How do I enable HTTPs for an API hosted in Docker

Question

I have an API written in C# hosted in a DOCKER Container. It is accessible by calling http://server:port/api .. I want to enable it for HTTPS. Where do I make this change? In docker? In IIS? Do I need a certificate?

Sorry but I am very new to HTTPs and Docker.

Answer 1

You should not add the https to your docker container. The question at this point is, how you want to run your application in the future. The most simple solution would be to run you application in any cloud environment or Kubernetes cluster. But I'm not sure if you have already the experience for this. But you get the https integration for free for this environments by lets encrypt certificates and a cert-manager.

For your question a simple answer is not possible because the limited amount of informations about your environment. I suspect you will use windows with an iis and a local docker installation.

The https should be a layer, that is set on top of your application endpoint. That means you may add a https endpoint by iis and adding a certificate to this new https endpoint.

1. Yes, you will need a ssl certificate. This is used to provide by any http server like nginx, apache or iis the tls encryption. The configuration is not so simple if you are doing this for the first time. A simple guide my be here.

2. You need to route the incoming traffic from the https to the docker container. This might help you. You just route the https endpoint against you application http://server:port

3. The final question is, where you want to get the certificate for your https endpoint. You have several options here. Personally I would us a cert-manager, that will finally get and install the lets encrypt certificate. This is for free. You may use docker containers or local applications as well. You fine some infos for windows here too.

But you can also buy any tls certificate for an Webserver from any certificate authority. This is your choice.

Answer 2

You should implement it in a higher layer P.E in a reverse proxy by using Nginx or Apache. Or even, if you are deploying in a cloud environment, you could use an Application Load Balancer for this and apply the certificate directly to it.

In case you use, for example, NGinx, you can even deploy it as a Docker container which would receive all the requests, and then, redirect them to the specific container based on the URL Pattern.

P.E

• /api -> API Docker Container
• / -> Your Frontend Container (Client)
• /auth -> A auth app container (Keycloak, for example)

An NGINX Config file which would let you do this can look like this.

user  nginx;
worker_processes  1;

events {
   worker_connections  1024;
}

http {
include       /etc/nginx/mime.types;
default_type  text/html;


upstream client{
    server frontend:4200;
}

upstream api{
   server backend:80;
}

upstream auth{
    server auth:80 ;
}


server {
    listen 443;
    ssl_certificate    <your cert path>; 
    ssl_certificate_key    <your cert key>;

    location / {
        proxy_pass http://client;
    }


    location ~ ^/api {
        proxy_pass http://api;
    }

    location ~ ^/auth { 

        proxy_pass http://auth;

        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }

  }

}

The names that you give on the upstream section would be the names that refer to your specific container.

Answer 3

If you are using IIS, Just do the steps in below:

1. open IIS manager
2. click your application
3. In right menu (Actions) click on Bindings
4. Type: https and use the port you defined it before.

Answer 4

Don't use your hosting environment or application layer for https implementation. Use reverse proxies to implement HTTPS and proxy requests to your application layer using http protocol. It increases portability/ single responsibility/ (maybe performance) of your containerized application.

Some of useful reverse proxies for https implementation:

• Nginx
• Envoy
• Apache reverse proxy