Making Containerised Rundeck Instance Available Over HTTPS

Sean McGurk

Jan 10, 2025, 12:16:40 PM
to rundeck-discuss
Hi,

We are migrating from a Rundeck instance hosted on a VM to a containerised instance and I was wondering how I would configure SSL for the containerised instance.

I was able to follow the steps here: https://docs.rundeck.com/docs/administration/security/ssl.html

For the VM, i.e. import our existing SSL certificate into the keystore/truststore, set the configuration options, restart Rundeck and it was available over HTTPS.

However, it seems to work differently in the containerised version and I am at a loss as to how to get it to work in Docker.

Does anyone have any experience in successfully configuring this?

Thanks,
Sean

rac...@rundeck.com

Jan 10, 2025, 1:22:50 PM
to rundeck-discuss

Hi Sean,

The best practice for a containerized environment is to delegate the SSL stuff to a Load Balancer/Web Server. In fact, this is the main advice in any environment (check the “warning” section). Here is an example:

docker-compose.yml:

version: '3'
services:
  nginx:
    image: nginx:alpine
    container_name: nginx
    hostname: nginx
    restart: unless-stopped
    volumes:
      - ./config/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ./certs:/etc/nginx/certs
    ports:
      - 443:443
  rundeck:
    image: rundeck/rundeck:5.8.0
    ports:
      - 4440:4440
    environment:
      RUNDECK_GRAILS_URL: https://localhost:443
      RUNDECK_SERVER_FORWARDED: "true"

NGINX config: ./config/nginx.conf:

server {
    listen 443 ssl;
    server_name rundeck-cl;

    ssl_certificate /etc/nginx/certs/nginxcert.crt;
    ssl_certificate_key /etc/nginx/certs/nginx.key;

    location / {
        proxy_pass http://rundeck:4440;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}

In this example, the certificates (nginx.key and nginxcert.crt files) are located in the ./certs directory, as you see in the docker-compose.yml file.

Regards!

Sean McGurk

Jan 13, 2025, 5:10:55 AM
to rundeck-discuss
Thanks for this!

I had suspected as much but hoped to be able to do without the need for a web server but this makes perfect sense.

One more question: I have a number of Rundeck instances (all with the same certificate). Could the security certificate for all of these instances be served by a single nginx web server?

Thanks again!

rac...@rundeck.com

Jan 13, 2025, 6:30:40 AM
to rundeck-discuss
Hi Sean,

A good approach may be using different server blocks (web server side) or subdomains defined on the rundeck grails config side.

Regards.
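
The "different server blocks" approach from the reply above, as an added example that is not part of the thread: one nginx terminates TLS for two Rundeck containers using the same certificate. The hostnames rundeck-a.example.com and rundeck-b.example.com and the container names rundeck-a and rundeck-b are assumptions; the certificate must list both hostnames (or be a wildcard), and each instance's RUNDECK_GRAILS_URL should be set to its own https:// hostname.

```nginx
# Added example: ./config/nginx.conf for two Rundeck instances behind one nginx.
# Hostnames and container names are assumptions, not values from the thread.

# Shared certificate (same files as in the thread), set once at http level
# so every server block below inherits it.
ssl_certificate     /etc/nginx/certs/nginxcert.crt;
ssl_certificate_key /etc/nginx/certs/nginx.key;
ssl_protocols       TLSv1.2 TLSv1.3;

# Proxy settings from the thread's config, also set once. They are inherited
# by any location that defines no proxy_set_header of its own.
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade           $http_upgrade;
proxy_set_header Connection        "upgrade";
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Port  $server_port;

# Catch-all: refuse the TLS handshake for any name that matches no instance,
# so unknown hostnames never reach a Rundeck backend (nginx 1.19.4 or later).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Instance A (assumed name). Its RUNDECK_GRAILS_URL: https://rundeck-a.example.com
server {
    listen 443 ssl;
    server_name rundeck-a.example.com;
    location / {
        proxy_pass http://rundeck-a:4440;
    }
}

# Instance B (assumed name). Its RUNDECK_GRAILS_URL: https://rundeck-b.example.com
server {
    listen 443 ssl;
    server_name rundeck-b.example.com;
    location / {
        proxy_pass http://rundeck-b:4440;
    }
}
```

Because RUNDECK_SERVER_FORWARDED makes Rundeck honor the X-Forwarded-* headers, the Rundeck containers should be reachable only from nginx on the compose network, without publishing port 4440 on the host.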