❓ How to setup with HTTPS?

[snapshotleisure]

⚠️ Please verify that this bug has NOT been raised before.

• I checked and didn't find similar issue

🛡️ Security Policy

• I agree to have read this project Security Policy

📝 Describe your problem

Hi, I was wondering how to do I setup Dockge to have HTTPS? is there any instructions on it? I haven't been able to find any

📝 Error Message(s) or Log

No response

🐻 Dockge Version

1.2

💻 Operating System and Arch

PhotonOS

🌐 Browser

Google Chrom

🐋 Docker Version

24.0.5

🟩 NodeJS Version

No response

[Jayllyz]

The wiki is currently in WIP, so if you need infos, you can use uptime-kuma's wiki.
https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy

[hermannx5]

I also have problem with HTTPS. I am using nginx rproxy manager and activated the "Websockets Support" option as is described in the kuma wiki. Unfortunately it just does not work. Using the exact same setup with Kuma, it works..
Does anybody have some additional tips ?
Other than that, btw.: really great, great work - just like Kuma !

[Jayllyz]

I also use nginx proxy manager for Dockge, I don't have any problems.
Could you share your configuration and what exactly is your problem?

[hermannx5]

I am actually doing nothing special. I use duckdns for dyndns and a letsencrypt wildcard certificate. When setting up the proxy host in nginx I do just the standard stuff and activate the option "Websockets Support". When I try to reach dockge via the reverse proxy I see shortly a black page with the dockge logo up top which is then overlayed by a big red banner telling me that the socket server cannot be reached and how to potentially fix this ("Keine Verbindung zum Socket Server. [Error: websocket error] Erneuter Verbindungsaufbau…
Wird ein Reverse Proxy genutzt? Lerne wie dieser für WebSockets zu konfigurieren ist.").
The only unusual (?) thing in my setup is that actually in my router I opened not the standard https port but some other port which then routes internally to port 443. For uptime kuma, I used the exact same setup and interestingly it worked for kuma but not dockge....

[hermannx5]

Update: I have now updated to 1.4.1 and without any changes in NGinx Proxy Manager everything seems to work fine now...

[snapshotleisure]

I would still like to see if there is HTTPS Support for Dockge as if I put a proxy in front of it, it generates a lot of logs and noise in the proxy logs due to the websocket connection, which makes it hard for trouble shooting.

Example, I have a machine with Docker on it, I run the proxy as a docker container and also dockge on it. I am setting up a new service in the proxy to route and there are issues. I try to look at the proxy logs by logging into dockge to view the docker logs of the proxy. By doing this I am now seeing all the websocket messages in the proxy logs and I can't easily see the request that is causing the issue of the new service.

It also makes securing a dockge instance a bit cumbersome, If I want to a secure Dockge environment, I need to first fire up dockge, then setup the reverse proxy, then modify the compose file to no longer expose the 5001 port.

As a central tool for managing core infrastructure like docker, I would expect security to be first priority as someone can easily sniff your password via plain text http. I think dockge should be secure from the very first moment you create your admin user with password.

[jgardner-qha]

I use Traefik, which makes this incredibly simple. With a Traefik docker container handling SSL and the Dockge environment behind it, it took only a minute to add the Dockge stack behind my existing proxy without ever exposing any public ports. You can also easily use forward-auth with Traefik to add a layer of security in front of Dockge from the start without much effort.

[samerfarida]

I tried doing the same but no luck! Could you please share the labels used or the entire docker compose example? I have Traefik and works perfectly with others with no issues.

[jgardner-qha]

Sorry for the delay, @samerfarida. Here's an example of how I use docker, traefik, and dockge together to easily handle SSL reverse proxy.
dockge traefik examples.txt

[coreyaboy]

@snapshotleisure @samerfarida I ran into this problem, described exactly as both of you have. Just a few minutes ago I lucked out with a random desperation-edit and got it working, thought I would circle back around here and give an update in case it turns out to be the fix you need.

