Deployment
Docker
Docker image
To deploy the CA, use the following Docker image:
harbor.confirm.ch/ca/ca
Docker command
To deploy the CA service with a plain docker run command, use the following CLI arguments:
docker run -d \
  --name ca \
  -e CA_DNS=ca.example.net \
  -e CA_NAME="Example CA" \
  -e CA_PROVISIONER=admin \
  -p 8443:8443 \
  -v ca:/ca \
  harbor.confirm.ch/ca/ca
Hint
It's recommended to deploy the CA service via Docker Compose.
Docker Compose
Use the following docker-compose.yml file to start the CA:
---
services:
  ca:
    image: harbor.confirm.ch/ca/ca
    environment:
      CA_DNS: ca.example.net
      CA_NAME: Example CA
      CA_PROVISIONER: admin
    ports:
      - '8443:8443'
    volumes:
      - ca:/ca
    restart: unless-stopped

volumes:
  ca:
Then bring the stack up with:
docker compose up -d
Reverse proxy
When running the CA service behind a reverse proxy, you should follow these rules:
- Remove all direct port mappings (i.e. 8443)
- Point your reverse proxy to port 8443 instead (the only exposed port)
- Pass TLS connections through to the CA; don't intercept them on the reverse proxy
- Disable strict SNI checking
- Put the CA into the same network as the proxy
Traefik
To run the CA service behind Traefik, add the following labels to the container:
services:
  ca:
    # … existing config (see chapter above)

    # Passthrough connections from Traefik directly to CA.
    labels:
      - traefik.enable=true
      - traefik.tcp.routers.ca.rule=HostSNI(`ca.example.net`)
      - traefik.tcp.routers.ca.tls.passthrough=true

    # Add CA to proxy network.
    networks:
      - proxy

# Make proxy network available for Compose service.
networks:
  proxy:
    external: true
Hint
If you have strict SNI checking enabled, create a new dynamic config such as this:
tls:
  options:
    sni-strict-disable:
      sniStrict: false
Then use the option as another label:
labels:
  # … existing labels
  # The option name must match the key defined in the dynamic config above.
  - traefik.tcp.routers.ca.tls.options=sni-strict-disable@file
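As an added check (example code, not part of the CA project or its documentation), the following Python function lints a Compose service against the reverse-proxy rules listed above and the Traefik labels from this section. It takes the compose file as the dict that yaml.safe_load() returns; the two sample configurations are constructed inline so the check runs offline.

```python
"""Lint a Compose service against the reverse-proxy rules for the CA.
Added example, not part of the CA project. `compose` is the dict that
yaml.safe_load() returns for a docker-compose.yml (samples constructed inline)."""

CA_SERVICE = "ca"          # Compose service name used in this chapter
PROXY_NETWORK = "proxy"    # external network shared with Traefik

def _kv(raw) -> dict:
    """Normalise a Compose list of 'KEY=value' strings or a mapping into a dict."""
    if isinstance(raw, list):
        return dict(item.split("=", 1) for item in raw)
    return {str(k): str(v) for k, v in (raw or {}).items()}

def check_reverse_proxy_rules(compose: dict) -> list:
    """Return the rules the CA service violates (empty list = compliant)."""
    service = compose.get("services", {}).get(CA_SERVICE, {})
    labels, env = _kv(service.get("labels")), _kv(service.get("environment"))
    problems = []
    if service.get("ports"):
        problems.append("direct port mapping present; remove it and let the proxy reach 8443")
    if labels.get("traefik.enable") != "true":
        problems.append("traefik.enable=true label missing")
    if labels.get("traefik.tcp.routers.ca.tls.passthrough") != "true":
        problems.append("TLS would be terminated on the proxy; set tls.passthrough=true")
    if labels.get("traefik.tcp.routers.ca.rule") != f"HostSNI(`{env.get('CA_DNS')}`)":
        problems.append("HostSNI rule does not match CA_DNS")
    if PROXY_NETWORK not in (service.get("networks") or []):
        problems.append("CA service is not attached to the proxy network")
    if not (compose.get("networks") or {}).get(PROXY_NETWORK, {}).get("external"):
        problems.append("proxy network is not declared as external")
    return problems

# Constructed samples: the Traefik layout from this chapter, and the plain
# Compose file from the "Docker Compose" section that still maps 8443 directly.
_ENV = {"CA_DNS": "ca.example.net", "CA_NAME": "Example CA", "CA_PROVISIONER": "admin"}
GOOD_COMPOSE = {
    "services": {CA_SERVICE: {
        "image": "harbor.confirm.ch/ca/ca", "environment": _ENV, "volumes": ["ca:/ca"],
        "labels": ["traefik.enable=true",
                   "traefik.tcp.routers.ca.rule=HostSNI(`ca.example.net`)",
                   "traefik.tcp.routers.ca.tls.passthrough=true"],
        "networks": [PROXY_NETWORK]}},
    "networks": {PROXY_NETWORK: {"external": True}}, "volumes": {"ca": None}}
BAD_COMPOSE = {
    "services": {CA_SERVICE: {"image": "harbor.confirm.ch/ca/ca", "environment": _ENV,
                              "ports": ["8443:8443"], "volumes": ["ca:/ca"]}},
    "volumes": {"ca": None}}
```

Running the check over the plain Compose file reports every rule it breaks, while the Traefik layout returns an empty list.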