RocketChat add SSL using docker and nginx

[lights7]

A server usually is busy with different services. In case port 80 and 443 is already used by other service, such as webserver etc, how to add a https (SSL) port to RocketChat. We will choose port 8443, because it proxied by Cloudflare, so that the ip of RocketChat can be hidden behind Cloudflare.

1. Install RocketChat using docker

Assume you already installed docker, download the example docker-compose.yml from here,

I chose /srv/rocket.chat for the installation folder. Copy compose.yml to there,

Comment the labels and traefik
# labels:
# traefik.enable: "true"
# traefik.http.routers.rocketchat.rule: Host(${DOMAIN:-})
# traefik.http.routers.rocketchat.tls: "true"
# traefik.http.routers.rocketchat.entrypoints: https
# traefik.http.routers.rocketchat.tls.certresolver: le
change ROOT_URL to
ROOT_URL: https://example.domain.com #change the domain to your domain
change ports to (may not need to change)
ports:
- 3000:3000
change the latest to the latest stable version, such as 6.2.8, keep the "-"
RELEASE:-latest

Basically, install RocketChat use docker about the same as the official document, same as the .env file, follow the guidance in the link.

add
127.0.0.1 example.domain.com example
to /etc/hosts, change according to your domain name.

run the following command to install RocketChat and mongodb
docker compose up -d

use
docker logs container-name to check the log
use
curl 127.0.0.1:3000 to check if local port 3000 is open. If not, some thing is wrong, need further debug.

2. Nginx reverse proxy and docker for RocketChat

In a folder /srv/rocket.chat, mkdir ui (you can name the folder differently)
create docker_compose.yml in ui as follow:

services:
rocketchatui:
image: nginx:latest
network_mode: "host"
restart: always
volumes:
- /srv/rocket.chat/ui/nginx/default.conf:/etc/nginx/conf.d/default.conf
- /srv/rocket.chat/cert/:/etc/nginx/certs/

You can change rocketchatui and image name nginx, you can change latest to the version number you choose.
Next
mkdir ui/nginx
create default.conf under /srv/rocket.chat/ui/nginx as follow:

Upstreams

upstream backend {
server 127.0.0.1:3000;
}

server {
listen 8443 ssl;
server_name example.domain.com; #change the domain to yours

server_name localhost;

# You can increase the limit if your need to.
client_max_body_size 200M;

#force ssl

ssl on; this option is dropped after nginx 1.20, changed to listen port ssl;

ssl_certificate      /etc/nginx/certs/certification.crt;
ssl_certificate_key  /etc/nginx/certs/keyfile.key;

ssl_session_timeout  5m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE

ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

ssl_prefer_server_ciphers  on;

access_log  /var/log/nginx/host.access.log;
error_log  /var/log/nginx/host.error.log;
location / {
    proxy_pass http://backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Nginx-Proxy true;

    proxy_redirect off;
}

}

Now create a cert folder under /srv/rocket.chat and add the certification file and key file obtained from Cloudflare or Letsenscrypt or self generated. Will not cover how to get certification and key here.

Create/Copy certification and key file to folder /srv/rocket.chat/cert, same as file name certification.crt and keyfile.key, change it accordingly in the default.conf if rename them.

then under folder /srv/rocket.chat/ui, run the command
docker compose up -d

Again, use docker logs contain-name to check logs.
Otherwise you should be able to access rocket chat from both http://example.domain.com:3000
and https://example.domain.com:8443

However only the 8443 port is SSL enabled, can be used for mobile login.
How if you want to hide your rocket.chat server behind Cloudflare in case you are from some country has no free speech,
You can switch your domain under Cloudflare from DNS only to Proxied. Now people cannot get access to port 3000 but still be able to get access to 8443. Note that Cloudflare SSL certificate is not trusted if DNS only, it only trusted by Cloudflare when using Proxied.

You can use this method not just for RocketChat, but also for other software packages.

I tried to use caddy or traefic to the same thing, however didn't success. If any one know how to use caddy and traefic to achieve the same goal, please let me know.