Long story short, dockge will not respond to a reverse proxy via hostname. Your reverse proxy must connect to dockge by IP address. The docker hosts external IP address, not the container's internal address.

I tried three different reverse proxy platforms. NPM. Caddy. Traefik. With each, I could get Uptime-Kuma working just fine but no luck with dockge. Each time, everything was a fresh install, compose files lifted straight from developer pages, reverse proxy to dockge always results in a bad gateway while uptime-kuma just works. In each case, once I switched from hostname to the docker host's external IP address, it just magically started working.

Don't know if I am overlooking something here. I'd prefer to use hostname. Best practices and such. But I'm fatigued with fiddling with this irrational issue, so I'm just going to leave it as is and grab a beer.

I'm attaching my docker compose yml files and screen shots of the NPM proxy host setup that worked for me.

For the security minded, yes, I later later enabled all the SSL features on the SSL tab and setup a local-access-only rule in NPM to keep dockge access restricted to the local network. Didn't break anything.

dockge_compose_yml.txt
npm_compose_yml.txt

[jgardner-qha]

I'm surprised this is proving difficult, as I haven't had any problems. I've used both NGINX and Traefik reverse proxies. Here's my dockge compose, traefik compose, and traefik.yml files. Some details have been removed, so these may not work directly - you'll need to modify/add to them as appropriate for your environment.

This is the basic configuration I use for all of my services, and I've got dockge running behind an SSL reverse proxy on a dozen or so servers and several dozens of websites and web applications using this method.
 
dockge traefik examples.txt

[coreyaboy]

Hey! Thanks for the reply. I tagged you above thinking you were one of the folk struggling with this. Sorry for that.

Google brought me to a handful of technical forums where I saw several other people struggling with similar, so I know there's gotta be something to it. After stumbling into the solution that worked for me, I'm convinced that the common thread is something to do with the docker network environment or local DNS or something along those lines, but I haven't the foggiest idea what to look into next.

Being honest, whatever it is, it's beyond the intersection of my patience and skill level. I'm taking my sub-optimal IP address solution and calling it good enough.

Cheers!

[jgardner-qha]

Haha, no apologies necessary! I was just surprised at how many people were having a problem with it, which is why I replied with my own working config. There may be something else in the environment affecting it. I mostly use Ubuntu images on Amazon EC2, but other distributions or VM images on other networks may have something different that's causing these issues.

Caddy is another very easy alternative for a web server and reverse proxy that should work well with Dockge (although I haven't tried them together yet). If anyone is interested, I'll be happy to set one up to test it and provide a working config.

[snapshotleisure]

I guess for me, I see dockge as a core part of the docker setup, as in the first thing you would deploy after installing docker would be dockge to help deploy other containers.

As such I should be able to securely log into dockge the moment I deploy docker, so I can install containers like traefik to then proxy other applications. Kind of oxymoron for me to have to have to deploy traefik first, then dockge to then use it securely.... Just a bad user experience.

I think for most people here is fine, cause dockge came in quite late in the game and most people already have their docker setup already (i.e web proxy, etc). However for a newbie or someone who is building a brand new lab or environment, its a bit of a cumbersome step

[jgardner-qha]

A chicken and an egg are laying in a bed. The egg rolls over with a sigh of satisfaction and lights up a cigarette. The chicken angrily tugs on the covers and proclaims, "I guess we know the answer to THAT question!"

In all seriousness, I set up my docker environment with traefik and dockge at the same time. They can be in the same compose file with any other type of authentication containers you might need or want. Traefik provides the proxy needed to access dockge, and dockge helps with setting up everything else. You can accomplish nearly everything with a single docker compose file, so a new deployment takes only minutes to stand up.

[snapshotleisure]

@jgardner-qha aha I like the analogy and it is definately befitting of the question at hand, I guess for me that would put traefik in the same dockge compose file. Do you have dockge manage its own compose file too? Does that work? If that does work I guess it would be fine.

For my use case, I have dockge managing the compose file for reverse proxy seperately

[coreyaboy]

I don't thin Dockge can not manage it's own compose file.

