Dockerized Apache + SSL behind NGINX as reverse proxy

Morpheu5 asked:

I have two containers, one of which is running NGINX as a reverse proxy for serveral other containers. One of the other containers is running Apache with SSL enabled and configured. I have seen several configuration examples in which, to the best of my understanding, NGINX handles the certificates instead of Apache, and merely pipes through everything else to some non-SSL Apache.

Now, I’d rather have Apache handle its own certificates, particularly because it makes my life easier when managing them them (using a dockerized letsencrypt, which mounts the volumes from the relevant Apache container and drops the certificates in all the right places).

The issue is that I can’t find any example configuration for NGINX to just transparently proxy everything through to the Apache container.

My answer:

That’s because nginx can’t do that.

It can terminate an SSL connection, but it cannot pass one through.

You have at least two options:

  1. Stick the SSL certificates in a tiny Docker volume that’s shared between your letsencrypt container and your nginx container. While you’re at it, you may as well let nginx intercept Let’s Encrypt challenges as well, which might simplify your architecture a bit.
  2. Use haproxy instead of nginx. Unlike nginx, haproxy is capable of passing through SSL connections (and doing a variety of other things that are useful in a containerized setup). Note that this requires SNI support, and so such sites won’t be accessible to ancient web clients which can’t support SNI.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.