Enable SSL/TLS in NGINX and Postgres
This guide explains how to enable SSL/TLS encryption for the NGINX reverse proxy and PostgreSQL database services in your Dioptra deployment.
Prerequisites
Prepare Your Deployment - A configured Dioptra deployment (before running init-deployment.sh)
Use Docker Compose Override Files - Override file created
SSL certificate and private key files for each service you want to secure
(Optional) Add Custom CA Certificates - If using an internal CA
SSL/TLS Configuration
Step 1: Obtain Certificate Files
You will need a server certificate (server.crt) and private key (server.key) for each service.
These can be:
Obtained from a certificate authority (CA)
Generated using Let’s Encrypt
Self-signed certificates (for testing only)
Step 2: Copy Certificates to the Deployment
The certificate and key files must be named server.crt and server.key when copying them to the deployment directories.
For NGINX:
cp /path/to/your/nginx-certificate.crt ./ssl/nginx/server.crt
cp /path/to/your/nginx-private-key.key ./ssl/nginx/server.key
For Postgres:
cp /path/to/your/db-certificate.crt ./ssl/db/server.crt
cp /path/to/your/db-private-key.key ./ssl/db/server.key
You can use different certificate-key pairs for each service.
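As an added pre-flight check (this is not one of Dioptra's own scripts, and it assumes the openssl command-line tool is installed), the following shell functions copy a certificate-key pair into an ssl/<service>/ directory under the required names and verify that the certificate and private key actually belong together, that the certificate has not expired, and that the key is not group- or world-readable, so a bad pair is caught here rather than when the container fails to start:

```shell
#!/usr/bin/env bash
# Added example, not part of Dioptra. Assumes the openssl CLI is available.
# check_ssl_pair DIR: return 0 if DIR/server.crt and DIR/server.key are usable, 1 otherwise.
check_ssl_pair() {
    local dir="$1" crt="$1/server.crt" key="$1/server.key" rc=0
    # Both files must exist under exactly these names (Step 2).
    for f in "$crt" "$key"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # The certificate must parse and must not already be expired.
    openssl x509 -in "$crt" -noout >/dev/null 2>&1 || { echo "unreadable certificate: $crt"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || { echo "expired certificate: $crt"; rc=1; }
    # The public key embedded in the certificate must equal the public half of the private key;
    # NGINX and Postgres both refuse to start on a mismatched pair.
    if [ "$rc" -eq 0 ]; then
        local crt_pub key_pub
        crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ -n "$key_pub" ] || { echo "unreadable private key: $key"; rc=1; }
        [ "$crt_pub" = "$key_pub" ] || { echo "certificate and key do not match in $dir"; rc=1; }
    fi
    # Postgres rejects a private key that is readable by group or others (it wants 0600,
    # or 0640 only when root-owned), so insist on an owner-only mode here.
    local mode
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "private key $key has mode $mode; expected 600"; rc=1 ;;
    esac
    return "$rc"
}

# install_ssl_pair SRC_CRT SRC_KEY DEST_DIR: copy a pair into ssl/<service>/ with the
# required file names and a restrictive key mode, then verify it with check_ssl_pair.
install_ssl_pair() {
    local src_crt="$1" src_key="$2" dest="$3"
    mkdir -p "$dest"
    cp "$src_crt" "$dest/server.crt"
    cp "$src_key" "$dest/server.key"
    chmod 600 "$dest/server.key"
    check_ssl_pair "$dest"
}
```

Typical use is install_ssl_pair /path/to/nginx-certificate.crt /path/to/nginx-private-key.key ./ssl/nginx, followed by the same for ./ssl/db, before running init-deployment.sh.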
Step 3: Configure NGINX for SSL/TLS
If you are enabling SSL/TLS in NGINX, add the SSL port and update the health check in docker-compose.override.yml.
Open docker-compose.override.yml and add the following configuration for the NGINX service:
services:
  <deployment-name>-nginx:
    healthcheck:
      test:
        [
          "CMD",
          "/usr/local/bin/healthcheck.sh",
          "http://localhost:30080",
          "https://localhost:30443",
          "https://localhost:35000",
          "https://localhost:35050/login",
          "https://localhost:39000",
          "https://localhost:39001",
        ]
    ports:
      - "127.0.0.1:443:30443/tcp"
Note
Replace <deployment-name> with your deployment’s slugified name (default: dioptra-deployment).
Note
The ports: list in the override file appends to the existing ports in docker-compose.yml.
You only need to specify the new HTTPS port (443:30443).
The healthcheck: configuration replaces the existing health check to use HTTPS endpoints.
Step 4: Run the Initialization Script with SSL Flags
Run the initialization script with the appropriate SSL flags:
Enable NGINX SSL only:
./init-deployment.sh --branch <branch-name> --enable-nginx-ssl
Enable Postgres SSL only:
./init-deployment.sh --branch <branch-name> --enable-postgres-ssl
Enable both NGINX and Postgres SSL:
./init-deployment.sh --branch <branch-name> --enable-nginx-ssl --enable-postgres-ssl
Important
You must specify the --enable-nginx-ssl and --enable-postgres-ssl options each time you run the init-deployment.sh script.
If you omit them on a subsequent run, SSL/TLS will be disabled for the services.
Note
Replace <branch-name> with the Dioptra branch that matches your container images (e.g., main for releases, dev for development builds).
Learn More
See the README.md files in the ssl/db/ and ssl/nginx/ folders for additional details about certificate requirements.
See Also
Use Docker Compose Override Files - Docker Compose override file basics
Add Custom CA Certificates - Add custom CA certificates
Prepare Your Deployment - Full deployment customization