In the previous article I built php-apache + mysql; this time I will create a self-signed certificate and add SSL support. The goal is to be able to open the site in Chrome without a certificate warning.
Machine: macOS Catalina 10.15.7
At the end of last time, the layout looked like this:
Arbitrary directory
│
├── docker-compose.yml
│
├── html/
│   └── index.html
│
├── mysql/
│   ├── Dockerfile
│   ├── data/
│   ├── init/
│   │   └── init.sql
│   └── my.cnf
│
└── php-apache/
    ├── Dockerfile
    └── php.ini
↓
This time it will look like this:
Arbitrary directory
│
├── docker-compose.yml  (updated)
│
├── html/
│   └── index.html
│
├── mysql/
│   ├── Dockerfile
│   ├── data/
│   ├── init/
│   │   └── init.sql
│   └── my.cnf
│
└── php-apache/
    ├── Dockerfile  (updated)
    ├── ssl.conf    (added)
    └── ssl/
        ├── ssl.key (added)
        └── ssl.crt (added)
Let's get started
First, let's make a self-signed certificate. Create a directory for it and move into it.
ksk@ksknoMacBook-Pro work % mkdir php-apache/ssl
ksk@ksknoMacBook-Pro work % cd php-apache/ssl
ksk@ksknoMacBook-Pro ssl % openssl genrsa -out ssl.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
.+++
e is 65537 (0x10001)
Enter "localhost" for the Common Name, leave the other fields blank and press Enter.
ksk@ksknoMacBook-Pro ssl % openssl req -new -sha256 -key ssl.key -out ssl.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:localhost
Email Address []:
error, no objects specified in config file
problems making Certificate Request
Recent versions of Chrome ignore the Common Name and match the host name against the subjectAltName extension, so to avoid the warning with a self-signed certificate you need this:
ksk@ksknoMacBook-Pro ssl % echo "subjectAltName = DNS:localhost" > san.txt
I recall getting a warning when the validity period was 10 years, so I set it to 1 year.
ksk@ksknoMacBook-Pro ssl % openssl x509 -req -sha256 -days 365 -signkey ssl.key -in ssl.csr -out ssl.crt -extfile san.txt
The certificate is ready.
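The three openssl steps above, plus the checks I would run on the result before copying the files into the image, as an added shell example (this is not code from the original post). It assumes only the openssl CLI; the function names and the san.txt contents mirror the article's commands, while the verification logic is mine. Unlike the interactive session above, the Distinguished Name is passed with -subj so the whole thing can be scripted.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the article's openssl commands,
# followed by checks for the properties Chrome actually cares about.
set -eu

# Create ssl.key, ssl.csr and ssl.crt in DIR for host name NAME
# (default: localhost), valid for DAYS days (default: 365).
make_self_signed_cert() {
    dir=$1; name=${2:-localhost}; days=${3:-365}
    mkdir -p "$dir"
    # 2048-bit RSA private key as in the article; umask keeps it owner-readable only.
    (umask 077 && openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null)
    # CSR with the DN given on the command line instead of through the prompts.
    openssl req -new -sha256 -key "$dir/ssl.key" -subj "/CN=$name" -out "$dir/ssl.csr"
    # Chrome ignores the CN; the subjectAltName extension is what it matches.
    printf 'subjectAltName = DNS:%s\n' "$name" > "$dir/san.txt"
    openssl x509 -req -sha256 -days "$days" -signkey "$dir/ssl.key" \
        -in "$dir/ssl.csr" -out "$dir/ssl.crt" -extfile "$dir/san.txt" 2>/dev/null
}

# Return 0 only if ssl.crt in DIR carries DNS:NAME in its SAN, belongs to
# ssl.key in the same directory, and has not expired. Any other case returns 1.
check_cert() {
    dir=$1; name=${2:-localhost}
    # 1. SAN present and containing the expected DNS name
    openssl x509 -in "$dir/ssl.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$name" || return 1
    # 2. key and certificate share the same RSA modulus, i.e. they are a pair
    key_mod=$(openssl rsa -in "$dir/ssl.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$dir/ssl.crt" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ] || return 1
    # 3. not already expired (checkend 0 = "does it expire within 0 seconds?")
    openssl x509 -in "$dir/ssl.crt" -noout -checkend 0 >/dev/null || return 1
    return 0
}

# Usage: sh make_cert.sh php-apache/ssl [hostname] [days]
if [ "$#" -gt 0 ]; then
    make_self_signed_cert "$1" "${2:-localhost}" "${3:-365}"
    check_cert "$1" "${2:-localhost}" && echo "ok: $1/ssl.crt passes all checks"
fi
```

`check_cert` fails in exactly the situations that produce a browser warning or a non-starting Apache: a certificate without the SAN extension, a key that does not match the certificate, or an expired certificate. Once the containers are up, `openssl s_client -connect localhost:8443 -servername localhost </dev/null | openssl x509 -noout -text` prints the certificate Apache is really serving, so the same SAN check can be applied to the live endpoint rather than to the file on disk.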
ssl.conf
Since I want to base ssl.conf on the ssl.conf of the existing container created last time, first check the state of the containers.
ksk@ksknoMacBook-Pro ssl % cd ../
ksk@ksknoMacBook-Pro php-apache % docker container ls -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c43e97e5c37 work_mysql "docker-entrypoint.s…" 20 minutes ago Up 20 minutes 0.0.0.0:3306->3306/tcp, 33060/tcp db
35889b716286 work_php-apache "docker-php-entrypoi…" 20 minutes ago Up 20 minutes 0.0.0.0:8080->80/tcp web
Copy ssl.conf to the local directory using the container ID of the web container.
ksk@ksknoMacBook-Pro php-apache % docker cp 35889b716286:/etc/apache2/sites-available/ssl.conf ./
Edit ssl.conf so that the certificate and key are read from /etc/httpd/ssl/.
ssl.conf
〜〜〜
SSLCertificateFile /etc/httpd/ssl/ssl.crt
SSLCertificateKeyFile /etc/httpd/ssl/ssl.key
〜〜〜
Starting from the previous article's Dockerfile, I add the lines from RUN mkdir -p /etc/httpd/ssl onward.
Dockerfile
FROM php:7.4-apache
COPY ./php.ini /usr/local/etc/php/
RUN apt-get update
RUN apt-get install -y zip unzip vim libpng-dev libpq-dev
RUN docker-php-ext-install pdo_mysql
# Directory referenced by SSLCertificateFile / SSLCertificateKeyFile in ssl.conf
RUN mkdir -p /etc/httpd/ssl
# Enable mod_ssl, install the site config and copy in the key and certificate.
# Note: COPY bakes the private key into the image layers. That is acceptable for
# a local self-signed dev key; a production key should be mounted at run time.
RUN a2enmod ssl
COPY ./ssl.conf /etc/apache2/sites-available/ssl.conf
COPY ./ssl/ssl.key /etc/httpd/ssl/ssl.key
COPY ./ssl/ssl.crt /etc/httpd/ssl/ssl.crt
# Activate the ssl site (links it into sites-enabled)
RUN a2ensite ssl
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
Map host port 8443 to container port 443 so HTTPS is reachable from the Mac.
docker-compose.yml
version: '3'
services:
  php-apache:
    build: ./php-apache/
    volumes:
      - ./html:/var/www/html
    ports:
      - 8080:80
      - 8443:443
    container_name: web
  mysql:
    build: ./mysql/
    volumes:
      - "./mysql/data:/var/lib/mysql"
      - "./mysql/init:/docker-entrypoint-initdb.d"
    environment:
      - MYSQL_ROOT_PASSWORD=docker
      - MYSQL_DATABASE=mydb
      - MYSQL_USER=appuser
      - MYSQL_PASSWORD=appuser1
    container_name: db
    ports:
      - 3306:3306
That is all the preparation.
First, if the previous containers are still there, remove them.
ksk@ksknoMacBook-Pro php-apache % cd ../
ksk@ksknoMacBook-Pro work % docker container stop web
ksk@ksknoMacBook-Pro work % docker container rm web
ksk@ksknoMacBook-Pro work % docker container stop db
ksk@ksknoMacBook-Pro work % docker container rm db
Build and start
ksk@ksknoMacBook-Pro work % docker-compose build
ksk@ksknoMacBook-Pro work % docker-compose up -d
Confirm the containers started
ksk@ksknoMacBook-Pro work % docker container ls -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c43e97e5c37 work_mysql "docker-entrypoint.s…" 20 minutes ago Up 20 minutes 0.0.0.0:3306->3306/tcp, 33060/tcp db
35889b716286 work_php-apache "docker-php-entrypoi…" 20 minutes ago Up 20 minutes 0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp web
Open the folder containing ssl.crt in Finder and double-click the file.
Select "System" as the keychain and press Add.
When you open Keychain Access, the certificate you just registered appears under its domain name, so double-click it. Set "When using this certificate" to "Always Trust"; every entry below then switches to "Always Trust", so close the window.
Finally, open the site over HTTPS (port 8443) in Chrome and check: no warning, and the lock mark next to the address bar also appeared without any problem.
That's all.