When setting up Rancher via its Docker container, you are not able to configure SSL termination out-of-the-box. Instead, the Rancher documentation gives some advice on how to set up SSL termination via nginx or Apache. But why would you install such a service on the host when Rancher itself is running in a container? Ideally the SSL proxy would also run in a container. Searching on Docker Hub for a solution, I found the dictcp/rancher-ssl image, which provides exactly that. The setup is trivial.
Just launch your Rancher server instance like this:
docker run -d --name rancher-server -v /srv/rancher:/var/lib/mysql --restart=unless-stopped rancher/server
# --name rancher-server is required, because the SSL proxy container links to it under that name
# (the image name rancher/server is the Rancher 1.x server image; it was missing from the command as quoted)
It is important not to publish any ports on this container; that is done by dictcp/rancher-ssl, which you launch like this:
docker run --restart=always -p 80:80 -p 443:443 \
  --link rancher-server:rancher-server --name rancher-ssl -d \
  -e EMAIL=email@example.com -e DOMAIN=rancher.mydomain.de \
  -v /etc/letsencrypt:/etc/letsencrypt dictcp/rancher-ssl
It is important to link both containers together and to make sure that the link is called "rancher-server". This is the hostname that the nginx instance running inside the dictcp/rancher-ssl container uses to connect to Rancher. Since the container runs Let's Encrypt in the background, there is no need to mount an SSL certificate into the container; simply set the environment variables EMAIL and DOMAIN to match your needs.
For a quick test this is a good solution. However, we ended up building our own version of the SSL proxy that contains our company-internal SSL certificate: there is no need to communicate with Let's Encrypt and, even better, we do not need to expose any ports publicly just so that Let's Encrypt can reach the internal instance.
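As an added example of such an in-house proxy (this is not the author's build and not the configuration shipped in dictcp/rancher-ssl), here is an nginx configuration that terminates TLS with a mounted company certificate and forwards to the linked rancher-server container. It assumes Rancher listens on port 8080 inside its container, that the certificate and key are mounted under /etc/nginx/certs/ (hypothetical paths), and that rancher.mydomain.de is the internal hostname:

```nginx
# Upstream is the linked container; "rancher-server" resolves through the Docker link.
# Port 8080 is Rancher's default listener inside the container (assumption).
upstream rancher {
    server rancher-server:8080;
}

# Rancher's UI uses WebSockets (exec shell, logs); pass the Upgrade header through.
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name rancher.mydomain.de;

    # Company-internal certificate, mounted into the container (hypothetical paths).
    ssl_certificate     /etc/nginx/certs/rancher.crt;
    ssl_certificate_key /etc/nginx/certs/rancher.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://rancher;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Keep long-lived shell sessions open (default 60s would cut them off).
        proxy_read_timeout 900s;
    }
}

# Plain HTTP only redirects to HTTPS; nothing is served in clear text.
server {
    listen 80;
    server_name rancher.mydomain.de;
    return 301 https://$server_name$request_uri;
}
```

Because the certificate is baked in or mounted rather than obtained from Let's Encrypt, ports 80 and 443 only need to be reachable from the internal network.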