MediaWiki-Docker/Configuration recipes/Envoy

SSL Termination with Envoy on Docker

To put Envoy in front of MediaWiki as a TLS-terminating proxy, you need to perform three steps:

  • add a new service to your Docker Compose configuration
  • generate a TLS certificate and private key
  • create the Envoy configuration file

The configuration listed below lets you reach the wiki over HTTPS on port 8443. Additionally, it exposes the Envoy admin interface on port 9901. The admin interface has no authentication of its own, so this recipe is intended for local development; do not publish port 9901 on a host that is reachable from the network.

First, let's add a new service to our Docker Compose configuration. Depending on your setup, this is either the `docker-compose.yml` or the `docker-compose.override.yml` file.

docker-compose.override.yml
services:
  envoy:
    image: envoyproxy/envoy:v1.25-latest
    ports:
      - "8443:443"
      - "9901:9901"
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml
      - ./certs:/etc/envoy/certs
    depends_on:
      - mediawiki-web

Next, we need to generate a private key and certificate for the HTTPS listener. To create a new self-signed key/certificate pair, run the following commands in the root folder of your MediaWiki instance:

mkdir certs
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout certs/server.key -out certs/server.crt \
  -subj "/CN=localhost"
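The one-liner above produces a certificate that only names `localhost` in its CN; browsers and curl ignore the CN and require a subjectAltName, so they will still refuse the connection. The following script is an added example (not part of the original recipe) that generates the same pair with a SAN, restricts permissions on the key, and verifies that the key and certificate belong together before Envoy loads them. It assumes OpenSSL 1.1.1 or newer and the `certs/` directory the compose file mounts.

```shell
#!/usr/bin/env sh
# Added example: generate and sanity-check the self-signed pair Envoy will serve.
set -eu

# Same directory the compose file mounts at /etc/envoy/certs (overridable for tests).
CERT_DIR="${CERT_DIR:-certs}"

gen_cert() {
  mkdir -p "$CERT_DIR"
  # -addext adds the SAN that modern TLS clients insist on (OpenSSL >= 1.1.1).
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$CERT_DIR/server.key" -out "$CERT_DIR/server.crt" \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null
  # The private key is mounted into the container; keep it owner-readable only.
  chmod 600 "$CERT_DIR/server.key"
}

# Returns 0 when the public key inside the certificate matches the private key,
# i.e. the two files Envoy is pointed at really form one key pair.
keypair_matches() {
  k=$(openssl pkey -in "$CERT_DIR/server.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$CERT_DIR/server.crt" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the certificate carries a DNS SAN for localhost.
has_localhost_san() {
  openssl x509 -in "$CERT_DIR/server.crt" -noout -text | grep -q 'DNS:localhost'
}

# Returns 0 when the certificate stays valid for at least $1 more days
# (useful as a reminder before the 365-day self-signed cert silently expires).
valid_for_days() {
  openssl x509 -in "$CERT_DIR/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Returns 0 when the key file is not group- or world-readable.
key_is_private() {
  [ "$(find "$CERT_DIR/server.key" -perm -go+r | wc -l)" -eq 0 ]
}
```

With the SAN in place, `curl --cacert certs/server.crt https://localhost:8443/` validates the Envoy listener cleanly instead of needing `-k`.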

Finally, a sample Envoy configuration that terminates TLS on `0.0.0.0:443` and forwards the decrypted HTTP traffic to `mediawiki-web:8080`.

./envoy.yaml
static_resources:
  listeners:
    - name: https_listener
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: mediawiki_cluster
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      filename: "/etc/envoy/certs/server.crt"
                    private_key:
                      filename: "/etc/envoy/certs/server.key"

  clusters:
    - name: mediawiki_cluster
      connect_timeout: 1s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: mediawiki_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: mediawiki-web
                      port_value: 8080

admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901

To change how Envoy reaches your MediaWiki instance, update the `mediawiki_cluster` entry under `clusters` and replace the endpoint address `mediawiki-web` with the hostname or IP you are using.