How to setup SSL for Tryton with docker image

@josesalvador thanks a lot! That’s excellent. Here’s what I came up with for my docker-compose.yml in the meantime, after creating a “tryton” PostgreSQL database in AWS RDS and running “trytond-admin -d tryton --all”:

version: '3.7'
services:
  trytond:
    container_name: trytond # Server
    image: tryton/tryton:latest # Uses Debian 10 (buster)
    restart: always
    # for the database URI to connect to AWS RDS "ijack" database
    # TRYTOND_DATABASE__URI=postgresql://USERNAME:PASSWORD@tryton-postgres:5432/
    env_file: .env
    environment: # https://docs.tryton.org/projects/server/en/latest/topics/start_server.html
      - TRYTOND_WEB__LISTEN=0.0.0.0:8000
    ports:
      - 0.0.0.0:8000:8000 # This is for the internet-exposed server (trytond)
      # 5432:5432 # There is no local PostgreSQL database, only AWS RDS
    expose:
      - 8000
    volumes:
      - ./config.ini:/config.ini
    command: ['trytond', '-c', './config.ini'] # Start the web server listening for requests on 0.0.0.0:8000

Now to figure out HTTPS to make it internet-secure…

Thanks again!
Sean

You can configure an SSL certificate, but this only works with the embedded (werkzeug) web server. It is not used with the docker image; instead it is µwsgi. You can also set up SSL for µwsgi, but I would not recommend doing that with the docker image. Instead it is more common to start a reverse proxy image like nginx or apache which is configured to do the encryption. Here is a tutorial to set up nginx with Let's Encrypt in docker.

1 Like

@ced coincidentally, that’s exactly the setup I built for TLS/HTTPS. I’ve read that tutorial before. :slight_smile:

You guys are very fast with your responses. It’s greatly appreciated.

Here’s my Docker-Compose / Nginx / Let’s Encrypt / Tryton setup if anyone else is searching for exactly how to do it. If I’ve omitted any details, see the Medium article @ced mentioned here.

First the Nginx and Certbot containers in my docker-compose.yml file:

version: '3.7'
services:
  trytond:
    container_name: trytond # Server
    image: tryton/tryton:latest # Uses Debian 10 (buster)
    restart: unless-stopped
    # for the database URI to connect to AWS RDS "ijack" database
    # TRYTOND_DATABASE__URI=postgresql://USERNAME:PASSWORD@tryton-postgres:5432/
    env_file: .env
    environment: # https://docs.tryton.org/projects/server/en/latest/topics/start_server.html
      - TRYTOND_WEB__LISTEN=0.0.0.0:8000
    ports:
      # Also publishes plain HTTP on the host's port 8000. nginx reaches trytond over
      # myijack-network, so this mapping is not needed once the proxy is working.
      - 8000:8000 # This is for the internet-exposed server (trytond) behind nginx
      # 5432:5432 # There is no local PostgreSQL database, only AWS RDS
    expose:
      - 8000
    # expose: 5432
    networks:
      - myijack-network
    volumes:
      - ./config.ini:/config.ini
    command: ['trytond', '-c', './config.ini'] # Start the web server listening for requests on 0.0.0.0:8000

  nginx:
    restart: unless-stopped
    image: "nginx:latest"
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      # http://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    networks:
      - myijack-network
    depends_on:
      - trytond # the backend that prod.conf proxies to (must be a service defined in this file)
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

  certbot:
    restart: unless-stopped
    image: certbot/certbot
    volumes:
      # http://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

networks:
  myijack-network:
    # driver: bridge
    external:
      name: myijack-network

And here’s my actual Nginx “prod.conf” setup in “/etc/nginx/conf.d/prod.conf”:

# HTTP port 80 will redirect to HTTPS port 443
server {
    listen 80; # ipv4
    listen [::]:80; # ipv6
    server_name myijack.com; # host

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # redirect from HTTP port 80 to HTTPS port 443
    location / {
        return 301 https://$host$request_uri;
    }
}

# Redirected here to HTTPS on port 443
server {
    listen 443 ssl; # port
    server_name myijack.com; # host

    ssl_certificate /etc/letsencrypt/live/myijack.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myijack.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://trytond:8000/; # "trytond" is the service name of another Docker container on port 8000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

}

And the result:

3 Likes
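The setup above (ced's recommendation of a TLS-terminating reverse proxy, and Sean's nginx plus docker-compose files) is easy to get subtly wrong: the port-80 server keeps proxying plaintext, a certificate directive goes missing, or the backend stays published on the host so it is reachable around the proxy. The script below is an added example, not code from the thread or from the Tryton project. It lints a conf.d file with the shape of prod.conf and checks it against the compose file; the `example.com` conf and the compose fragment are constructed samples, and the `X-Forwarded-Proto` header it looks for is not in prod.conf above but is the usual way to let the backend know the original request arrived over HTTPS. It is regex-based and stdlib-only, so it understands this simple conf layout rather than arbitrary nginx syntax.

```python
"""Added check for the pattern this thread settles on: nginx redirects 80 to 443,
holds the certificate and proxies to Tryton over the docker network (stdlib only)."""
import re

# Constructed conf in the shape of prod.conf above (example.com is a placeholder).
GOOD_CONF = """
server {
    listen 80;
    listen [::]:80;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location / {
        proxy_pass http://trytond:8000/;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
"""

# Constructed compose fragment: the backend also publishes 8000 on the host.
SAMPLE_COMPOSE = """
services:
  trytond:
    image: tryton/tryton:latest
    ports:
      - 8000:8000
  nginx:
    image: nginx:latest
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
"""

def server_blocks(conf):
    """Bodies of top-level 'server { ... }' blocks, nested braces included."""
    blocks, depth, start = [], 0, None
    for m in re.finditer(r"[{}]", conf):
        if m.group() == "{":
            if depth == 0:  # only a top-level block whose keyword is 'server' counts
                head = re.search(r"(\w+)\s*$", conf[:m.start()])
                start = m.end() if head and head.group(1) == "server" else None
            depth += 1
        else:
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(conf[start:m.start()])
    return blocks

def lint(conf):
    """Findings for the redirect / certificate / proxy pattern; [] means clean."""
    findings = []
    for body in server_blocks(conf):
        listens = [l.strip() for l in re.findall(r"^\s*listen\s+([^;]+);", body, re.M)]
        if any(re.search(r"(^|:)80$", l) for l in listens):  # plain-HTTP server
            if not re.search(r"return\s+30[12]\s+https://", body):
                findings.append("port-80 server has no redirect to https")
            if "proxy_pass" in body:
                findings.append("port-80 server proxies to the backend over plain HTTP")
            if "/.well-known/acme-challenge/" not in body:
                findings.append("port-80 server lacks the acme-challenge location certbot renewal needs")
        if any(l.startswith("443") and "ssl" in l for l in listens):  # TLS server
            for directive in ("ssl_certificate", "ssl_certificate_key"):
                if not re.search(rf"^\s*{directive}\s", body, re.M):
                    findings.append(f"port-443 server is missing {directive}")
            if "proxy_pass" in body and "X-Forwarded-Proto" not in body:
                findings.append("port-443 server does not tell the backend the request was HTTPS")
    return findings

def published_host_ports(compose_text, service):
    """Host ports a service publishes under 'ports:' (naive scan of 2-space YAML)."""
    ports, in_service, in_ports = [], False, False
    for raw in compose_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent, key = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:
            in_service = in_ports = False
        elif indent == 2 and key.endswith(":"):
            in_service, in_ports = key == f"{service}:", False
        elif indent == 4 and key.endswith(":"):
            in_ports = in_service and key == "ports:"
        elif in_ports and key.startswith("- "):
            parts = key[2:].strip("\"'").split(":")
            if len(parts) >= 2:  # HOST:CONTAINER or IP:HOST:CONTAINER
                ports.append(int(parts[-2]))
    return ports

def backend_published(conf, compose_text):
    """Proxied backends whose port is also published on the host, bypassing nginx."""
    hits = set()
    for service, port in re.findall(r"proxy_pass\s+https?://([\w.-]+):(\d+)", conf):
        if int(port) in published_host_ports(compose_text, service):
            hits.add((service, int(port)))
    return sorted(hits)

if __name__ == "__main__":
    print(lint(GOOD_CONF), backend_published(GOOD_CONF, SAMPLE_COMPOSE))
```

Run against the real files with `lint(open("data/nginx/prod.conf").read())` and `backend_published(conf, open("docker-compose.yml").read())`; an empty findings list and an empty backend list mean that HTTP only redirects, the certificate pair is configured, and the only path to trytond from outside is through the TLS proxy.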
