Andrew Graham-Yooll

Reputation: 2258

Is it good practice to have my site's cert.key and cert.pem in an Nginx Docker container?

Locally I have been developing with an Nginx container that has all the SSL configs and SSL certs within a directory.

However, now that I am about to move to prod, I'm curious if having the certs in the nginx container is good practice?

Alternatively, I could place the certs on the server directly.

Curious as to what the community thinks about this.

Upvotes: 0

Views: 401

Answers (2)

Giuseppe Scrivano

Reputation: 1635

You may want to take a look at Kubernetes Secrets to see how to share sensitive data with your containers. Newer versions of Docker (1.13) have a similar mechanism (docker secrets) to share secrets with containers.

Upvotes: 1

fishi0x01

Reputation: 3759

Personally, I would never put secrets inside a Docker image. Always mount them at container boot time. Prefer volume mounts over env_var, because env_var is accessible by all processes inside the container and more likely to be logged by the app.

Images should be considered shareable (across teams, envs, ...), but once you ship them with crucial secrets such as cert.pem, the shareable aspect is kind of dangerous.

Also, usually not every dev on your team needs to know your prod secrets, but they are likely to have access to the docker images.

Upvotes: 2
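
A check that follows from the answer above, as an added example that is not part of the original thread: scan an image archive (the tar written by `docker save`) for PEM private keys in any layer. The helper names and the sample image are constructed for illustration; the sample shows that a key copied in one layer stays readable even after a later layer deletes it.

```python
import io
import re
import tarfile

# PEM headers: PKCS#8, RSA, EC, ENCRYPTED and OPENSSH private keys.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")


def _files(tar):
    """Yield (name, bytes) for every regular file in an open tarfile."""
    for member in tar:
        if member.isfile():
            yield member.name, tar.extractfile(member).read()


def find_private_keys(image_tar_bytes):
    """Return sorted (layer, path) pairs where a layer holds a PEM private key."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes), mode="r:*") as image:
        for layer_name, blob in _files(image):
            try:
                layer = tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")
            except tarfile.TarError:
                continue  # manifest/config JSON, not a layer archive
            with layer:
                for path, data in _files(layer):
                    if PRIVATE_KEY_RE.search(data):
                        hits.append((layer_name, path))
    return sorted(hits)


def _make_tar(files):
    """Build an in-memory tar from {name: bytes}; only used for the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample image: layer1 copies the key in, layer2 "deletes" it (whiteout).
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED, NOT A REAL KEY\n-----END PRIVATE KEY-----\n"
SAMPLE_IMAGE = _make_tar({
    "manifest.json": b"[]",
    "layer1/layer.tar": _make_tar({"etc/nginx/ssl/cert.key": FAKE_KEY}),
    "layer2/layer.tar": _make_tar({"etc/nginx/ssl/.wh.cert.key": b""}),
})

print(find_private_keys(SAMPLE_IMAGE))
```

For a real image, pass the bytes of the archive produced by `docker save` to `find_private_keys`; an empty list is the result you want before pushing to a shared registry.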
