
External Port

Iva edited this page Aug 23, 2024 · 3 revisions
  • Configuration Refinement (External Port)

    • Change the docker-compose.yml file so that only the NGINX container publishes a port to the host, and only port 443. The wordpress and mariadb services keep no ports entry, so they remain reachable only from the other containers on the Compose network, as shown below:

      version: "3.8"
      
      services:
        nginx:
          build: requirements/nginx/.
          container_name: nginx
          ports:
            - "443:443"
          volumes:
            - .web:/var/www/html
        wordpress:
          build: requirements/wordpress/.
          container_name: wordpress
          volumes:
            - .web:/var/www/html
        mariadb:
          build: requirements/mariadb/.
          container_name: mariadb

      👉🏼 Port 443 is the standard port for https:// connections. Unlike plain http:// on port 80, an HTTPS server has to present an SSL/TLS certificate during the handshake before any HTTP request is served. A self-signed certificate is enough to bring the encrypted connection up, but clients will treat it as untrusted until a certificate issued by a CA they trust replaces it.

    • In the Dockerfile for the NGINX container, install openssl, add a command that creates the directory /etc/nginx/certs for the certificate files, and add a command that generates a self-signed SSL/TLS certificate and private key with openssl. A self-signed certificate is sufficient for a test environment. The result is shown below:

      FROM debian:bullseye
      # apt-get rather than apt: apt warns that its command line is not stable for scripted use
      RUN apt-get update && apt-get upgrade -y && apt-get install -y nginx openssl
      RUN mkdir -p /etc/nginx/certs #Added line
      # 2048-bit RSA key written unencrypted (-nodes) so NGINX can start without a passphrase
      # prompt; -x509 makes the output a self-signed certificate instead of a signing request
      RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout /etc/nginx/certs/nginx-selfsigned.key \
            -out /etc/nginx/certs/nginx-selfsigned.crt \
            -subj "/C=BR/ST=Pernambuco/L=Recife/O=42Porto/OU=Cadet/CN=ivbatist.42.fr" #Added line
      COPY conf/nginx.conf /etc/nginx/sites-available/default
      ENTRYPOINT ["nginx", "-g", "daemon off;"]

      👉🏼 openssl writes the two files with the build's default umask, which usually leaves the private key readable by every user in the image. NGINX does not need that: the master process runs as root and loads the key before it spawns the unprivileged worker processes. Restrict the key to its owner and leave only the certificate world-readable by adding the command below:

      RUN chmod 600 /etc/nginx/certs/nginx-selfsigned.key && chmod 644 /etc/nginx/certs/nginx-selfsigned.crt

      👉🏼 There is no standard location for the certificate files, but /etc/nginx/certs or /etc/nginx/ssl are the conventional choices. Whichever you pick, the ssl_certificate and ssl_certificate_key directives in nginx.conf must point to it.

      👉🏼 The values passed in -subj (country, state, CN and so on) are hard-coded here and should later come from environment variables or build arguments, so that the CN matches the domain the server is actually reached by. A CN that differs from the host name in the URL is a second warning clients raise on top of the untrusted issuer.

    • In the nginx.conf configuration file for the NGINX server, change where NGINX listens from port 80 to port 443 with the ssl parameter, point ssl_certificate and ssl_certificate_key at the generated files (this is what the server presents to clients; with listen ... ssl and no certificate defined, NGINX refuses to start), and restrict the protocol versions that can be negotiated to TLSv1.2 and TLSv1.3:

      server {
          #listen 80 default_server; #Commented line
          #listen [::]:80 default_server; #Commented line
        
          #Added lines below
          listen 443 ssl default_server;
          listen [::]:443 ssl default_server;
        
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_certificate /etc/nginx/certs/nginx-selfsigned.crt;
          ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;
          [...]
      }

      👉🏼 At this stage, you can test port 443 by rebuilding the images and starting all the containers, then entering the URL https://localhost in the browser and confirming that the page still appears. Expect a certificate warning: the certificate is self-signed, so no browser trusts its issuer, and its CN (ivbatist.42.fr) does not match localhost. Accepting the warning is fine for testing; the warning itself does not mean the configuration is wrong.

      👉🏼 At this stage, you can also test the SSL/TLS connection on port 443 with the commands below:

      • docker exec -it nginx nginx -s reload or docker-compose restart nginx: reloads or restarts the NGINX service to apply changes made to the configuration inside the running container. Because nginx.conf is copied into the image at build time (the COPY line in the Dockerfile), changes made to conf/nginx.conf on the host only take effect after a rebuild, for example docker-compose up -d --build nginx.
      • openssl s_client -connect localhost:443 or openssl s_client -connect <your_domain>:443: performs a TLS handshake and prints the certificate presented by the server, the negotiated protocol version and the cipher. The command displays a lot of information. Look for the lines below, in the SSL-Session block, to see the connection details:
        Protocol : TLSv1.3
        Cipher : TLS_AES_256_GCM_SHA384
        Also check the Verify return code line: 18 (self-signed certificate) is the expected result with the certificate generated above, and it is the same condition the browser warns about. To confirm that the ssl_protocols restriction works, add -tls1_1 to the command: the handshake must fail, and the SSL-Session block then shows Cipher : 0000 instead of a real cipher.
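
      A script that automates the checks above, added here as an example (it is not part of the Inception project or of this wiki page): it probes the published port once per TLS version, confirms that the ssl_protocols restriction rejects TLSv1.0 and TLSv1.1 and accepts TLSv1.2 and TLSv1.3, and extracts the certificate subject and the verify return code. It assumes openssl is installed on the host running it, that the container publishes 443 on localhost (override with the HOST environment variable), and it sends the page's CN, ivbatist.42.fr, as SNI by default (override with SNI). The function names and OK/FAIL messages are the example's own.

```shell
#!/bin/sh
# tls_check.sh: probe the NGINX container configured above and confirm it behaves as
# intended: only TLSv1.2 and TLSv1.3 are accepted, and the certificate it presents is
# the expected one. Added example, not part of the Inception project or this wiki.
# Assumptions: openssl is installed on the host, the container publishes 443 on HOST
# (default localhost), SNI defaults to the CN used on this page.

HOST="${HOST:-localhost}"
SNI="${SNI:-ivbatist.42.fr}"

# One handshake against HOST:PORT forcing a single protocol version (-tls1, -tls1_1,
# -tls1_2 or -tls1_3). stdin is /dev/null so s_client exits right after the handshake.
probe() { # probe PORT PROTOCOL_FLAG -> raw s_client output on stdout
    openssl s_client -connect "$HOST:$1" -servername "$SNI" "$2" </dev/null 2>&1
}

# The three parsers read s_client output on stdin and pick out the fields the page
# tells you to look for in the "SSL-Session:" block.
negotiated_protocol() { sed -n 's/^ *Protocol *: *//p' | head -n 1; }
negotiated_cipher()   { sed -n 's/^ *Cipher *: *//p'   | head -n 1; }
verify_code()         { sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1; }

# A completed handshake always records a real cipher. A refused version shows
# "Cipher    : 0000" (and "New, (NONE), Cipher is (NONE)"), and a connection that never
# reached TLS has no session block at all; both count as rejected.
handshake_ok() { # reads s_client output on stdin; exit 0 only for a completed handshake
    cipher=$(negotiated_cipher)
    [ -n "$cipher" ] && [ "$cipher" != "0000" ]
}

main() {
    # Versions that ssl_protocols excludes must be refused by the server.
    for flag in -tls1 -tls1_1; do
        if probe 443 "$flag" | handshake_ok; then
            echo "FAIL: $flag accepted; ssl_protocols should list only TLSv1.2 TLSv1.3"
        else
            echo "OK:   $flag rejected"
        fi
    done
    # Versions that ssl_protocols allows must complete, with the cipher reported.
    for flag in -tls1_2 -tls1_3; do
        out=$(probe 443 "$flag")
        if printf '%s\n' "$out" | handshake_ok; then
            echo "OK:   $flag negotiated $(printf '%s\n' "$out" | negotiated_cipher)"
        else
            echo "FAIL: $flag rejected (expected to be allowed)"
        fi
    done
    # Certificate details: x509 reads the PEM block s_client prints. Verify return code 18
    # means self-signed, which is expected for the certificate built in the Dockerfile.
    out=$(probe 443 -tls1_3)
    printf '%s\n' "$out" | openssl x509 -noout -subject -enddate
    echo "verify return code: $(printf '%s\n' "$out" | verify_code) (18 = self-signed)"
}

# Connect only when a host is given on the command line: `sh tls_check.sh localhost`.
if [ -n "${1:-}" ]; then
    HOST="$1"
    main
fi
```

      Note that a rejected handshake is reported whatever the cause: if the host's OpenSSL was built without TLSv1.0 support, the -tls1 probe fails on the client side before reaching the server, which still means that version cannot be used against it. A verify return code other than 18 after you switch to a CA-issued certificate tells you which part of the chain the client could not validate.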
