How to start pydio-cells docker with my own ssl certificate file?

Pydio Cells
1 
docker run -d --restart=always \
  --name pydio-cells \
  --network pydio \
  --hostname pydio-cells \
  --link pydio-fpm:pydio-fpm \
  --link pydio-mariadb:pydio-mariadb \
  -v /data/pydio/cells:/root/.config/pydio/cells \
  -e CELLS_BIND=domain.com:12443 \
  -e CELLS_EXTERNAL=domain.com:12443 \
  pydio/cells

Like this, I want to use https but not self signed. I have a valid certificate for my domain.

2

Hi there,

The easiest way would be to add a proxy in front of your docker. There are quite a few docker containers to help you with that (traefik, nginx, httpd, caddy, …) You also have a few examples of configuration on that page (https://pydio.com/fr/docs/cells/v1/run-behind-proxy)

I’ve seen you had submitted a pr to have the certificates setup directly during the installation, so that would be another way. Thanks for that, we’ll review it asap.

Personally, I’d rather have people use a proxy when using the docker version of the pydio cells as it eases the management in the long run to have things clearly separated (as we do for the mysql database and the php fpm for example)

Thanks,
Greg

3

Hi,

Thanks for reply. I’ve tried nginx reverse proxy before, but failed for several times. There is no nginx sample, so I tried to config by myself. I wrote some simple proxy_pass in the nginx conf file, and the install page runs well. But after installation, the server returned error 500, and I don’t know why.

Here’s nginx docker start command:

docker run -d --restart=always \
  --name pydio-nginx \
  --network pydio \
  --hostname pydio-nginx \
  --link pydio-cells:pydio-cells \
  -v /data/pydio/nginx-confs/nginx.conf:/etc/nginx/nginx.conf \
  -v /data/pydio/nginx-confs/conf.d:/etc/nginx/conf.d/ \
  -v /root/.acme.sh/*.domain.com/*.domain.com.cer:/etc/nginx/ssl/domain.com.crt:ro \
  -v /root/.acme.sh/*.domain.com/*.domain.com.key:/etc/nginx/ssl/domain.com.key:ro \
  -p 12080:80 -p 12443:443 nginx

Here’s my conf file in /etc/nginx/conf.d/:

server {
    listen 12080;
    listen [::]:12080;
    server_name domain.com;
    # enforce https
    return 301 https://$server_name:12443$request_uri;
}

server {
    listen 12443 ssl http2;
    listen [::]:12443 ssl http2;
    server_name domain.com;

    ssl_certificate /etc/nginx/ssl/domain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.com.key;

    fastcgi_read_timeout 600s;


    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/html;

    # set max upload size
    client_max_body_size 20G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        proxy_pass http://pydio-cells:12443/;
        proxy_set_header Host $host;
    }
}

Is there and article about how to setup a proxy in front of pydio docker? Maybe I can read it word by word to figure out where is my mistake.

4

I’ve tried using caddy as proxy server docker, still get problems.

# install

export DB_PW=Passw0rd
export HOST_NAME=pydio.domain.com
export HTTP_PORT=12080
export HTTPS_PORT=12443
export SSL_CRT_FILE=/root/.acme.sh/*.domain.com/*.domain.com.cer
export SSL_KEY_FILE=/root/.acme.sh/*.domain.com/*.domain.com.key
export CADDY_FILE=/data/pydio/caddy/Caddyfile

docker network create --driver bridge --subnet 172.22.5.0/24 pydio

cat <<EOF > $CADDY_FILE
0.0.0.0:$HTTP_PORT {
    redir https://{hostonly}:$HTTPS_PORT{path}
}

