frappe_docker/docs/03-production/01-tls-ssl-setup.md
RocketQuack 99d9a1dc38
feat: add nginx-proxy with acme companion as an alternative to traefik (#1800)
* refactor: move core nginx files into more recognizable folder structure

* chore: include HTTPS_PUBLISH_PORT in example .env

* feat: add nginx-proxy and acme-companion compose overrides

* docs: add NGINX_PROXY_HOSTS to example.env

* docs: add nginx-proxy overrides

* docs: split docs, variables for usage of traefik or nginx-proxy

* docs: update override notes for traefik proxy on separate stack

* docs: split TLS/SSL overview and add own caddy guide

* docs: add nginx-proxy + acme companion guide

* docs: add nginx-proxy and acme single-server setup guide
2026-02-06 09:56:28 +05:30

TLS/SSL Setup Overview

Frappe Docker supports multiple TLS/SSL approaches. Choose the one that matches your routing needs and where you want the proxy to run.

Options

Traefik (built-in HTTPS)

  • Use overrides/compose.https.yaml
  • Best for multi-site setups and advanced routing rules
  • Requires SITES_RULE and LETSENCRYPT_EMAIL
  • See Environment Variables and Setup Examples

Traefik deployment models

  • Single stack (Traefik inside the stack):
    • Use compose.proxy.yaml (HTTP) or compose.https.yaml (HTTPS)
    • Traefik runs as proxy in the same stack
  • Central Traefik for multiple stacks:
    • Run a dedicated Traefik stack with compose.traefik.yaml (and optional compose.traefik-ssl.yaml for the dashboard)
    • Each Frappe stack uses compose.multi-bench.yaml (and optional compose.multi-bench-ssl.yaml)
    • This connects stacks to the shared traefik-public network

nginx-proxy + acme-companion

  • Use overrides/compose.nginxproxy.yaml plus overrides/compose.nginxproxy-ssl.yaml
  • Simple host-based routing for single-bench or small setups
  • Requires NGINX_PROXY_HOSTS and LETSENCRYPT_EMAIL
  • See nginx-proxy + acme-companion

Traefik vs nginx-proxy + acme-companion

| Topic | Traefik (compose.https.yaml) | nginx-proxy + acme-companion |
| --- | --- | --- |
| Configuration | Labels with SITES_RULE expression | Environment variables (NGINX_PROXY_HOSTS) |
| Routing | Flexible (rules, headers, paths) | Host-based only |
| Multi-site | Strong | Works for simple host lists |
| TLS/ACME | Built-in | Separate companion container |
| Certificate storage | cert-data volume (/letsencrypt/acme.json) | nginx-proxy-certs + acme-data volumes (/etc/nginx/certs, /etc/acme.sh) |
| Complexity | Moderate | Low |
| Observability | Optional dashboard (not enabled here) | No built-in dashboard |

Caddy (external reverse proxy)

  • Run Caddy on the host and proxy to the frontend container
  • Useful for local HTTPS or when you already use Caddy
  • See Caddy reverse proxy

Common requirements

  • DNS must point to the server for public TLS certificates
  • Ports 80 and 443 must be reachable for HTTP-01 challenges
  • Use HTTP_PUBLISH_PORT and HTTPS_PUBLISH_PORT if you need non-default ports
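
The required variables listed for each option, together with the common requirements, can be checked against a .env file before the stack is started. The script below is an added example, not part of frappe_docker; the mode names `traefik` and `nginx-proxy` and the function names are hypothetical, and it checks only that values are present, not the syntax of SITES_RULE or NGINX_PROXY_HOSTS.

```shell
#!/bin/sh
# Added example (not from frappe_docker): preflight for a .env before TLS setup.
# The mode names "traefik" and "nginx-proxy" are labels chosen for this sketch.

# Print KEY's value from a dotenv file: last assignment wins, outer quotes stripped.
env_get() {
  sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one line per finding. Returns 1 on any ERROR, 2 on an unknown mode.
tls_preflight() {
  file=$1 mode=$2 rc=0
  case $mode in
    traefik)     required="SITES_RULE LETSENCRYPT_EMAIL" ;;
    nginx-proxy) required="NGINX_PROXY_HOSTS LETSENCRYPT_EMAIL" ;;
    *) echo "ERROR: unknown mode '$mode'"; return 2 ;;
  esac
  for key in $required; do
    if [ -z "$(env_get "$file" "$key")" ]; then
      echo "ERROR: $key is required for $mode but is unset or empty"; rc=1
    fi
  done
  # Rough shape check only; an empty value was already reported above.
  email=$(env_get "$file" LETSENCRYPT_EMAIL)
  case $email in
    ""|*?@?*.?*) ;;
    *) echo "ERROR: LETSENCRYPT_EMAIL does not look like an address: $email"; rc=1 ;;
  esac
  # Non-default publish ports are allowed, but 80 and 443 must still be reachable.
  for pair in HTTP_PUBLISH_PORT:80 HTTPS_PUBLISH_PORT:443; do
    key=${pair%%:*} default=${pair##*:}
    val=$(env_get "$file" "$key")
    if [ -n "$val" ] && [ "$val" != "$default" ]; then
      echo "WARN: $key=$val, but port $default must be reachable for HTTP-01"
    fi
  done
  return $rc
}

# Stand-alone use: sh tls-preflight.sh .env nginx-proxy
if [ "$#" -eq 2 ]; then tls_preflight "$1" "$2"; fi
```

A WARN line does not fail the check: a non-default publish port is fine when something in front of the host forwards public ports 80 and 443 to it.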