Allow SSL / HTTPS for your Discourse Docker setup

This guide is likely out of date as there are now very few reasons not to use the built-in Let’s Encrypt certificate that Just Works. See also:

2023-04-10 @pfaffman says: This is left here mostly for historical purposes.

So you’d like to enable SSL for your Docker-based Discourse setup? Let’s do it!

This guide assumes you used all the standard install defaults: a container configuration file at /var/discourse/containers/app.yml and Discourse Docker installed at /var/discourse

Buy an SSL Certificate

Go to Namecheap or some other SSL cert provider and purchase an SSL cert for your domain. Follow all the steps documented by them to generate a private key and CSR and finally get your cert. I used the Apache defaults, they will work fine.

Keep your private key and cert somewhere safe.

Place the Certificate and Key

Get a signed cert and key and place them in the /var/discourse/shared/standalone/ssl/ folder

Private key is:

/var/discourse/shared/standalone/ssl/ssl.key

Cert is:

/var/discourse/shared/standalone/ssl/ssl.crt

File names are critical. Do not stray from them, or your nginx template will not know where to find the cert.

Have a look at your app.yml configuration file to see where the shared folder is mounted.

volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared

In essence the files must be located at /shared/ssl/ssl.key and /shared/ssl/ssl.crt inside the container.

For all clients to find a path from your cert to a trusted root cert (i.e., so that your users do not get any warnings), you may need to concatenate the cert files from your provider like so:

cat "Your PositiveSSL Certificate" "Intermediate CA Certificate" "Intermediate CA Certificate" >> ssl.crt
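
A pre-flight check for the files placed above, as an added example that is not part of the original guide or of Discourse itself: it confirms that the first certificate in ssl.crt (the one nginx serves) belongs to ssl.key, which also catches a bundle concatenated in the wrong order. The function names and the SSL_DIR variable are assumptions made for this example, and it needs the openssl command on the host.

```shell
#!/bin/sh
# Added example: pre-flight check to run on the host before ./launcher rebuild app.
# SSL_DIR defaults to the host path used in this guide; function names are our own.
SSL_DIR="${SSL_DIR:-/var/discourse/shared/standalone/ssl}"

# Reads a PEM public key on stdin and prints the SHA-256 of its DER encoding.
pub_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when ssl.crt and ssl.key in directory $1 are usable together.
check_ssl_dir() {
    dir="${1:-$SSL_DIR}"
    crt="$dir/ssl.crt"
    key="$dir/ssl.key"

    # The nginx template looks for exactly these two file names.
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: missing or unreadable $f"; return 1; }
    done

    # Both files must parse, otherwise the hashes below would be meaningless.
    # "-passin pass:" makes a passphrase-protected key fail instead of prompting.
    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "FAIL: $crt is not a PEM certificate"; return 1; }
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null \
        || { echo "FAIL: $key is not an unencrypted private key"; return 1; }

    # openssl x509 reads only the first PEM block, which is the certificate nginx
    # presents as the server certificate. If an intermediate was concatenated
    # first, its public key will not match ssl.key and this check fails.
    crt_hash=$(openssl x509 -in "$crt" -noout -pubkey | pub_hash)
    key_hash=$(openssl pkey -in "$key" -passin pass: -pubout | pub_hash)
    [ "$crt_hash" = "$key_hash" ] \
        || { echo "FAIL: first certificate in ssl.crt does not match ssl.key"; return 1; }

    # Refuse a certificate that has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 1; }

    # Warnings only: a missing chain or a world-readable key deserves a second look.
    n=$(grep -c 'BEGIN CERTIFICATE' "$crt")
    [ "$n" -gt 1 ] || echo "WARN: ssl.crt holds one certificate, no intermediates"
    [ -z "$(find "$key" -perm -004)" ] || echo "WARN: $key is world-readable"

    echo "OK: $n certificate(s), first one matches ssl.key"
}
```

Source the file and run `check_ssl_dir` on the host before rebuilding; pass a directory as the first argument to check files kept elsewhere.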

Configure NGINX

Add a reference to the nginx ssl template from your app.yml configuration file:

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ssl.template.yml"

Configure your Docker Container

Tell your container to listen on SSL

expose:
  - "80:80"
  - "2222:22"
  - "443:443"

Bootstrap your Docker Container

Rebuild your app

./launcher rebuild app

Profit, you are done!

Troubleshooting

If anything goes wrong, be sure to read through the logs using:

./launcher logs app

How this works

The template used is vaguely based on @igrigorik’s recommended template with two missing bits:

  • I skipped OCSP stapling because it involves a slightly more complex setup
  • I had to skip the session tickets setting, which is not available until we use mainline

The image has rewrite rules that will redirect any requests on either port 80 or 443 to https://DISCOURSE_HOST_NAME, meaning that if you have a cert that covers multiple domains they can all go to a single one.

Customising this setup is very easy, see:

You can make a copy of that file and amend the template as needed.

The advantage of using templates and replace here is that we get to keep all the rest of the Discourse recommended NGINX setup, which changes over time.

Testing your config

See https://www.ssllabs.com/ssltest/ to make sure all is working correctly. It is possible for some browsers and OS combinations to be happy with partially configured https, so check it here first.