Well. Actually, I guess I don't know that for certain. I just know that the install instructions direct you away from such, and those instructions include a stern worded warning about not guffing up the paths and such.

Thinking it over, I'm kinda making an assumption. So ... IDK.

[jgardner-qha]

Yes, interestingly, dockge can manage its own compose stack! Obviously if you stop the dockge container from Dockge, you won't be able to start it again as easily. ;) Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: snapshotleisure ***@***.***> Sent: Thursday, July 4, 2024 7:41:48 PM To: louislam/dockge ***@***.***> Cc: Jonathan Gardner ***@***.***>; Mention ***@***.***> Subject: Re: [louislam/dockge] ❓ How to setup with HTTPS? (Discussion #222) @jgardner-qha<https://github.com/jgardner-qha> aha I like the analogy and it is definately befitting of the question at hand, I guess for me that would put traefik in the same dockge compose file. Do you have dockge manage its own compose file too? Does that work? If that does work I guess it would be fine. For my use case, I have dockge managing the compose file for reverse proxy seperately — Reply to this email directly, view it on GitHub<#222 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AT4CDYE5JDC6YBKHCYUKVNTZKXTUZAVCNFSM6AAAAABAD5TPEWVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TSNRTGEZTI>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[coreyaboy]

I can't imagine the workflow for standing up and configuring an all-in-one reverse proxy, cert manager, ssl host, and container manager, with active encryption certificates and appropriate DNS settings all at once. Would be a neat trick though.

I've been leaning on tailscale to keep my remote deployments secure while I'm sorting them out, and getting ready to expose things to the public.

But I'm an "aggressive hobbyist" at best.

[snapshotleisure]

Didn't see this reply, but for me I use ansible to do the workflow you describe. So I have ansible, which talks to my proxmox cluster to deploy a vm, once the vm is deploy it will run the harden script to auto harden the server, then install docker, then install dockge / portainer

So from that workflow, i have new VM which is ready for me to deploy docker compose stacks, i normally then deploy the reverse proxy (for me I use bunkerweb). Which is why I was seeing a good use for dockge to be deployed straight up with HTTPS.

[jgardner-qha]

I just put Dockge on the same path as the rest of the containers - seems to work fine. As I've mentioned in previous posts, it works well to put Traefik (or NGINX, or Caddy, etc.) in the same compose file so you can fire up the infrastructure in one step and have immediate access to Dockge to set up your other compose files. Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: Corey ***@***.***> Sent: Thursday, July 4, 2024 9:04:09 PM To: louislam/dockge ***@***.***> Cc: Jonathan Gardner ***@***.***>; Mention ***@***.***> Subject: Re: [louislam/dockge] ❓ How to setup with HTTPS? (Discussion #222) I don't thin Dockge can not manage it's own compose file. Well. Actually, I guess I don't know that for certain. I just know that the install instructions direct you away from such, and those instructions include a stern worded warning about not guffing up the paths and such. Thinking it over, I'm kinda making an assumption. So ... IDK. — Reply to this email directly, view it on GitHub<#222 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AT4CDYAKPD5XGZW7SNX2MMLZKX5JTAVCNFSM6AAAAABAD5TPEWVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TSNRTGUYTM>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[vishalkadam47]

is there an example compose.yaml using caddy would be helpful

[snapshotleisure]

OK! I have been an idiot, I went looking into the code as I was thinking of adding the feature in, but then found it was already done. The steps are just no documented, so for anyone interested, I did the following

You need to make the following adjustments to the compose file that he supplies:
Add extra volume
volumes:

• /var/run/docker.sock:/var/run/docker.sock
• ./data:/app/data
• location_of_certs:/certs

Add extra environment variable
environment:

• DOCKGE_STACKS_DIR=/location you specified
• DOCKGE_SSL_KEY=./certs/key.pem (assuming you are using LE certs)
• DOCKGE_SSL_CERT=./certs/fullchain.pem

After it should work.