Great guide to setting up Ubuntu 16.04 using a Docker container for v1.8.x at Xibo 1.8.0 with Docker on Ubuntu 16.04.
I ran into one issue: I didn’t want to use LetsEncrypt because we already have a wildcard certificate that we purchased. LetsEncrypt is a great thing if you need a cert, I just didn’t need it in this case. Below is what I did to make it work with my purchased certificates.
Adding SSL Support
There are several ways you could add SSL support to this configuration.
The simplest is to install Apache on the host Ubuntu server and have it terminate SSL, then proxy the decrypted requests to the container over plain HTTP on the loopback interface. Because that hop is unencrypted, it is important that the container's HTTP port is never published on a public interface.
First, we need to stop the running CMS, since we’ll need port 80 for our Apache server.
cd /opt/xibo
docker-compose down
Let's now move Xibo on to a different port number.
We’ll be following the instructions in the manual here, under the “using different ports” heading:
http://xibo.org.uk/manual-tempel/en/install_cms.html
cp cms_custom-ports.yml.template cms_custom-ports.yml
vi cms_custom-ports.yml
Edit the “ports” section of the cms-xmr and cms-web services so that the file reads as follows:
version: "2.1"
services:
    cms-db:
        image: mysql:5.6
        volumes:
            - "./shared/db:/var/lib/mysql"
        restart: always
        environment:
            - MYSQL_DATABASE=cms
            - MYSQL_USER=cms
            - MYSQL_RANDOM_ROOT_PASSWORD=yes
        mem_limit: 1g
        env_file: config.env
    cms-xmr:
        image: xibosignage/xibo-xmr:release_1.8.0
        ports:
            - "9505:9505"
        restart: always
        mem_limit: 256m
        env_file: config.env
    cms-web:
        image: xibosignage/xibo-cms:release_1.8.0
        volumes:
            - "./shared/cms/custom:/var/www/cms/custom"
            - "./shared/backup:/var/www/backup"
            - "./shared/cms/web/theme/custom:/var/www/cms/web/theme/custom"
            - "./shared/cms/library:/var/www/cms/library"
            - "./shared/cms/web/userscripts:/var/www/cms/web/userscripts"
        restart: always
        links:
            - cms-db:mysql
            - cms-xmr:50001
        environment:
            - XMR_HOST=cms-xmr
        env_file: config.env
        ports:
            - "127.0.0.1:8080:80"
        mem_limit: 1g
So specifically, we changed the line:
ports:
    - "65500:9505"
to
ports:
    - "9505:9505"
and
ports:
    - "65501:80"
to
ports:
    - "127.0.0.1:8080:80"
Save your changes. That ensures XMR still listens on port 9505 as before, while the web service is published on port 8080 bound to the loopback interface only. Nothing outside the host can reach the container's plain-HTTP port directly; only Apache running on the same host can talk to it.
Bring the containers back up with those changes (from now on, always pass -f cms_custom-ports.yml so compose uses this file instead of the default docker-compose.yml):
docker-compose -f cms_custom-ports.yml up -d
Now let’s put an Apache server with an SSL certificate in front of that container:
apt-get install apache2
a2enmod proxy
a2enmod proxy_http
a2enmod ssl
Now edit the default Apache site config to create a reverse proxy to our container:
vi /etc/apache2/sites-available/000-default.conf
It should contain:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    RedirectMatch permanent /(.*) https://your-domain.url/$1
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/your-domain.url-wildcard.crt
    SSLCertificateKeyFile /etc/ssl/private/your-domain.url-wildcard.key
    SSLCertificateChainFile /etc/ssl/certs/GlobalSign_Intermediate_-_SHA256-G2.pem
</VirtualHost>
Save your changes. Upload your certificate files and copy them to their respective locations. The private key must be readable by root only (chmod 600 /etc/ssl/private/your-domain.url-wildcard.key); Apache reads it as root at startup, so no wider permissions are needed. Note that SSLCertificateChainFile is deprecated from Apache 2.4.8 onward (Ubuntu 16.04 ships 2.4.18); it still works, but the supported alternative is to append the intermediate certificate after your own certificate in the file named by SSLCertificateFile.
We will now need to make a few changes to the SSL engine in Apache. At a minimum you will need to disable SSLv3 to prevent the POODLE attack, exclude the RC4 cipher, and make Apache honour its own cipher order, so that the forward-secret ECDHE/DHE suites, which OpenSSL lists ahead of plain RSA key exchange, are chosen rather than whatever the client lists first.
To make these changes, we will need to edit the following file
vi /etc/apache2/mods-available/ssl.conf
First we change the following line:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
to:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
Second we will un-comment the following line:
#SSLHonorCipherOrder on
to:
SSLHonorCipherOrder on
Last we will change the following line:
SSLProtocol all
to:
SSLProtocol all -SSLv3 -SSLv2
This still permits TLS 1.0 and 1.1; if every player and browser that talks to the CMS supports TLS 1.2, you can tighten it further with -TLSv1 -TLSv1.1. (SSLv2 is not even compiled into Ubuntu 16.04's OpenSSL, so -SSLv2 is harmless but redundant.)
Save your changes. Check the configuration parses, then restart Apache:
apachectl configtest
service apache2 restart
Xibo CMS should now be available on port 443 with port 80 redirecting to 443.
If you’re using ufw, let's put a rule in for HTTPS traffic now:
ufw allow 443/tcp
One caveat: ports published by Docker (here 9505 for XMR) are reachable regardless of ufw, because Docker inserts its own iptables rules ahead of ufw's. The loopback binding on 8080 is what keeps the web container private, not the firewall, so don't remove it.
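To confirm the setup above actually ended up as intended, here is a small check script. It is an added example, not code from the original post or from the Xibo project, and it assumes the layout used above: the CMS container published on 127.0.0.1:8080, Apache terminating TLS on 443, and the edited file at /etc/apache2/mods-available/ssl.conf. It checks that port 8080 is not listening beyond loopback, that the three ssl.conf edits are in place, and (when given a hostname) probes the live proxy with openssl s_client to verify RC4 is refused and a forward-secret ECDHE suite is accepted.

```shell
#!/usr/bin/env bash
# Post-deployment checks for the Apache-in-front-of-Xibo setup described above.
# Added example, not code from the original post or from the Xibo project.
# Assumptions: the CMS container publishes 127.0.0.1:8080, Apache terminates TLS
# on 443, and the edited file is /etc/apache2/mods-available/ssl.conf.

# 1. Is a LISTEN socket for port $1 bound to anything other than loopback?
#    Reads `ss -ltn` output on stdin. Returns 0 if exposed, 1 if loopback-only.
port_exposed_off_loopback() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)   # strip ":port"
            if (lport == p && addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                exposed = 1
        }
        END { if (exposed) exit 0; exit 1 }'
}

# 2. Static check of the ssl.conf edits: SSLv3 off, RC4 excluded, server cipher
#    order honoured. Prints each failing check and returns the number of failures.
ssl_conf_problems() {
    conf="$1"; fails=0
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)
    [ -n "$proto" ] || proto="SSLProtocol all"        # Apache's default when unset
    # SSLv3 is enabled if it appears un-negated, or if "all" is used without -SSLv3
    if echo "$proto" | grep -Eq '(^|[[:space:]+])SSLv3' \
       || { echo "$proto" | grep -qw all && ! echo "$proto" | grep -q -- '-SSLv3'; }; then
        echo "SSLv3 still enabled: $proto"; fails=$((fails + 1))
    fi
    grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]].*!RC4' "$conf" \
        || { echo "SSLCipherSuite does not exclude RC4"; fails=$((fails + 1)); }
    grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$conf" \
        || { echo "SSLHonorCipherOrder is not on"; fails=$((fails + 1)); }
    return "$fails"
}

# 3. Live probes against the running proxy (network needed). RC4 must be refused,
#    an ECDHE suite accepted; SSLv3 is only probed if the local openssl still has it
#    (Ubuntu 16.04's OpenSSL is built without SSLv3, so -ssl3 is absent there).
tls_probe() {
    host="$1"
    probe() {   # $1 = label, $2 = accept|refuse, remaining args go to s_client
        label="$1"; expect="$2"; shift 2
        if openssl s_client -connect "$host:443" -servername "$host" "$@" \
               </dev/null >/dev/null 2>&1; then got=accept; else got=refuse; fi
        if [ "$got" = "$expect" ]; then echo "ok   $label"; else echo "FAIL $label (got $got)"; fi
    }
    probe "RC4 refused"              refuse -cipher RC4
    probe "ECDHE (forward secrecy)"  accept -cipher ECDHE
    if openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        probe "SSLv3 refused" refuse -ssl3
    fi
}

# Usage: check-xibo-ssl.sh your-domain.url   (nothing runs when no host is given)
if [ -n "${1:-}" ]; then
    ss -ltn | port_exposed_off_loopback 8080 && echo "WARNING: port 8080 is reachable beyond loopback"
    ssl_conf_problems /etc/apache2/mods-available/ssl.conf || echo "$? problem(s) in ssl.conf"
    tls_probe "$1"
fi
```

Run it as root on the host after the Apache restart. Remember that the 8080 check reads the host's own socket table: a Docker-published port that was bound without the 127.0.0.1 prefix shows up there as 0.0.0.0:8080 or :::8080 and would be reachable from outside regardless of any ufw rule.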