0.0.0.0:$HTTPS_PORT {
    log stdout

    tls /etc/ssl/ssl.crt /etc/ssl/ssl.key

    timeouts 0

    # And the rest to pydio
    proxy / pydio-cells:$HTTPS_PORT {
        insecure_skip_verify
        transparent
        websocket
    }
}
EOF

docker run -d --restart=always \
  --name pydio-mariadb \
  --network pydio \
  --hostname pydio-mariadb \
  -v /data/pydio/mariadb:/var/lib/mysql \
  -p 12306:3306 \
  -e TZ='Asia/Shanghai' \
  -e MYSQL_ROOT_PASSWORD=$DB_PW mariadb

docker run -d --restart=always \
  --name pydio-fpm \
  --network pydio \
  --hostname pydio-fpm \
  --link pydio-mariadb:pydio-mariadb \
  -v /data/pydio/cells:/root/.config/pydio/cells pydio/cells-php-fpm

docker run -d --restart=always \
  --name pydio-cells \
  --network pydio \
  --hostname pydio-cells \
  --link pydio-fpm:pydio-fpm \
  --link pydio-mariadb:pydio-mariadb \
  -v /data/pydio/cells:/root/.config/pydio/cells \
  -e CELLS_BIND=$HOST_NAME:$HTTPS_PORT \
  -e CELLS_EXTERNAL=$HOST_NAME:$HTTPS_PORT \
  -e CELLS_NO_SSL=1 \
  pydio/cells

docker restart pydio-fpm

docker run -d \
  --name pydio-caddy \
  --network pydio \
  --hostname pydio-caddy \
  --link pydio-cells:pydio-cells \
  -v /data/pydio/caddy/Caddyfile:/etc/Caddyfile \
  -v $SSL_CRT_FILE:/etc/ssl/ssl.crt:ro \
  -v $SSL_KEY_FILE:/etc/ssl/ssl.key:ro \
  -p $HTTP_PORT:$HTTP_PORT \
  -p $HTTPS_PORT:$HTTPS_PORT \
  abiosoft/caddy



# uninstall

docker stop pydio-caddy && docker rm pydio-caddy
docker stop pydio-cells && docker rm pydio-cells
docker stop pydio-fpm && docker rm pydio-fpm
docker stop pydio-mariadb && docker rm pydio-mariadb

rm -rf /data/pydio/cells
rm -rf /data/pydio/mariadb

After install, server returned error 502.

5

Oooops, I find that the problem is not on the proxy, I’ll create another issue for details now.

6

Hi, i managed to make it work with apache as a reverse proxy,
you could take a look at how i configured everything it could give you an idea.


<IfModule mod_ssl.c>
<VirtualHost *:443>
  
   ServerName domain.pydio.com
  # May be necessary for API direct accesses
  AllowEncodedSlashes On
  RewriteEngine On
   # Make sure to proxy SSL
  SSLProxyEngine On
  # Disable SSLProxyCheck : maybe necessary if Cells is configured with self_signed
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off
  SSLProxyVerify none

  # Proxy WebSocket
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)           wss://192.168.0.153:8080/$1 [P,L]
   # Finally simple proxy instruction
  ProxyPass "/" "https://192.168.0.153:8080/"
  ProxyPassReverse "/" "https://192.168.0.153:8080/"

# You can use your own path
SSLCertificateFile /home/user/cert/apache.crt
SSLCertificateKeyFile /home/user/cert/apache.key

</VirtualHost>
</IfModule>


version: '3'
services:

    # Cells image with two named volumes for the static and for the data
    cells:
        image: pydio/cells:latest
        restart: always
        volumes: ["static:/root/.config/pydio/cells/static/pydio", "data:/root/.config/pydio/cells/data"]
        ports: ["8080:8080"]
        environment:
            - CELLS_BIND=192.168.0.153:8080
            - CELLS_EXTERNAL=192.168.0.153
            - CELLS_NO_SSL=0

    # MySQL image with a default database cells and a dedicated user pydio
    mysql:
         image: mysql:5.7
         restart: always
         environment:
             MYSQL_ROOT_PASSWORD: root
             MYSQL_DATABASE: cells
             MYSQL_USER: cells
             MYSQL_PASSWORD: cells
         command: [mysqld, --character-set-server=utf8mb4, --collation-server=utf8mb4_unicode_ci]
         ports: ["3306:3306"]

    # PHP FPM image with the static named volume from the cells container
    php:
        image: pydio/cells-php-fpm:latest
        restart: always
        volumes: ["static:/root/.config/pydio/cells/static/pydio"]
        ports: ["9000:9000"]

volumes:
    static: {}
    data: {}
7

Yeah, my nginx config has no problem, just like what I said above.

The problem is here: if you set CELLS_NO_SSL=1 you’ll get a server error after install.