Internet Explorer is no longer supported. Many things will still work, but your experience will be degraded and some things won't function. Please use a modern browser such as Edge, Chrome, or Firefox.

HTTPS Support on Linux

view on GitHub

HTTPS is increasingly becoming a requirement inside of many organizations, even for internal-only web applications. It's also required by several third-party client tools, such as NuGet and Docker.

In this article, we'll provide two options for enabing HTTPS for ProGet, BuildMaster, and Otter when installed on Linux. For Windows-based installations, see HTTPS Support on Windows.

The simplest way to configure HTTPS is by using a reverse proxy to terminate TLS and forward requests to your Inedo product. This has the added benefit of allowing multiple websites and applications to be hosted on the same IP address.

Any HTTP reverse proxy can work, but four specific examples are provided below:

Name: Proxy Link: TLS:
Caddy Proxy TLS
NGINX Proxy TLS
Apache Proxy TLS
HAProxy Proxy TLS

Example: ProGet NGINX Config

server {
	listen 80;
	listen [::]:80;

	server_name "";

	return 301 https://`$http_host`$request_uri;
}
server
{
   listen 443 ssl;
   listen [::]:443 ssl;

   ssl_certificate /etc/ssl/cert/your_cert_com.crt;
   ssl_certificate_key /etc/ssl/cert/your_cert_com.key;

   server_name proget.domain.com;

   access_log /var/log/nginx/nginx.vhost.access.log;
   error_log /var/log/nginx/nginx.vhost.error.log;

   # Disable any limits to avoid HTTP 413 for large image uploads
   # ProGet requirement for VS to publish to ProGet 
   client_max_body_size 0;
   # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
   chunked_transfer_encoding on;

   location /
   {
       proxy_pass http://localhost:81;		# local server
       proxy_http_version 1.1;
       proxy_cache_bypass  $http_upgrade;

       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
	   proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Forwarded-Host $http_host;
       proxy_set_header X-Forwarded-Port $server_port;
   }
}

Configuring HTTPS without a Reverse Proxy

Instead of using a reverse proxy, you can configure HTTPS bindings directly in your Inedo Product. This allows you to mount a volume that contains your certificate files and specify your ".pem" file and ".key" file as environment variables in your Docker container.

To enable an HTTPS binding on your Docker container, you will need the following parameters added to your docker run command:

  • Mount the volume containing your certificates to /var/proget/ssl (ex: -v /path/to/pem/proget-ssl:/var/proget/ssl)
  • Expose the SSL port 443 externally (ex: -p 8625:443)
  • Change your binding URLs to include an HTTPS binding (ex: -e ASPNETCORE_URLS='http://*:80;https://*:443' )
  • Specify your certificate file using the SSL_CERT_FILE environment variable (ex: -e SSL_CERT_FILE='ProGetCertificate.pem')
  • Specify your key file usng the SSL_KEY_FILE environment variable (ex: -e SSL_KEY_FILE='ProGetCertificateServer.key')

Here is an example Docker run command that will expose HTTPS bindings on port 8625:

docker run -d --name=proget --restart=unless-stopped \
-v /home/user/proget-ssl:/var/proget/ssl \
-v /home/user/proget-packages:/var/proget/packages \
-p 8624:80 \
-p 8625:443 \
--net=inedo \
-e ASPNETCORE_URLS='http://*:80;https://*:443' \
-e SSL_CERT_FILE='ProGetCertificate.pem' \
-e SSL_KEY_FILE='ProGetCertificateServer.key' \
-e SQL_CONNECTION_STRING='Data Source=inedo-sql; Initial Catalog=ProGet; User ID=sa; Password=«YourStrong!Passw0rd»' \
proget.inedo.com/productimages/inedo/proget:latest