How to get Roundcube web UI on port 443 with TLS for docker-compose-fpm.yaml ? #302

Closed
nupulu opened this issue Dec 9, 2024 · 8 comments

nupulu commented Dec 9, 2024

I have Roundcube running as container using the docker-compose-fpm.yaml example.
So far I got it all working apart from getting the Roundcube web UI on port 443 with TLS.

I enabled the correct port in the compose file and also mapped the letsencrypt file tree as described in the compose file, but it seems that the nginx template default.conf.template only provides a plaintext UI on port 80.

  roundcubenginx:
    image: nginx:latest
    container_name: roundcubenginx
    # restart: unless-stopped
    ports:
      - '80:80'         # host:container
      - '443:443'       # host:container
    depends_on:
      - roundcubemail
    links:
      - roundcubemail
    volumes:
      - ./www:/var/www/html
      - ./nginx/templates:/etc/nginx/templates
      # Provide a custom nginx conf
      # - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      # If you need SSL connection, you can provide your own certificates
      # - ./certs:/etc/letsencrypt
      # - ./certs-data:/data/letsencrypt
      - /etc/letsencrypt:/etc/letsencrypt

    environment:
      - NGINX_HOST=mail.mydomain.net  # set your local domain or your live domain
      - NGINX_PHP_CGI=roundcubemail:9000  # same as roundcubemail container name

What further steps need to be taken to make nginx use port 443 for TLS with this container?

Member

pabzm commented Dec 11, 2024

Thank you for bringing this up, I was wondering about those commented lines, too.

Because to me it would make sense to either leave TLS-certificates and -termination to an outside proxy, or handle TLS completely in the nginx-container, including certificate management.

@thomascube Can you maybe shed some light on the idea? You introduced those lines in ef6dfbe.

@nupulu To answer your actual question: With the current setup you need to extend the nginx config with a snippet like the following, and you need an additional program that generates and renews the certificates.

    listen              443 ssl;
    ssl_certificate     /etc/letsencrypt/PATH/TO/TLS_CERT.crt;
    ssl_certificate_key /etc/letsencrypt/PATH/TO/TLS_KEY.key;

Here's a blog post that explains it in detail: https://mindsers.blog/en/post/https-using-nginx-certbot-docker/

Author

nupulu commented Dec 14, 2024

Thanks for shedding some light on this. The referenced article does not fit the setup of nginx as it has been made for the Roundcube sample compose file for nginx. The sample compose file gives us ./nginx/templates/default.conf.template mounted as editable on the docker host.

That file is provided with this content in the roundcube container repository:

server {
    index index.php index.html;
    server_name php-docker.local;
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /var/www/html;

    location ~ /(temp|logs)/ {
        deny all;
        return 403;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass ${NGINX_PHP_CGI};
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}

What would be needed to be added to that file (./nginx/templates/default.conf.template)?

(Of course I could look inside the container image where the nginx config is, expose this to the host too, and then edit it. But what is then the use and idea of ./nginx/templates/default.conf.template if it is not extending the nginx configuration file?!) Keep in mind I have no idea whatsoever how to configure nginx.

@thomascube
Member

> @thomascube Can you maybe shed some light on the idea?

Not really, sorry. Probably just an (incomplete) hint on how to enable SSL support.

I think our examples should just focus on running Roundcube and leave out TLS as in most environments this is handled in a reverse proxy outside of the mail server container network. We could still add a link to existing guides like the one you just mentioned above.

Member

pabzm commented Dec 16, 2024

@nupulu You need the lines I posted, inside the server-block, adapted to your certificate paths. But with all due respect, if you don't know how to configure nginx, then maybe you should not change its config and instead use a reverse proxy to provide the TLS-encryption.
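
As an added example (not part of the original thread and not the project's shipped template), this is how the three TLS lines fit into the ./nginx/templates/default.conf.template quoted earlier. It assumes certbot's default live/ layout with a certificate issued for the NGINX_HOST name; the port-80 redirect block, the ssl_protocols line and the use of ${NGINX_HOST} in server_name are additions that do not appear in the thread.

```nginx
# Added example; assumptions are marked in the comments below.

# Plaintext listener: serves nothing itself, only redirects to HTTPS.
server {
    listen 80;
    server_name ${NGINX_HOST};          # assumption: NGINX_HOST from the compose file
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ${NGINX_HOST};

    # Assumption: certbot default paths. live/ only holds symlinks into
    # ../archive/, so the whole /etc/letsencrypt tree must be mounted
    # (as in the compose file above), not just the live/ directory.
    ssl_certificate     /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    index index.php index.html;
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /var/www/html;

    # Unchanged from the quoted template: block direct access to temp/ and logs/.
    location ~ /(temp|logs)/ {
        deny all;
        return 403;
    }

    # Unchanged from the quoted template: hand PHP requests to the FPM container.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass ${NGINX_PHP_CGI};
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}
```

The nginx image renders templates only at container start, so the container has to be restarted after editing the file; `docker exec roundcubenginx nginx -t` then checks the rendered configuration.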

Member

pabzm commented Dec 16, 2024

@thomascube Thank you for the info! I agree to remove those bits, will post a pull request later. 👍

Author

nupulu commented Dec 16, 2024

It works now.

Member

pabzm commented Dec 17, 2024

Nice! Thanks again for bringing this up, it had been itching me for a while!

I'll close this ticket accordingly. If you have other problems let us know!

pabzm closed this as completed Dec 17, 2024

Author

nupulu commented Dec 17, 2024

Well, would it be nice to provide a ./nginx/templates/default.conf.template that already contains the required config lines as comments? That spares people the need to investigate to find this thread.
