This guide walks you through configuring TLS on your Coder for Docker deployment using a reverse proxy.
Requirements
- A machine with Docker Engine and Docker Compose installed
- A domain name
- An SSL/TLS certificate
(Optional) Step 1: Validate the Let's Encrypt DNS
If you already have a TLS certificate, you can skip this step.
This step shows you how to get a free TLS certificate for your domain. Your domain must be set up with a supported DNS provider.
- Create a docker-compose.yaml file with the code below (make sure that you replace the URL, DNSPLUGIN, and EMAIL variables with the appropriate values):
version: "3"
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    environment:
      - PUID=1000
      - PGID=1000
      - URL=<your-domain.com>
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      # No quotes here: in list form they would become part of the value
      - DNSPLUGIN=<dns-provider>
      - EMAIL=<your-email>
      - DHLEVEL=4096
    volumes:
      - "~/letsencrypt:/config"
    restart: unless-stopped
Leave the volumes section of the code snippet as-is. Docker will automatically create the ~/letsencrypt folder and populate it with the contents of the container. In this case, the contents will be .ini files for your DNS provider.
- Run docker-compose up -d, and navigate to ~/letsencrypt/dns-conf.
- Update your DNS provider's .ini file with the requested values.
- Restart the container by running docker-compose restart letsencrypt.
You should now see your TLS certificate file in ~/letsencrypt/etc/letsencrypt/live/example.com.
Step 2: Configure the Nginx reverse proxy and the Coder container
To properly start the NGINX reverse proxy, you'll need an nginx.conf file present on the host machine.
- Create a docker-compose.yaml file if you have not yet done so.
- Create an nginx folder in the same directory as your docker-compose.yaml file.
- Create an nginx.conf file inside of the nginx directory that includes the following code (make sure that you replace each <your-domain.com> string with your domain):

If you skipped Step 1, replace the ssl_certificate & ssl_certificate_key paths with the path to your certificate files.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    default_type application/octet-stream;

    # "upgrade" for WebSocket requests, "close" for everything else
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Plain-HTTP listener: requests on port 80 reach Coder unencrypted
    server {
        listen 80;
        listen [::]:80;
        server_name <your-domain.com>;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        location / {
            proxy_pass http://coder:7080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # TLS listener
    server {
        listen 443 ssl;
        server_name <your-domain.com>;

        # fullchain.pem holds the certificate plus the intermediates;
        # cert.pem alone leaves clients unable to build the chain
        ssl_certificate /letsencrypt/etc/letsencrypt/live/<your-domain.com>/fullchain.pem;
        ssl_certificate_key /letsencrypt/etc/letsencrypt/live/<your-domain.com>/privkey.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://coder:7080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

    sendfile on;
    keepalive_timeout 65;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
}
- Add the following code to your docker-compose.yaml file:
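  nginx:
    container_name: nginx
    hostname: reverse
    image: nginx
    ports:
      - 80:80
      - 443:443
    volumes:
      # Bind-mount the nginx folder created above; a bare "nginx" would be
      # read as a named volume, which this file does not declare
      - "./nginx:/etc/nginx"
      - "~/letsencrypt:/letsencrypt/"
  coder:
    hostname: coder
    image: codercom/coder:1.25.1
    container_name: coder
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/.coder:/var/run/coder
    ports:
      # Publishes Coder's plain-HTTP port on the host in addition to the proxy
      - 7080:7080
    environment:
      - DEVURL_HOST=*.<your-domain.com>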
The ~/letsencrypt:/letsencrypt/ volume definition is required only if you followed Step 1.
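A stricter variant of the two server blocks from the nginx.conf in Step 2, added here as an example and not part of the original guide: port 80 only redirects to HTTPS, and the TLS listener restricts protocol versions and sends HSTS. It assumes a current nginx image with TLS 1.3 support and that every client should reach Coder over HTTPS only; the paths and the <your-domain.com> placeholder are the guide's.

```nginx
# Goes inside the http { } block, in place of the two server blocks.
# Relies on the "map $http_upgrade $connection_upgrade" defined there.

# Port 80: never proxy to Coder, only redirect to the TLS listener.
server {
    listen 80;
    listen [::]:80;
    server_name <your-domain.com>;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name <your-domain.com>;

    # fullchain.pem = leaf certificate + intermediates
    ssl_certificate     /letsencrypt/etc/letsencrypt/live/<your-domain.com>/fullchain.pem;
    ssl_certificate_key /letsencrypt/etc/letsencrypt/live/<your-domain.com>/privkey.pem;

    # Refuse SSLv3, TLS 1.0 and TLS 1.1 handshakes
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Browsers remember to use HTTPS for this host for one year.
    # Enable only once HTTPS is confirmed working.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://coder:7080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

With the redirect in place, the 7080:7080 port mapping on the coder service is the only remaining plain-HTTP path to Coder from outside the host; nginx reaches coder:7080 over the Compose network without it.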
Step 3: Configure and access Coder
Now that NGINX and the Coder containers are configured, run your Docker Compose file:
docker-compose up -d
Finally, in the Coder UI, navigate to Manage > Admin > Infrastructure and provide your domain name in the Access URL field.
You should now be able to access Coder via your secure domain.