HTTPS access enabling issue

Hello,

I’m new to Docker, so maybe someone could advise me on how to properly enable HTTPS access?

I’m trying to enable HTTPS access to our Speckle server using certificates from a local CA.
Before any changes related to enabling HTTPS were made, HTTP access worked fine and I could access the Speckle server web portal.

Speckle server is running on Ubuntu 24.04. Speckle version is 2.23.4.
Traefik is used for HTTPS enabling.

The issue occurs after I update the “reverse-proxy” and “speckle-ingress” parts in the docker-compose.yml file:

  • The Speckle web portal can’t be reached using either HTTP or HTTPS (even if all containers are running and healthy).

The reverse-proxy and speckle-ingress syntax (from the docker-compose.yml file) is presented below:

reverse-proxy:
  image: traefik:v2.10
  restart: always
  command:
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entrypoints.websecure.address=:443"
    - "--api=true"
    - "--api.dashboard=true"
    - "--log.level=INFO"
    - "--entrypoints.web.address=:3000"
    - "--entrypoints.websecure.http.tls=true"
    - "--entrypoints.websecure.http.tls.certificates[0].certFile=/cert/speckletestubuntu24.crt"
    - "--entrypoints.websecure.http.tls.certificates[0].keyFile=/cert/speckletestubuntu24.key"

  ports:
    # The HTTPS port (required for Traefik to listen to HTTPS requests)
    - "443:443"
    # The Traefik Web UI port if enabled by --api.insecure=true
    - "8080:8080"

  volumes:
    - "/etc/ssl/speckle:/certs:ro"
    # So that Traefik can listen to the Docker events
    - "/var/run/docker.sock:/var/run/docker.sock:ro"

speckle-ingress:
  image: speckle/speckle-docker-compose-ingress:2
  restart: always
  ports: []
  # - "0.0.0.0:80:8080" # Needs to be removed according to the guide
  environment:
    FILE_SIZE_LIMIT_MB: "100"
    NGINX_ENVSUBST_OUTPUT_DIR: "/etc/nginx"
  labels:
    - "traefik.enable=true"
    # TODO: replace example.com with your domain. This should just be the domain, and do not include the protocol (http/https).
    - "traefik.http.routers.speckle-ingress.rule=Host(mydomain.net)"
    - "traefik.http.routers.speckle-ingress.entrypoints=websecure"
    - "traefik.http.routers.speckle-ingress.tls.certresolver=myresolver"
    - "traefik.http.services.speckle-ingress.loadbalancer.server.port=8080"
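
A consistency check over the compose file above, added here as an example and not part of the original post or the Speckle project: it flags certificate paths that fall outside every mounted volume, and router labels that name a certificate resolver no Traefik flag defines. The function names and the regex-based parsing are assumptions of this example; the sample text is constructed from lines of the posted configuration.

```python
import posixpath
import re

# Constructed sample: the relevant lines of the compose file from the post above.
COMPOSE = """\
command:
  - "--entrypoints.websecure.http.tls.certificates[0].certFile=/cert/speckletestubuntu24.crt"
  - "--entrypoints.websecure.http.tls.certificates[0].keyFile=/cert/speckletestubuntu24.key"
volumes:
  - "/etc/ssl/speckle:/certs:ro"
  - "/var/run/docker.sock:/var/run/docker.sock:ro"
labels:
  - "traefik.http.routers.speckle-ingress.tls.certresolver=myresolver"
"""

def mount_targets(text):
    """Container-side paths of 'host:container[:mode]' bind mounts."""
    return re.findall(r'^\s*-\s*"?/[^:"\s]*:(/[^:"\s]*)', text, re.M)

def cert_paths(text):
    """File paths passed through certFile= / keyFile= flags."""
    return re.findall(r'(?:certFile|keyFile)=([^"\s]+)', text)

def is_under(path, mount):
    """True if path is the mount point itself or lies inside it."""
    path, mount = posixpath.normpath(path), posixpath.normpath(mount)
    return path == mount or path.startswith(mount.rstrip("/") + "/")

def lint(text):
    """Return a list of human-readable findings (hypothetical helper)."""
    findings = []
    mounts = mount_targets(text)
    for p in cert_paths(text):
        if not any(is_under(p, m) for m in mounts):
            findings.append(f"{p}: not inside any mounted volume {mounts}")
    defined = {n.lower() for n in re.findall(r'--certificatesresolvers\.([\w-]+)\.', text, re.I)}
    for name in sorted(set(re.findall(r'tls\.certresolver=([\w-]+)', text))):
        if name.lower() not in defined:
            findings.append(f"certresolver '{name}': referenced by a router label but never defined")
    return findings

if __name__ == "__main__":
    for finding in lint(COMPOSE):
        print("FINDING:", finding)
```
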

Hello @mrsu, we have a standing policy - which we sometimes ignore at our own peril - to not help debugging other people’s deployments, as it’s a messy mostly unsuccessful adventure (we don’t have access to your setup) with a lot of back and forth and indirection, pasted logs that are not the correct ones, etc.

Why don’t you go for a simple canonical deployment that’s open to the internet, and use Let’s Encrypt? You can make your server invite-only afterwards to restrict users to COWI employees later, and set up Entra ID too since you control the whole stack.

@mrsu - I will also add that Speckle has not been tested to work with a self-signed certificate.

Some components of Speckle make an HTTPS call to the server container via the canonical URL. When presented with a self-signed certificate they would need to verify that against their list of trusted certificates. We haven’t yet provided a mechanism to mount new trusted certificates and ensure the caller has access to them. It may work by mounting a volume to the docker compose container, but this is untested behaviour.

Hope this helps.