Overview

 
Sooner or later we all end up having to share a password with someone. But how do you do it? Email it? Phone it in? Text it? Each of those leaves a copy sitting in a mailbox, a voicemail or a phone that you no longer control.
 
Luckily, I have just the solution: Docker, d-note, and Nginx.
 

Let's get started.

 
We are going to be using two Docker images for this:
drmurx/docker-d-note – d-note, a self-destructing note-sharing web application. The note lives on our own server and goes away after it is read, so nothing lingers in anyone's mailbox.
mnuessler/tls-termination-proxy – an Nginx-based proxy that terminates our TLS (HTTPS) traffic and forwards the decrypted HTTP requests to d-note, which itself only speaks plain HTTP.

 
Let's pull both images. Take note of the sha256 digests in the output: latest is a moving tag, and pinning by digest (image@sha256:...) is how you make sure the image you deploy later is the one you looked at today.

[root@box ~]# docker pull mnuessler/tls-termination-proxy
Trying to pull repository docker.io/mnuessler/tls-termination-proxy ... 
latest: Pulling from docker.io/mnuessler/tls-termination-proxy
8b87079b7a06: Pull complete 
a3ed95caeb02: Pull complete 
f8205edde0b8: Pull complete 
31429f1944a4: Pull complete 
42e7c58ef2df: Pull complete 
Digest: sha256:8fdf5012a8fd1a019a073ce2f612b32d1da05b7fd1294c54f5915f7ea807e23b
Status: Downloaded newer image for docker.io/mnuessler/tls-termination-proxy:latest
[root@box ~]# 
[root@box ~]# docker pull drmurx/docker-d-note
Using default tag: latest
Trying to pull repository docker.io/drmurx/docker-d-note ... 
latest: Pulling from docker.io/drmurx/docker-d-note
0a8490d0dfd3: Pull complete 
c12ecb2121f1: Pull complete 
dd22ce677ace: Pull complete 
477ca3679243: Pull complete 
Digest: sha256:efb8a63a98330d0fc3ec964a314f0955f358fa282414985e4636c6b595a1837d
Status: Downloaded newer image for docker.io/drmurx/docker-d-note:latest
[root@box ~]# 

 

Make our TLS certificate:

[root@box certs]# cd /etc/pki/tls/certs
[root@box certs]# ./make-dummy-cert localhost.pem
[root@box certs]#

 
We will pass this file to the TLS proxy container. make-dummy-cert writes the private key and a self-signed certificate into that one file, which is what we need, because we only mount a single /cert.pem into the proxy. If you have your own certificate, feel free to use it instead, but put the key and the certificate together in one PEM file and pass that path in the -v parameter later in place of this one. Keep in mind that a dummy self-signed certificate only buys you encryption: the people you send notes to have no way to tell your proxy from an impostor, so for anything beyond a lab, use a certificate their browsers already trust.

 
Now let's run the d-note container:

[root@box ~]# docker run --detach --publish 8080:8080 --name dnote drmurx/docker-d-note
daedbd20a5b1750b6b0ebe1121e88c3dc099967549fad50d348611f858a2823b
[root@box ~]# 

 
If port 8080 is open on the host, you can reach d-note over plain HTTP to confirm it is working. Note that we named this container "dnote"; the proxy will find it by that name. Remember that this port carries the notes in cleartext, and --publish 8080:8080 binds it on every host interface, so do not leave it that way: once the proxy is working, recreate the container without --publish (the proxy reaches it over the Docker network, not through the host), or at least bind it to loopback only with --publish 127.0.0.1:8080:8080.

 
Next, we set up the TLS proxy:

[root@box ~]# docker run --detach -e HTTPS_UPSTREAM_SERVER_ADDRESS=dnote -e HTTPS_UPSTREAM_SERVER_PORT=8080 --publish 443:443 -v /etc/pki/tls/certs/localhost.pem:/cert.pem:ro --link dnote:dnote mnuessler/tls-termination-proxy
75e57bef1870d15fc0da053933af6f5d0e2d611041ea362122ad2a820461841e
[root@box ~]# 

 
If you notice, there are two variables.

  • HTTPS_UPSTREAM_SERVER_ADDRESS - the address we want to forward the decrypted traffic to.
  • HTTPS_UPSTREAM_SERVER_PORT - the port on that address.

In this case Docker knows about the other container because we named it "dnote" and linked it with --link. The syntax is $actual_name:$alias_name; the link adds an /etc/hosts entry for the alias inside the proxy container, which is why a bare hostname works as the upstream address. Since we don't need a different alias, we just reused the container name. (--link is a legacy feature; the modern equivalent is to put both containers on a user-defined network created with docker network create, where container names resolve through Docker's embedded DNS.)

 

Test our work.

So, we have port 443 mapped to the TLS proxy container. The proxy terminates the TLS session and forwards the unencrypted HTTP traffic to the UPSTREAM_SERVER; the only cleartext hop is between the two containers on the Docker bridge. From a second machine, fetch the page over HTTPS. The -k tells curl to skip certificate verification, which is only needed because we used a dummy self-signed cert; with a trusted certificate, drop -k so the test also confirms the chain is right.

[root@box2 ~]# curl -s -k https://box1/ | grep title
        <title>Self Destructing Notes</title>
[root@box2 ~]#
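The whole procedure above, as one script with the tightening a reviewer would ask for. This is an added example, not code from the original post or from either image's project: it pins both images by the digests `docker pull` printed above, replaces the legacy --link with a user-defined bridge network, gives the d-note container no published port at all, mounts the certificate read-only, and checks before starting anything that the single file mounted as /cert.pem holds both the private key and the certificate. The network name dnote-net, the container name dnote-proxy and the DOCKER variable (set DOCKER=echo to print the commands instead of running them) are assumptions of this example; the certificate path is the one the page uses.

```shell
#!/bin/sh
# Hardened re-run of this page's d-note + TLS proxy deployment. Added example,
# not code from the original post or from either image's project. Assumed (not
# from the page): the network name dnote-net, the container name dnote-proxy,
# and the DOCKER variable that swaps in `echo` for a dry run.
set -e

# Pin both images by the digests `docker pull` printed above, so a later push
# to the moving `latest` tag cannot change what we deploy.
DNOTE_IMAGE='drmurx/docker-d-note@sha256:efb8a63a98330d0fc3ec964a314f0955f358fa282414985e4636c6b595a1837d'
PROXY_IMAGE='mnuessler/tls-termination-proxy@sha256:8fdf5012a8fd1a019a073ce2f612b32d1da05b7fd1294c54f5915f7ea807e23b'
NETWORK='dnote-net'
CERT_PATH="${CERT_PATH:-/etc/pki/tls/certs/localhost.pem}"
DOCKER="${DOCKER:-docker}"   # DOCKER=echo prints the commands instead of running them

# Pre-flight: only one file is mounted into the proxy as /cert.pem, so it has to
# carry both the private key and the certificate (make-dummy-cert writes both
# into one file). Returns 0 when both PEM blocks are present, 1 otherwise.
check_pem_bundle() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "$pem: no CERTIFICATE block" >&2; return 1; }
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" \
        || { echo "$pem: no unencrypted PRIVATE KEY block" >&2; return 1; }
}

# d-note gets no --publish at all: only the proxy, on the same Docker network,
# needs to reach port 8080, so the cleartext listener never binds a host interface.
run_dnote() {
    "$DOCKER" run --detach --name dnote --network "$NETWORK" "$DNOTE_IMAGE"
}

# The proxy reaches d-note by container name through Docker's embedded DNS on the
# user-defined network, which replaces the legacy --link. The cert is mounted read-only.
run_proxy() {
    "$DOCKER" run --detach --name dnote-proxy --network "$NETWORK" \
        -e HTTPS_UPSTREAM_SERVER_ADDRESS=dnote \
        -e HTTPS_UPSTREAM_SERVER_PORT=8080 \
        --publish 443:443 \
        -v "$CERT_PATH:/cert.pem:ro" \
        "$PROXY_IMAGE"
}

deploy() {
    check_pem_bundle "$CERT_PATH"
    # Create the network only if it does not exist yet, so re-runs are safe.
    "$DOCKER" network inspect "$NETWORK" >/dev/null 2>&1 \
        || "$DOCKER" network create "$NETWORK"
    run_dnote     # start the upstream first so its name resolves when nginx loads
    run_proxy
}

case "${1:-}" in
    --deploy) deploy ;;
    *) ;;   # no flag: only define the functions (lets the file be sourced or tested)
esac
```

Run it as `./deploy-dnote.sh --deploy` on box1, or `DOCKER=echo ./deploy-dnote.sh --deploy` first to see exactly what it will run. After deploying, the HTTPS test from box2 above should still work, while `curl -s http://box1:8080/` from box2 should fail to connect, because d-note no longer has a port on the host at all.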