secure cookie flag to true in: trust_path/libraries/tuskfish/class/Tfish/Session.php

Comment out this line:

// $secure = isset($_SERVER['HTTPS']);

Uncomment the next line:

$secure = true;
