Docker ‐ http & https
Since PLA's docker container switched to using FrankenPHP, the container itself can serve both http (unsecure) and https (secure) directly. The main advantage of FrankenPHP (over running nginx+fpm) is that it can handle ACME SSL certificates and their renewal without needing any other tooling. For that, you'll need to refer to the documentation at frankenphp.dev and adjust `/etc/caddy/Caddyfile` as appropriate. (These instructions do not cover that scenario.)
This page is a reference on how to run PLA with various web deployment configurations, namely:
- terminating http inside the container
- terminating http/https outside the container
These examples all use the same docker container that is available on Docker Hub.

By default, PLA's docker container has FrankenPHP running on port 8080, so you can start PLA with

```
docker run -it -p 8080:8080 leenooks/phpldapadmin
```

Then point your browser at http://localhost:8080, and you should see the familiar PLA home or login page. If you want to use a different port, eg: port 80 instead of 8080, then you should change the `-p` option appropriately, eg: `-p 80:8080`.

(You may need to start the container with some `-e` arguments, to tell it how to connect to your LDAP server. See Configuration-Variables.)
This is probably a common setup for organisations, where an upstream http(s) server (eg: nginx) terminates the HTTP(S) connection and proxies a connection to the container to deliver the content.

What's important here is that the backend container (pla) can be running on an unsecure port (eg: 8080) while the frontend container handles both unsecure http (port 80) and https (port 443) connections. It is OK for the backend to be using unsecure ports given that the connection from the frontend container (nginx) may be on the same host, or via a docker vxlan (used by docker swarm/kubernetes).

The demo site uses this configuration, where the frontend container (nginx) and the backend container (pla) are both running in a docker swarm. Thus nginx answers the http (port 80) and https (port 443) traffic and forwards that connection to pla on port 8080.
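```
# NGINX direct to HTTP server
server {
    listen 80;
    listen 443 ssl;

    ssl_certificate     path/to/org.phpldapadmin.demo.crt;
    ssl_certificate_key path/to/org.phpldapadmin.demo.key;

    # A variable in proxy_pass makes nginx resolve the name at request time,
    # which requires a resolver directive (Docker's embedded DNS is 127.0.0.11).
    set $container pla_web;

    location / {
        # Pass the original host, client address and scheme to PLA
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://$container:8080;
    }
}
```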
Or, if you want to use Caddy instead:

```
# CADDY direct to HTTP server
(docker-proxy) {
    encode zstd gzip
    reverse_proxy {args[0]}
}

demo.phpldapadmin.org {
    tls path/to/org.phpldapadmin.demo.crt path/to/org.phpldapadmin.demo.key
    import docker-proxy pla_web:8080
}
```
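One way to deploy the nginx-in-front layout described above on docker swarm, added here as an example (it is not from the PLA project or its demo site): the backend publishes no port, and the shared overlay network is encrypted, because swarm overlay traffic between nodes is not encrypted by default. The `nginx` service, the `backend` network, the config and secret names and the local file paths are assumptions; with this layout the certificate paths in the nginx block become `/run/secrets/org.phpldapadmin.demo.crt` and `/run/secrets/org.phpldapadmin.demo.key`.

```yaml
# Constructed example: service layout, names and file paths are assumptions.
version: "3.8"

services:
  pla_web:                        # DNS name used by `set $container pla_web;`
    image: leenooks/phpldapadmin
    networks:
      - backend
    # No "ports:" section on purpose: 8080 is reachable only from containers
    # attached to the backend network, so clients must go through nginx,
    # which is then the only party setting the X-Forwarded-* headers.
    # Add the LDAP connection variables under "environment:" as described
    # in Configuration-Variables.

  nginx:
    image: nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - backend
    configs:
      - source: pla_vhost         # file holding the nginx server block
        target: /etc/nginx/conf.d/default.conf
    secrets:                      # mounted as /run/secrets/<target>
      - source: pla_tls_crt
        target: org.phpldapadmin.demo.crt
      - source: pla_tls_key
        target: org.phpldapadmin.demo.key

networks:
  backend:
    driver: overlay
    driver_opts:
      encrypted: "true"           # IPsec between swarm nodes for this network

configs:
  pla_vhost:
    file: ./pla.conf              # assumed local file name

secrets:
  pla_tls_crt:
    file: ./certs/org.phpldapadmin.demo.crt   # assumed local paths
  pla_tls_key:
    file: ./certs/org.phpldapadmin.demo.key
```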