Configuring SSL
SSL is disabled by default but can be turned on by setting SSL_MODE
:
off
(default): HTTP only.mixed
: HTTP and HTTPS.on
: HTTPS only. HTTP requests will be redirected to HTTPS.
Self-signed Certificate Example
If you set SSL_MODE
to mixed
or full
, a self-signed certificate will be generated by default.
Set SSL mode to "mixed" (HTTP + HTTPS)
version: '3'
services:
php:
image: serversideup/php:8.3-fpm-nginx
ports:
- 80:8080
- 443:8443
environment:
SSL_MODE: "mixed"
volumes:
- .:/var/www/html
The above will generate a self-signed certificate and configure NGINX to listen on both HTTP (Port 80) and HTTPS (Port 443).
Providing Your Own Certificate
In order to add your own certificate, you will need to mount the certificate files to the container. The following files are required:
Providing your own certificate pair
version: '3'
services:
php:
image: serversideup/php:8.3-fpm-nginx
ports:
- 80:8080
- 443:8443
environment:
SSL_MODE: "mixed"
SSL_PRIVATE_KEY_FILE: "/etc/ssl/private/test-key.pem"
SSL_CERTIFICATE_FILE: "/etc/ssl/private/test.pem"
volumes:
- ./app:/var/www/html
- ./certs/:/etc/ssl/private/
Ensure your private key file is set to the permissions 600
(read/write for owner only). If you don't set the permissions correctly, you will run into errors with loading an insecure private key file.
The above example provides the private and public key pair with SSL_PRIVATE_KEY_FILE
and SSL_CERTIFICATE_FILE
environment variables. The files are mounted to the container with the volumes
directive.
To give you a clearer picture of the project structure, this is what my folder looks like:
Providing your own certificate pair
.
├── app
│ └── public
│ └── index.php
├── certs
│ ├── test-key.pem
│ └── test.pem
└── docker-compose.yml
You can see the docker-compose.yml
file is in the parent directory. The app
directory is dedicated for all application files, where the certs
directory is dedicated for all SSL certificates.
The separation of these two directories is important. It would not be a good practice to mount your certificate files in the /var/www/html
directory on a production machine.
For a signed certificate, you must acquire one from a trusted certificate authority (like ssls.com).
Additional options for NGINX Unit
If you're using NGINX Unit, you also have the option of setting UNIT_CERTIFICATE_NAME
(default: self-signed-web-bundle
). This is the name of the certificate bundle that will be used by NGINX Unit. You can read more about this in the NGINX Unit documentation.
Using Let's Encrypt
If you'd like to use Let's Encrypt (what we use), it's best to use a reverse proxy like Traefik or Caddy.
Providing examples for those are out of the scope of this project, but we may consider adding examples in other projects in the future.