feat(infra): zero-config TLS for Nginx via Docker Compose profile#2579
Merged: crivetimihai merged 2 commits into main on Jan 30, 2026.
Conversation
Add a new `--profile tls` Docker Compose profile that enables HTTPS with zero configuration. Certificates are auto-generated on first run or users can provide their own CA-signed certificates.

Features:
- One command TLS: `make compose-tls` starts with HTTPS on port 8443
- Auto-generates self-signed certs if ./certs/ is empty
- Custom certs: place cert.pem/key.pem in ./certs/ before starting
- Optional HTTP->HTTPS redirect via `make compose-tls-https`
- Environment variable NGINX_FORCE_HTTPS=true for redirect mode
- Works alongside other profiles (monitoring, benchmark)

New files:
- infra/nginx/nginx-tls.conf: TLS-enabled nginx configuration
- infra/nginx/docker-entrypoint.sh: Handles NGINX_FORCE_HTTPS env var

New Makefile targets:
- compose-tls: Start with HTTP:8080 + HTTPS:8443
- compose-tls-https: Force HTTPS redirect (HTTP->HTTPS)
- compose-tls-down: Stop TLS stack
- compose-tls-logs: Tail TLS service logs
- compose-tls-ps: Show TLS stack status

Docker Compose additions:
- cert_init service: Auto-generates certs using alpine/openssl
- nginx_tls service: TLS-enabled nginx reverse proxy

Documentation:
- Updated tls-configuration.md with Quick Start section
- Updated compose.md with TLS section
- Added to deployment navigation
- Updated README.md quick start

Closes #2571

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Fix hard-coded :8443 port in HTTPS redirect that broke internal container-to-container calls.

Problem:
- External access via port 8080 correctly redirected to :8443
- Internal container calls (no port) also redirected to :8443
- But nginx_tls only listens on 443 internally, so internal redirects failed

Solution: Add a map directive that detects request origin based on Host header:
- Requests with :8080 in Host → redirect to :8443 (external)
- Requests without port → redirect without port, defaults to 443 (internal)

Tested:
- External: curl http://localhost:8080/health → https://localhost:8443/health ✓
- Internal: curl http://nginx_tls/health → https://nginx_tls/health (443) ✓

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
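The Host-header port detection that the fix commit describes, written out as an added nginx example (this is not the PR's own nginx-tls.conf); the 8080/8443 port pair and the service name nginx_tls are taken from the commit text, and the certificate paths are assumed:

```nginx
# Added example, not the project's nginx-tls.conf. Assumes the stack publishes
# HTTP on 8080 and HTTPS on 8443, while containers reach nginx_tls on 80/443.

# $http_host is the raw Host header, port included; $host has the port stripped.
# External clients send "localhost:8080", so their redirect must carry the
# published HTTPS port 8443. Container-to-container calls send a bare service
# name ("nginx_tls"), and https:// without a port already means 443, which is
# the only TLS port nginx_tls listens on inside the compose network.
map $http_host $https_port_suffix {
    default    "";        # no port in Host -> https://host/... (implicit 443)
    "~:8080$"  ":8443";   # Host ends in :8080 -> external, use published 8443
}

server {
    listen 80;
    server_name _;

    # $host echoes the client-supplied Host header (minus port). When the
    # public hostname is fixed, substitute that literal name here so the
    # redirect target is not derived from whatever Host value arrives.
    location / {
        return 301 https://$host$https_port_suffix$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name _;

    # Assumed mount point for the cert.pem/key.pem pair kept in ./certs/.
    ssl_certificate     /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;

    location / {
        # Assumed upstream; the real target is whatever nginx_tls proxies to.
        proxy_pass http://gateway:4444;
        proxy_set_header Host $host;
    }
}
```

With this map, `curl -I http://localhost:8080/health` returns a Location of https://localhost:8443/health, while `curl -I http://nginx_tls/health` from another container returns https://nginx_tls/health, matching the two cases the commit lists under "Tested".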
hughhennelly pushed a commit to hughhennelly/mcp-context-forge that referenced this pull request on Feb 8, 2026.
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request on Feb 24, 2026.
Summary
Implements zero-configuration TLS for the Docker Compose stack via a new `--profile tls` profile. This enables HTTPS with a single command, auto-generating self-signed certificates on first run.

- `make compose-tls` starts the stack with HTTPS on port 8443
- Self-signed certificates are auto-generated if `./certs/` is empty
- Custom certificates: place `cert.pem`/`key.pem` in `./certs/` before starting
- `make compose-tls-https` forces all HTTP traffic to HTTPS
- Works alongside other profiles (`--profile tls --profile monitoring`)

Changes
New Files
- `infra/nginx/nginx-tls.conf`: TLS-enabled nginx configuration
- `infra/nginx/docker-entrypoint.sh`: handles the `NGINX_FORCE_HTTPS` env var

Modified Files

- `docker-compose.yml`: `cert_init` and `nginx_tls` services with the `tls` profile
- `Makefile`: `compose-tls`, `compose-tls-https`, `compose-tls-down`, `compose-tls-logs`, `compose-tls-ps` targets
- `infra/nginx/Dockerfile`
- `docs/docs/deployment/tls-configuration.md`
- `docs/docs/deployment/compose.md`
- `docs/docs/deployment/.pages`
- `README.md`

Usage
Test plan
- `make compose-tls` starts stack with both HTTP:8080 and HTTPS:8443 working
- `make compose-tls-https` redirects HTTP requests to HTTPS (301)
- With certificates present in `./certs/`, the `cert_init` container correctly skips generation when certs exist
- Works alongside other profiles (`--profile tls --profile monitoring`)

Closes #2571