How to set up TLS for Netbox Docker in Prod using Hitch

Christian Mäder
2021-01-22 11:35:52 +01:00
parent f922d94782
commit 9b326e8991

31
TLS.md

@ -1,12 +1,6 @@
This page explains how to add TLS support for Netbox.
There are many ways to do this.
## TLS for the world
In order to setup TLS to serve public traffic to your Netbox it is recommended to set up a reverse proxy that is independent from Netbox.
You can do this by installing a webserver like _nginx_ on your host machine directly or by running it in a container.
But we advise against changing the nginx configuration that ships with Netbox Docker.
## TLS for localhost
This guide is intended for people developing with or on Netbox or Netbox-Docker on their computer.
@ -27,7 +21,25 @@ This should create a file called `localhost+2.pem` and another file called `loca
The TLS proxy [`hitch`](https://hitch-tls.org/) needs these files in a combined form:
```bash
cat localhost+2.pem localhost+2-key.pem > localhost+2-full.pem
cat localhost+2.pem localhost+2-key.pem > cert_and_key.pem
```
Continue with [TLS Using Hitch](#tls-using-hitch).
## TLS for the world
In order to setup TLS to serve public traffic to your Netbox it is recommended to set up a reverse proxy that is independent from Netbox.
You can do this by installing a webserver like _nginx_ on your host machine directly or by running it in a container.
But we advise against changing the nginx configuration that ships with Netbox Docker.
### TLS Using Hitch
[Hitch](https://hitch-tls.org/) is a high performance TLS proxy by the people behind the famous Varnish.
First you need to combine your TLS key and TLS certificate into one file:
```bash
cat key.pem certificate.pem > cert_and_key.pem
```
To run the TLS proxy [a Docker image of hitch](https://hub.docker.com/r/zazukoians/hitch) can be used.
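
Review bot: The two `cat` commands that build `cert_and_key.pem` concatenate in opposite orders: the localhost section uses `cat localhost+2.pem localhost+2-key.pem` (certificate first), while the new "TLS Using Hitch" section uses `cat key.pem certificate.pem` (key first). Pick one order and use it in both places, or state explicitly that the order does not matter, so readers are not left guessing which form Hitch expects. The localhost section also now combines the files and then links to a section that repeats the combine step; drop one of the two. Since the resulting file contains the private key, the Hitch section should tell readers to restrict its permissions (for example `chmod 600 cert_and_key.pem`) and to keep it out of version control. Minor: "In order to setup" should read "set up".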
@ -42,13 +54,14 @@ services:
tls:
image: zazukoians/hitch
environment:
HITCH_PEM: /app/localhost.pem # path within the container to the TLS certificate
HITCH_PEM: /app/cert_and_key.pem # path within the container to the TLS certificate
HITCH_PARAMS: --backend=[nginx]:8080 --frontend=[*]:443 # listen on *:443 and forward traffic to nginx:8080
depends_on:
- nginx
volumes:
- ./localhost+2-full.pem:/app/localhost.pem # mount the TLS certificate
- ./cert_and_key.pem:/app/cert_and_key.pem # mount the TLS certificate
ports:
- 8443:443 # bind the container's port 443 to the host's port 8443 -> https://[::1]:8443
```
> NOTE: From **version 0.28.0** and above the `nginx` service is no longer in use. The traffic must be forwarded to the netbox service directly.
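
Review bot: The comments on `HITCH_PEM` and on the volume line still say "TLS certificate", but `cert_and_key.pem` now holds the private key as well; reword both to "combined certificate and private key" so the sensitivity of the file is obvious. The container only needs to read the file, so the mount can be read-only: `./cert_and_key.pem:/app/cert_and_key.pem:ro`. Separately, the note at the end of this hunk says the `nginx` service is no longer in use from version 0.28.0, yet the example still has `--backend=[nginx]:8080` and `depends_on: - nginx`; since this commit already touches the block, either update the example to the netbox service or say which versions the shown configuration applies to.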