extern/netbox-docker
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox-docker.git synced 2025-08-08 15:54:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

How to setup TLS for Netbox Docker in Prod using Hitch

Christian Mäder
2021-01-22 11:35:52 +01:00
parent f922d94782
commit 9b326e8991
1 changed files with 22 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
TLS.md

@ -1,12 +1,6 @@
This page explains how to add TLS support for Netbox. This page explains how to add TLS support for Netbox.
There are many ways to do this. There are many ways to do this.
## TLS for the world
In order to setup TLS to serve public traffic to your Netbox it is recommended to set up a reverse proxy that is independent from Netbox.
You can do this by installing a webserver like _nginx_ on your host machine directly or by running it in a container.
But we advise against changing the nginx configuration that ships with Netbox Docker.
## TLS for localhost ## TLS for localhost
This guide is intended for people developing with or on Netbox or Netbox-Docker on their computer. This guide is intended for people developing with or on Netbox or Netbox-Docker on their computer.
@ -27,7 +21,25 @@ This should create a file called `localhost+2.pem` and another file called `loca
The TLS proxy [`hitch`](https://hitch-tls.org/) needs these files in a combined form: The TLS proxy [`hitch`](https://hitch-tls.org/) needs these files in a combined form:
```bash ```bash
cat localhost+2.pem localhost+2-key.pem > localhost+2-full.pem cat localhost+2.pem localhost+2-key.pem > cert_and_key.pem
```
Continue with [TLS Using Hitch](#tls-using-hitch).
## TLS for the world
In order to setup TLS to serve public traffic to your Netbox it is recommended to set up a reverse proxy that is independent from Netbox.
You can do this by installing a webserver like _nginx_ on your host machine directly or by running it in a container.
But we advise against changing the nginx configuration that ships with Netbox Docker.
### TLS Using Hitch
[Hitch](https://hitch-tls.org/) is a high performance TLS proxy by the people behind the famous Varnish.
First you need to combine your TLS key and TLS certificate into one file:
```bash
cat key.pem certificate.pem > cert_and_key.pem
``` ```
To run the TLS proxy [a Docker image of hitch](https://hub.docker.com/r/zazukoians/hitch) can be used. To run the TLS proxy [a Docker image of hitch](https://hub.docker.com/r/zazukoians/hitch) can be used.
@ -42,13 +54,14 @@ services:
tls: tls:
image: zazukoians/hitch image: zazukoians/hitch
environment: environment:
HITCH_PEM: /app/localhost.pem # path within the container to the TLS certificate HITCH_PEM: /app/cert_and_key.pem # path within the container to the TLS certificate
HITCH_PARAMS: --backend=[nginx]:8080 --frontend=[*]:443 # listen on *:443 and forward traffic to nginx:8080 HITCH_PARAMS: --backend=[nginx]:8080 --frontend=[*]:443 # listen on *:443 and forward traffic to nginx:8080
depends_on: depends_on:
- nginx - nginx
volumes: volumes:
- ./localhost+2-full.pem:/app/localhost.pem # mount the TLS certificate - ./cert_and_key.pem:/app/cert_and_key.pem # mount the TLS certificate
ports: ports:
- 8443:443 # bind the container's port 443 to the host's port 8443 -> https://[::1]:8443 - 8443:443 # bind the container's port 443 to the host's port 8443 -> https://[::1]:8443
``` ```
> NOTE: From **version 0.28.0** and above the `nginx` service is no longer in use. The traffic must be forwarded to the netbox service directly. > NOTE: From **version 0.28.0** and above the `nginx` service is no longer in use. The traffic must be forwarded to the netbox service directly.