setting up a drone server to use TLS/SSL

Question

The default installation instructions show how to set up a server on port 80 using HTTP and WS (i.e. unencrypted).

The agent installation shows that TLS enabled servers are possible (I'l link here, but I'm not allowed).

The server configuration options show that DRONE_SERVER_CERT and DRONE_SERVER_KEY are available http://readme.drone.io/0.5/install/server-configuration/

Are there any fuller instructions to set this up? e.g. have port 80 forward to port 443 and have all agents talking to the server over encrypted channels.

Answer 1

If you were using certificates with drone 0.4 it will be the same configuration, although the names perhaps changed slightly. You will need to pass the following variables to your container:

DRONE_SERVER_CERT=/path/to/drone.cert
DRONE_SERVER_KEY=/path/to/drone.key

These certificates will exist on your host machine, which means their paths need to be mounted into your drone server:

--volume=/path/to/drone.cert:/path/to/drone.cert
--volume=/path/to/drone.key:/path/to/drone.key

You can also instruct Docker to expose 443 and forward to drone's default port 8000

-p 443:8000

When you configure the agent, you will of course need to update the configuration to use wss. You can read more in the agent docs, but essentially something like this:

DRONE_SERVER=wss://drone.server.com/ws/broker

And finally, if you get cert errors I recommend including the cert chain in your bundle. Bottom line, drone does not parse certs. Drone uses http.ListenAndServeTLS(cert, key). So any cert issues are coming from the standard library directly, and questions should therefore be directed to the Go support channels.