
Update tls.md #738

Open

wants to merge 1 commit into main

Conversation

abdounikarim
Contributor

When using a custom TLS certificate, we also need to update the SERVER_NAME env variable.

@7-zete-7
Contributor

Hi @abdounikarim!

Thanks for suggesting this change!

This environment variable is already set in compose.yaml. No need to set it in compose.override.yaml.

It makes more sense to describe that the Docker Compose project should be launched with this environment variable explicitly set:

  • Launch the Docker Compose project with a command like this:

    SERVER_NAME=server-name.localhost \
    docker compose ...
  • Or set the value of this environment variable in the .env file:

    +SERVER_NAME=server-name.localhost
  • Or replace the default value for all forwardings of the SERVER_NAME environment variable in compose.yaml files with the required one:

    -SERVER_NAME: ${SERVER_NAME:-localhost}, php:80
    +SERVER_NAME: ${SERVER_NAME:-server-name.localhost}, php:80

@abdounikarim
Contributor Author

Hi @7-zete-7 and thanks for your answer.

You're partially right actually 😉
We can use the env variable defined in compose.yaml, but we need to:

  • remove the php:80 at the end or
  • change it to php:443

If you don't, you'll have this error:

Error: adapting config using caddyfile: server listening on [:80] is HTTP, but attempts to configure TLS connection policies
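
The `php:80` failure described above, as an added example that is not part of this PR or of the project itself: a small POSIX shell check that splits a SERVER_NAME value the way Caddy reads it (comma-separated), flags entries that bind plain-HTTP port 80 or carry an explicit `http://` scheme (both give Caddy an HTTP-only listener that cannot take TLS connection policies), and strips schemes and ports so the remaining hostnames can be reused as Compose network aliases. The function names and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PR or symfony-docker): validate a SERVER_NAME
# value before starting the Compose project with a custom TLS certificate.
# Caddy turns "host:80" (or "http://host") entries into plain-HTTP listeners,
# which is what triggers:
#   server listening on [:80] is HTTP, but attempts to configure TLS connection policies

# Print each address of a comma-separated SERVER_NAME on its own line,
# trimmed of surrounding whitespace, skipping empty entries.
split_server_name() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# Exit 0 when every entry can be served over TLS, 1 when any entry pins
# an HTTP-only listener (port 80 or an explicit http:// scheme).
check_tls_compatible() {
    ! split_server_name "$1" | grep -Eq '^http://|:80$'
}

# Strip scheme and port so the bare hostnames can be used as
# "networks: <net>: aliases:" entries in compose.yaml.
hostnames_only() {
    split_server_name "$1" | sed -E 's#^https?://##; s/:[0-9]+$//'
}

# Sample values (constructed for this example) exercised when run directly.
if [ "${0##*/}" = "check_server_name.sh" ]; then
    for value in 'server-name.localhost' 'localhost, php:80'; do
        if check_tls_compatible "$value"; then
            echo "OK     : $value"
        else
            echo "REJECT : $value (HTTP-only entry conflicts with TLS)"
        fi
        hostnames_only "$value" | sed 's/^/  alias: /'
    done
fi
```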

@7-zete-7
Contributor

Thanks for the feedback, @abdounikarim!

Yes, indeed, if you leave php:80, you will get the error you described. Forgot about that 😅

Perhaps the best option would be to completely abandon the php hostname. The custom TLS certificate, I assume, will not support the php hostname. Because of this, calls to FrankenPHP via the php hostname will result in a TLS error.

In the default configuration, the php hostname is used only for Symfony to call Mercure locally. You can simply configure access to Mercure via an external hostname:

 services:
   php:
     # ...
     environment:
       # ...
-      SERVER_NAME: ${SERVER_NAME:-localhost}, php:80
+      SERVER_NAME: ${SERVER_NAME:-server-name.localhost}
       # ...
-      MERCURE_URL: ${CADDY_MERCURE_URL:-http://php/.well-known/mercure}
+      MERCURE_URL: ${CADDY_MERCURE_URL:-https://${SERVER_NAME:-server-name.localhost}/.well-known/mercure}
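
Review bot: Switching `MERCURE_URL` from `http://php/...` to `https://${SERVER_NAME:-server-name.localhost}/...` makes Symfony's internal hub call verify the custom certificate, so the CA that issued it must be trusted inside the php container or the HTTP client will fail TLS verification; that prerequisite should be stated next to this snippet. The default hostname is now also duplicated between the `SERVER_NAME:` and `MERCURE_URL:` lines, so the two defaults must be kept in sync (or the second one should reference a single shared value) to avoid a hub URL that does not match the served name.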

In this case, there will be no need for the hostname php at all.

In addition, for optimization (excluding access via more network nodes than necessary), you can also set an additional hostname for service php (see https://docs.docker.com/reference/compose-file/services/#aliases):

 services:
   php:
     # ...
+    networks:
+      app:
+        aliases:
+          - ${SERVER_NAME:-server-name.localhost}
 # ...
+networks:
+  app:
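
Review bot: The alias `${SERVER_NAME:-server-name.localhost}` assumes SERVER_NAME holds exactly one bare hostname, but the value replaced earlier in this thread (`${SERVER_NAME:-localhost}, php:80`) shows it may be comma-separated and carry a port, either of which yields an invalid network alias; document that SERVER_NAME must be a single hostname when this alias is used, or introduce a dedicated variable for it. Also, once `php` declares `networks: app`, it leaves the Compose default network, so every other service it talks to must join `app` as well or connectivity to them is lost.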

After such optimization, requests will pass through the same number of network nodes as in the standard configuration.
