SSL and proxy container

Hi,

I’m currently trying to build my own rancher-server container. I want to access the rancher web interface over HTTPS. Nodes and registries are in the same private network and so will communicate over HTTP.

This works when I install an Apache proxy directly on the host server, in which rancher/server is running. I just keep the rancher/server running over HTTP on port 8080, I simply redirect the proxy to this port. In this configuration, the rancher-server web interface is reachable through HTTPS from everywhere, and through HTTP on port 8080 but only on the local network.

What I would really prefer is installing the Apache SSL proxy directly in the rancher-server container (instead of having this proxy directly installed on the host server). For that I build a new image from the official rancher/server image. Here is my Dockerfile:

FROM rancher/server
MAINTAINER JayBee support@jaybee.com
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y apache2
RUN a2enmod headers && a2enmod filter && a2enmod proxy && a2enmod rewrite && a2enmod ssl && a2enmod socache_shmcb
ADD 000-default.conf /etc/apache2/sites-available/
ADD default-ssl.conf /etc/apache2/sites-available/
RUN mkdir /etc/apache2/cert && a2ensite default-ssl
ADD rancher.domain.crt /etc/apache2/cert/
ADD rancher.domain.key /etc/apache2/cert/
EXPOSE 443 8080 80
CMD /usr/sbin/apache2ctl -D FOREGROUND

Here is my Apache default-ssl.conf file:

<VirtualHost *:443>
    ServerName rancher.domain.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/cert/rancher.domain.crt
    SSLCertificateKeyFile /etc/apache2/cert/rancher.domain.key
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    CustomLog /var/log/apache2/discourse_apache_proxy_https_access.log combined
    ErrorLog /var/log/apache2/discourse_apache_proxy_https_error.log
</VirtualHost>

The 000-default.conf file is just a redirection to the HTTPS.
Otherwise, the website interface is accessible in the local network only, over HTTP on the classical port 8080.

Then, when the container is successfully built, tagged, and pushed, I run it with this command:
docker run -d --restart=always \
  -p 8080:8080 -p 443:443 -p 80:80 \
  -e CATTLE_DB_CATTLE_MYSQL_HOST=10.129.0.155 \
  -e CATTLE_DB_CATTLE_MYSQL_PORT=3306 \
  -e CATTLE_DB_CATTLE_MYSQL_NAME=cattle \
  -e CATTLE_DB_CATTLE_USERNAME=cattle \
  -e CATTLE_DB_CATTLE_PASSWORD=cattle \
  rancher.domain.com:5000/rancher-server:custom

Yes, I like complicated stuff: that’s why I use an external database!

So in this case, only the Apache server is working but the rancher web interface is not. When I remove the last line in the Dockerfile (CMD /usr/sbin/apache2ctl -D FOREGROUND), I only get the rancher/server working!

I have also posted it on the docker forum, because I don’t know whether the problem comes from docker or rancher.

So it seems that the problem comes from docker. In a Dockerfile, it is not possible to use the CMD several times. In that case the last CMD will override all the previous ones! And this is exactly what happened when I wrote CMD /usr/sbin/apache2ctl -D FOREGROUND: this command has overwritten the one from the base rancher/server container image!

So in my case, I can choose between having the Apache server on the host server OR on another server container.

Instead of creating too many topics, I have another question related to SSL.

For all the other containers (managed by rancher), how can I administrate and easily deploy containers accessible through HTTPS?

Can I use the rancher interface for that (I’ve seen that it is possible to manage certificates but only when a DNS service is used)?
Or should I use a dedicated Apache container per node with all the SSL configuration for each container?
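
The CMD override described in this thread can be caught before the image is built. The following is an added example, not code from any poster or from Rancher: a small Python linter, run on a constructed, shortened copy of the Dockerfile above, that flags a CMD replacing the one inherited from the base image and private-key files copied into an image layer. The rule names and key-filename patterns are assumptions of the example, and only shell-form instructions are parsed.

```python
import re

# Constructed sample: the Dockerfile from the post, shortened.
SAMPLE = """\
FROM rancher/server
RUN apt-get install -y apache2
ADD default-ssl.conf /etc/apache2/sites-available/
ADD rancher.domain.crt /etc/apache2/cert/
ADD rancher.domain.key /etc/apache2/cert/
EXPOSE 443 8080 80
CMD /usr/sbin/apache2ctl -D FOREGROUND
"""
# Filename patterns treated as private-key material (an assumption of this example).
KEY_HINT = re.compile(r"\.(key|p12|pfx)$|(^|/)id_(rsa|ed25519)$", re.I)

def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        word, _, args = (buf + line).partition(" ")
        yield start, word.upper(), args.strip()
        buf, start = "", None

def lint(text):
    """Return (line_no, rule, detail) findings for shell-form instructions."""
    findings, cmds, derived = [], [], False
    for no, ins, args in instructions(text):
        if ins == "FROM":  # new build stage: only the last stage's CMD counts
            base = next((a for a in args.split() if not a.startswith("--")), "")
            cmds, derived = [], base.lower() != "scratch"
        elif ins == "CMD":
            cmds.append((no, args))
        elif ins in ("ADD", "COPY"):
            for src in args.split()[:-1]:  # last token is the destination
                if KEY_HINT.search(src):
                    # The file lands in an image layer, readable by anyone who can pull it.
                    findings.append((no, "secret-in-layer", src))
    for no, args in cmds[:-1]:  # every CMD but the last is discarded
        findings.append((no, "cmd-ignored", args))
    if cmds and derived:  # the surviving CMD replaces the one set by the base image
        findings.append((cmds[-1][0], "cmd-replaces-base", cmds[-1][1]))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A `cmd-replaces-base` finding is a prompt to check what the base image was started with; a `secret-in-layer` finding is avoided by mounting the key into the container at run time instead of adding it to the image.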

Have you seen the documentation on how to run Rancher server with SSL? It basically recommends what was in your Docker topic where you can run a separate container running Apache.

http://docs.rancher.com/rancher/installing-rancher/installing-server/basic-ssl-config/

@denise @jaybee Are there any existing Rancher SSL proxy images out there with apache/nginx already?

Hello, you can use this website https://www.nicolashug.com/developpement/docker/deployer-rancher-ui-https-docker

Yes, so it confirms what I said: you can run the SSL proxy for the Rancher web interface directly on the host server (what I have tested) or on another container (your link)

If you search the keywords “ssl” and “rancher” on the docker hub, results seem to be images with only SSL on it.
But if someone has found some images with rancher and SSL proxy on it, I will be really interested to have some details about the Dockerfile!

Merci Edouard, but your tutorial (which is great) also confirms dedicating a proxy container for that. My question was to know if it is possible to have one container running Rancher and SSL proxy.

So thank you for all your answers and sorry if I was a little bit absent for a while :slight_smile:
Having two containers instead of one for the Rancher over SSL is not so crucial, because I will only have one Rancher web interface.
Let’s focus on the second question, which can be interesting if we have a lot of containers to manage…

Hello, you can use this website http://advanced.name. Maybe, it can help you.