
Is there a way to configure docker run to use https? Something like:

docker run --https --certs xyz  myimage 

or do you have to configure that stuff within a Dockerfile/image? Likewise for TLS.

docker run --tls --certs xyz  myimage 

One advantage is we wouldn't have to copy the certs to the image - I'd rather avoid having the certs in the image and/or running container.

Although I guess the best practice is to use the -v option to share the certs from the host into the container.

Update: after some research I found this: https://docs.docker.com/engine/security/https/

it says to start the docker daemon with something like this:

 dockerd --tlsverify --tlscacert=ca.pem \
   --tlscert=server-cert.pem --tlskey=server-key.pem \
   -H=0.0.0.0:2376

is this the right thing to do to secure all containers on the machine?

1 Answer


The dockerd tls options are for configuring the daemon to listen on a network port instead of, or in addition to, docker.sock. This is for docker API requests, not to reach your application, and not, I believe, what you are asking for.

It sounds like you are looking for TLS termination and forwarding the request to your application in HTTP. For that, there are various reverse proxies that can run in front of your container. Examples include nginx, traefik, haproxy, and I believe most, if not all, feature TLS termination. They do tend to focus on layer 7 and the HTTP protocol, so if you have other types of protocols, you may be forced into mounting the TLS credentials into your container, preferably as a secret, or at the worst, a read only volume.

BMitch
  • "tls termination"? –  May 24 '19 at 18:13
  • "TLS termination" means when some server in between you and the target will act as a target server for TLS connection. For example, you set up a TLS terminator in your home network on the router, so everyone connects through HTTPS/TLS to this router, then the router sees clear, unencrypted traffic, so it can analyze it or forward to some place that doesn't run HTTPS - your case. In corporate environments this traffic is analyzed for threats/misuse and later encrypted again and forwarded to the destination server. – adamczi Oct 09 '20 at 16:33
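As an added example (not code from the original question or answer, and not from any particular project), here is the reverse-proxy arrangement the answer describes: nginx terminates TLS and forwards plain HTTP to the application container over a private Docker network, and only the proxy container ever sees the certificate and key, which are bind-mounted read-only rather than copied into any image. The container names `app` and `edge`, the network name `web`, the image `myimage` listening on port 8080, the hostname `example.internal`, and the files under `./certs` are all assumptions. The second function, `deploy_direct_tls`, is the fallback the answer mentions for non-HTTP protocols, where the application must terminate TLS itself and the credentials go in through a read-only mount.

```shell
#!/bin/sh
# Added example, not from the original post: TLS termination in front of an
# application container with nginx, plus the read-only mount fallback.
# Assumed names: network "web", containers "app" and "edge", image "myimage"
# listening on APP_PORT, certificate files ./certs/server.crt and
# ./certs/server.key, hostname example.internal.
set -eu

APP_PORT=8080
CERT_DIR="${CERT_DIR:-$PWD/certs}"

# Render the nginx config that terminates TLS on 443 and forwards plain HTTP
# to the app container by its DNS name on the shared Docker network.
nginx_conf() {
  cat <<EOF
events {}
http {
  server {
    listen 443 ssl;
    server_name example.internal;
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    location / {
      proxy_pass http://app:${APP_PORT};
      proxy_set_header Host \$host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }
}
EOF
}

# Start the app with no published ports (reachable only on the private
# network), then the proxy, which is the only container with a host port and
# the only one that can read the private key. Both mounts are read-only.
deploy() {
  nginx_conf > nginx.conf
  docker network create web 2>/dev/null || true
  docker run -d --name app --network web myimage
  docker run -d --name edge --network web -p 443:443 \
    -v "$PWD/nginx.conf:/etc/nginx/nginx.conf:ro" \
    -v "$CERT_DIR:/etc/nginx/certs:ro" \
    nginx:stable
}

# Fallback for non-HTTP protocols: the application terminates TLS itself, so
# the credentials are bind-mounted read-only (or delivered as a Docker secret
# under Swarm) instead of being baked into the image. TLS_CERT/TLS_KEY are
# assumed environment variables that myimage would read; adjust for your app.
deploy_direct_tls() {
  docker run -d --name app -p 8443:8443 \
    -v "$CERT_DIR:/run/tls:ro" \
    -e TLS_CERT=/run/tls/server.crt -e TLS_KEY=/run/tls/server.key \
    myimage
}

# Only touch docker when explicitly asked to.
case "${1:-}" in
  deploy) deploy ;;
  direct) deploy_direct_tls ;;
esac
```

Run it as `sh tls-edge.sh deploy` once `./certs/server.crt` and `./certs/server.key` exist; `sh tls-edge.sh direct` starts only the application with the credentials mounted. Note that the `app` container in the proxied layout publishes no ports at all, so the only path to it from outside the host is through the TLS endpoint on 443, and `docker inspect app` will show an empty `Mounts` list, which is the property the question was after.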