@josesalvador thanks a lot! That’s excellent. Here’s what I came up with for my docker-compose.yml in the meantime, after creating a “tryton” PostgreSQL database in AWS RDS and running “trytond-admin -d tryton --all”:
```yaml
version: '3.7'
services:
  trytond:
    container_name: trytond  # Server
    image: tryton/tryton:latest  # Uses Debian 10 (buster)
    restart: always
    # for the database URI to connect to AWS RDS "ijack" database
    # TRYTOND_DATABASE__URI=postgresql://USERNAME:PASSWORD@tryton-postgres:5432/
    env_file: .env
    environment:  # https://docs.tryton.org/projects/server/en/latest/topics/start_server.html
      - TRYTOND_WEB__LISTEN=0.0.0.0:8000
    ports:
      - "0.0.0.0:8000:8000"  # This is for the internet-exposed server (trytond): plain HTTP on all interfaces
      # - "5432:5432"  # There is no local PostgreSQL database, only AWS RDS
    expose:
      - 8000
    volumes:
      - ./config.ini:/config.ini
    command: ['trytond', '-c', './config.ini']  # Start the web server listening for requests on 0.0.0.0:8000
```
Now to figure out HTTPS to make it internet-secure…
You can configure an SSL certificate, but this only works with the embedded (werkzeug) web server. It is not used with the Docker image; instead it is µwsgi. You can also set up SSL on µwsgi, but I would not recommend doing that with the Docker image. Instead, it is more common to start a reverse proxy image like nginx or apache which is configured to do the encryption. Here is a tutorial to set up nginx with Let's Encrypt in Docker.
@ced coincidentally, that’s exactly the setup I built for TLS/HTTPS. I’ve read that tutorial before.
You guys are very fast with your responses. It’s greatly appreciated.
Here’s my Docker-Compose / Nginx / Let’s Encrypt / Tryton setup if anyone else is searching for exactly how to do it. If I’ve omitted any details, see the Medium article @ced mentioned here.
First, the Nginx and Certbot containers in my docker-compose.yml file:
```yaml
version: '3.7'
services:
  trytond:
    container_name: trytond  # Server
    image: tryton/tryton:latest  # Uses Debian 10 (buster)
    restart: unless-stopped
    # for the database URI to connect to AWS RDS "ijack" database
    # TRYTOND_DATABASE__URI=postgresql://USERNAME:PASSWORD@tryton-postgres:5432/
    env_file: .env
    environment:  # https://docs.tryton.org/projects/server/en/latest/topics/start_server.html
      - TRYTOND_WEB__LISTEN=0.0.0.0:8000
    ports:
      # Bound to loopback only: nginx reaches trytond over myijack-network (see `expose`).
      # Publishing "8000:8000" on all interfaces would let clients bypass nginx and talk plain HTTP.
      - "127.0.0.1:8000:8000"
      # - "5432:5432"  # There is no local PostgreSQL database, only AWS RDS
    expose:
      - 8000
      # - 5432
    networks:
      - myijack-network
    volumes:
      - ./config.ini:/config.ini
    command: ['trytond', '-c', './config.ini']  # Start the web server listening for requests on 0.0.0.0:8000

  nginx:
    restart: unless-stopped
    image: "nginx:latest"
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      # http://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    networks:
      - myijack-network
    depends_on:
      - trytond  # must name a service defined in this file; nginx proxies to trytond:8000
    # reload nginx every 6h so it picks up certificates renewed by the certbot container
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

  certbot:
    restart: unless-stopped
    image: certbot/certbot
    volumes:
      # http://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    # try a renewal every 12h; certbot only replaces the certificate when it is close to expiry
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

networks:
  myijack-network:
    # driver: bridge
    external:
      name: myijack-network
```
And here’s my actual Nginx “prod.conf” setup in “/etc/nginx/conf.d/prod.conf”:
```nginx
# HTTP port 80 will redirect to HTTPS port 443
server {
    listen 80;       # ipv4
    listen [::]:80;  # ipv6
    server_name myijack.com;  # host

    # ACME HTTP-01 challenge files written by the certbot container; must stay on plain HTTP
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # redirect from HTTP port 80 to HTTPS port 443
    location / {
        return 301 https://$host$request_uri;
    }
}

# Redirected here to HTTPS on port 443
server {
    listen 443 ssl;       # port (ipv4)
    listen [::]:443 ssl;  # ipv6, matching the port-80 block
    server_name myijack.com;  # host

    ssl_certificate /etc/letsencrypt/live/myijack.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myijack.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://trytond:8000/;  # "trytond" is the service name of another Docker container on port 8000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;  # lets the app know the client connection was HTTPS
    }
}
```
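As an added check for the layout discussed in this thread (TLS terminated by nginx, trytond reached only over the Docker network), here is a small audit script. It is example code written for this page, not part of Tryton, the tryton/tryton image or the Medium tutorial; the function names (`parse_port_mapping`, `published_app_ports`, `missing_proxy_headers`) are chosen here, and the sample inputs are constructed inside the script: a compose file that publishes `8000:8000` on all interfaces beside one bound to loopback, and a proxy block with and without `X-Forwarded-Proto`. It flags any non-proxy service whose `ports:` entry is reachable from outside loopback (which lets clients bypass nginx and speak plain HTTP to the app) and any `location` that `proxy_pass`es without forwarding the scheme.

```python
"""Audit a docker-compose file and an nginx vhost for two weak spots in a
"TLS terminates at nginx" layout: an application port published straight to
the host (clients can bypass the proxy and talk plain HTTP) and a proxy
location that does not pass the original scheme to the app.

Added example for this thread. It is not part of Tryton, the tryton/tryton
image or the Medium tutorial; function names and the sample inputs at the
bottom are constructed here."""
import re

# Host addresses that mean "every interface" in a compose port mapping.
PUBLIC_IPS = {None, "", "0.0.0.0", "::", "[::]"}


def parse_port_mapping(spec):
    """Return (host_ip, host_port, container_port) for one `ports:` entry.
    Accepts short syntax ("8000", "8000:8000", "0.0.0.0:80:80",
    "[::1]:80:80", "53:53/udp") and long syntax
    ({"target": 8000, "published": 8000, "host_ip": "127.0.0.1"})."""
    if isinstance(spec, dict):
        return (spec.get("host_ip"), str(spec.get("published", "")),
                str(spec["target"]))
    spec = str(spec).split("/", 1)[0]        # drop a /tcp or /udp suffix
    parts = spec.rsplit(":", 2)              # rsplit keeps an IPv6 literal whole
    if len(parts) == 1:                      # "8000": ephemeral host port, all interfaces
        return (None, "", parts[0])
    if len(parts) == 2:                      # "8000:8000": all interfaces
        return (None, parts[0], parts[1])
    return (parts[0], parts[1], parts[2])    # "ip:host:container"


def published_app_ports(compose, proxy_services=("nginx",)):
    """List findings for every non-proxy service with a port reachable from
    outside loopback. `compose` is the dict yaml.safe_load() returns for a
    docker-compose.yml."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        if name in proxy_services:
            continue
        for entry in (svc or {}).get("ports") or []:
            host_ip, host_port, container_port = parse_port_mapping(entry)
            if host_ip in PUBLIC_IPS:
                findings.append(
                    f"{name}: container port {container_port} published on "
                    f"{host_ip or '0.0.0.0'}:{host_port or '<ephemeral>'}; "
                    "clients can bypass the TLS proxy. Drop the mapping "
                    "(keep `expose`) or bind it to 127.0.0.1.")
    return findings


_LOCATION_RE = re.compile(r"location\s+(?P<path>[^{]+?)\s*\{(?P<body>[^}]*)\}")
_SET_HEADER_RE = re.compile(r"proxy_set_header\s+(\S+)\s")
REQUIRED_HEADERS = ("Host", "X-Forwarded-For", "X-Forwarded-Proto")


def missing_proxy_headers(nginx_conf, required=REQUIRED_HEADERS):
    """Return [(location_path, [missing header names])] for every location
    that proxy_passes but does not set all `required` headers. Locations
    with nested braces are not handled (none are used in this setup)."""
    findings = []
    for m in _LOCATION_RE.finditer(nginx_conf):
        body = m.group("body")
        if "proxy_pass" not in body:
            continue
        present = set(_SET_HEADER_RE.findall(body))
        lacking = [h for h in required if h not in present]
        if lacking:
            findings.append((m.group("path"), lacking))
    return findings


# Constructed sample inputs (not the thread's files verbatim).
COMPOSE_BYPASSABLE = {"services": {
    "trytond": {"ports": ["8000:8000"], "expose": [8000]},
    "nginx": {"ports": ["0.0.0.0:80:80", "0.0.0.0:443:443"]},
    "certbot": {},
}}
COMPOSE_FIXED = {"services": {
    "trytond": {"ports": ["127.0.0.1:8000:8000"], "expose": [8000]},
    "nginx": {"ports": ["0.0.0.0:80:80", "0.0.0.0:443:443"]},
    "certbot": {},
}}
NGINX_NO_PROTO = """
server {
    listen 80;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    location / {
        proxy_pass http://trytond:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}
"""
NGINX_FIXED = NGINX_NO_PROTO.replace(
    "proxy_set_header X-Forwarded-Host $server_name;",
    "proxy_set_header X-Forwarded-Host $server_name;\n"
    "        proxy_set_header X-Forwarded-Proto $scheme;")

if __name__ == "__main__":
    for label, compose in (("bypassable", COMPOSE_BYPASSABLE), ("fixed", COMPOSE_FIXED)):
        print(label, published_app_ports(compose) or "no published app ports")
    for label, conf in (("no proto", NGINX_NO_PROTO), ("fixed", NGINX_FIXED)):
        print(label, missing_proxy_headers(conf) or "all proxy headers set")
```

To run it against a real file, feed `published_app_ports` the dict from `yaml.safe_load(open("docker-compose.yml"))` and `missing_proxy_headers` the text of the vhost; the checks are deliberately syntactic, so confirm the result from outside the host as well (port 8000 should refuse connections, port 80 should answer the ACME path and redirect everything else).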