feat: Allow local certificates to be used by Caddy

Emanuele Panzeri 2021-01-13 12:17:48 +01:00 committed by Maxime Helias
parent a36ce26872
commit e67a28f630
4 changed files with 47 additions and 13 deletions


@ -33,8 +33,9 @@ A [Docker](https://www.docker.com/)-based installer and runtime for the [Symfony
3. [Support for extra services](docs/extra-services.md)
4. [Deploying in production](docs/production.md)
5. [Debugging with Xdebug](docs/xdebug.md)
6. [Using a Makefile](docs/makefile.md)
7. [Troubleshooting](docs/troubleshooting.md)
6. [TLS Certificates](docs/tls.md)
7. [Using a Makefile](docs/makefile.md)
8. [Troubleshooting](docs/troubleshooting.md)
## License


@ -5,6 +5,8 @@
{$SERVER_NAME}
{$CADDY_EXTRA_CONFIG}
log
route {
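Review bot: `{$CADDY_EXTRA_CONFIG}` is substituted verbatim into the site block between `{$SERVER_NAME}` and `log`, so whatever the variable holds is parsed as site-level directives, yet nothing in this hunk documents the expected shape or the default (empty). Suggest a one-line comment above the placeholder saying it must be empty or a valid site-level directive, and that a static `tls <cert> <key>` placed here (the use case in docs/tls.md) replaces Caddy's automatic certificate management for that site, so the file pair must cover every name in `{$SERVER_NAME}`.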

docs/tls.md Normal file

@ -0,0 +1,38 @@
# TLS Certificates
## Trusting the Authority
With a standard installation, the authority used to sign certificates generated in the Caddy container is not trusted by your local machine.
You must add the authority to the trust store of the host :
```
# Mac
$ docker cp $(docker compose ps -q caddy):/data/caddy/pki/authorities/local/root.crt /tmp/root.crt && sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/root.crt
# Linux
$ docker cp $(docker compose ps -q caddy):/data/caddy/pki/authorities/local/root.crt /usr/local/share/ca-certificates/root.crt && sudo update-ca-certificates
# Windows
$ docker compose cp caddy:/data/caddy/pki/authorities/local/root.crt %TEMP%/root.crt && certutil -addstore -f "ROOT" %TEMP%/root.crt
```
## Using Custom TLS Certificates
By default, Caddy will automatically generate TLS certificates using Let's Encrypt or ZeroSSL.
But sometimes you may prefer using custom certificates.
For instance, to use self-signed certificates created with [mkcert](https://github.com/FiloSottile/mkcert) do as follows:
1. Locally install `mkcert`
2. Create the folder storing the certs:
`mkdir docker/caddy/certs -p`
3. Generate the certificates for your local host (example: "server-name.localhost"):
`mkcert -cert-file docker/caddy/certs/tls.pem -key-file docker/caddy/certs/tls.key "server-name.localhost"`
4. Add these lines to the `./docker-compose.override.yml` file about `CADDY_EXTRA_CONFIG` environment and volume for the `caddy` service :
```diff
caddy:
+ environment:
+ CADDY_EXTRA_CONFIG: "tls /etc/caddy/certs/tls.pem /etc/caddy/certs/tls.key"
volumes:
+ - ./docker/caddy/certs:/etc/caddy/certs:ro
- ./public:/srv/app/public:ro
```
5. Restart your `caddy` container
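Review bot: the mkcert procedure in "Using Custom TLS Certificates" never installs mkcert's own root CA, so the certificate generated in step 3 is not trusted by the host's browsers either; step 1 should read "Locally install `mkcert` and run `mkcert -install`". Two further points on the same file: the Linux command in "Trusting the Authority" runs an unprivileged `docker cp` straight into `/usr/local/share/ca-certificates/root.crt` before the `sudo update-ca-certificates`, which fails unless the user can write there (copy to `/tmp` first, then `sudo cp`, as the Mac variant already does), and the Windows line uses `docker compose cp caddy:` while the other two use `docker cp $(docker compose ps -q caddy):`, so pick one form. Finally, step 4 mounts a private key kept under `./docker/caddy/certs` inside the project tree; the doc should tell readers to add that directory to `.gitignore`, and the trust-store section should say that importing `root.crt` makes the host trust anything signed by the key stored in the caddy volume, so it is worth removing once no longer needed.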


@ -4,18 +4,11 @@
If you work on linux and cannot edit some of the project files right after the first installation, you can run `docker compose run --rm php chown -R $(id -u):$(id -g) .` to set yourself as owner of the project files that were created by the docker container.
## Fix Chrome/Brave SSL
If you have a TLS trust issues, you can copy the self-signed certificate from Caddy and add it to the trusted certificates :
# Mac
$ docker cp $(docker compose ps -q caddy):/data/caddy/pki/authorities/local/root.crt /tmp/root.crt && sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/root.crt
# Linux
$ docker cp $(docker compose ps -q caddy):/data/caddy/pki/authorities/local/root.crt /usr/local/share/ca-certificates/root.crt && sudo update-ca-certificates
# Windows
$ docker compose cp caddy:/data/caddy/pki/authorities/local/root.crt %TEMP%/root.crt && certutil -addstore -f "ROOT" %TEMP%/root.crt
## HTTPs and Redirects
If Symfony is generating an internal redirect for an `https://` url, but the resulting url is `http://`, you have to uncomment the `TRUSTED_PROXIES` setting in your `.env` file.
For more details see the [Symfony internal redirect documentation](https://symfony.com/doc/current/routing.html#redirecting-to-urls-and-routes-directly-from-a-route).
## TLS/HTTPS Issues
See more in the [TLS section](tls.md)
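Review bot: the new heading `## TLS/HTTPS Issues` sits directly under the unchanged `## HTTPs and Redirects`, so the two spellings now clash on the same page; since this commit introduces the new heading, align it with its neighbour (or fix both to `HTTPS`). The removed `## Fix Chrome/Brave SSL` block was the only place that named the browser symptom; suggest the replacement sentence say what the reader will find, e.g. "For browser trust errors (Chrome, Brave) see the Trusting the Authority section in [TLS Certificates](tls.md)", so the pointer is useful to someone searching for that error.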