github.com/feiyang21687/docker@v1.5.0/docs/sources/articles/https.md (about) 1 page_title: Protecting the Docker daemon Socket with HTTPS 2 page_description: How to setup and run Docker with HTTPS 3 page_keywords: docker, docs, article, example, https, daemon, tls, ca, certificate 4 5 # Protecting the Docker daemon Socket with HTTPS 6 7 By default, Docker runs via a non-networked Unix socket. It can also 8 optionally communicate using a HTTP socket. 9 10 If you need Docker to be reachable via the network in a safe manner, you can 11 enable TLS by specifying the `tlsverify` flag and pointing Docker's 12 `tlscacert` flag to a trusted CA certificate. 13 14 In the daemon mode, it will only allow connections from clients 15 authenticated by a certificate signed by that CA. In the client mode, 16 it will only connect to servers with a certificate signed by that CA. 17 18 > **Warning**: 19 > Using TLS and managing a CA is an advanced topic. Please familiarize yourself 20 > with OpenSSL, x509 and TLS before using it in production. 21 22 > **Warning**: 23 > These TLS commands will only generate a working set of certificates on Linux. 24 > Mac OS X comes with a version of OpenSSL that is incompatible with the 25 > certificates that Docker requires. 26 27 ## Create a CA, server and client keys with OpenSSL 28 29 > **Note**: replace all instances of `$HOST` in the following example with the 30 > DNS name of your Docker daemon's host. 31 32 First generate CA private and public keys: 33 34 $ openssl genrsa -aes256 -out ca-key.pem 2048 35 Generating RSA private key, 2048 bit long modulus 36 ......+++ 37 ...............+++ 38 e is 65537 (0x10001) 39 Enter pass phrase for ca-key.pem: 40 Verifying - Enter pass phrase for ca-key.pem: 41 $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem 42 Enter pass phrase for ca-key.pem: 43 You are about to be asked to enter information that will be incorporated 44 into your certificate request. 45 What you are about to enter is what is called a Distinguished Name or a DN. 46 There are quite a few fields but you can leave some blank 47 For some fields there will be a default value, 48 If you enter '.', the field will be left blank. 49 ----- 50 Country Name (2 letter code) [AU]: 51 State or Province Name (full name) [Some-State]:Queensland 52 Locality Name (eg, city) []:Brisbane 53 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc 54 Organizational Unit Name (eg, section) []:Boot2Docker 55 Common Name (e.g. server FQDN or YOUR name) []:$HOST 56 Email Address []:Sven@home.org.au 57 58 Now that we have a CA, you can create a server key and certificate 59 signing request (CSR). Make sure that "Common Name" (i.e., server FQDN or YOUR 60 name) matches the hostname you will use to connect to Docker: 61 62 > **Note**: replace all instances of `$HOST` in the following example with the 63 > DNS name of your Docker daemon's host. 64 65 $ openssl genrsa -out server-key.pem 2048 66 Generating RSA private key, 2048 bit long modulus 67 ......................................................+++ 68 ............................................+++ 69 e is 65537 (0x10001) 70 $ openssl req -subj "/CN=$HOST" -new -key server-key.pem -out server.csr 71 72 Next, we're going to sign the public key with our CA: 73 74 $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \ 75 -CAcreateserial -out server-cert.pem 76 Signature ok 77 subject=/CN=your.host.com 78 Getting CA Private Key 79 Enter pass phrase for ca-key.pem: 80 81 For client authentication, create a client key and certificate signing 82 request: 83 84 $ openssl genrsa -out key.pem 2048 85 Generating RSA private key, 2048 bit long modulus 86 ...............................................+++ 87 ...............................................................+++ 88 e is 65537 (0x10001) 89 $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr 90 91 To make the key suitable for client authentication, create an extensions 92 config file: 93 94 $ echo extendedKeyUsage = clientAuth > extfile.cnf 95 96 Now sign the public key: 97 98 $ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \ 99 -CAcreateserial -out cert.pem -extfile extfile.cnf 100 Signature ok 101 subject=/CN=client 102 Getting CA Private Key 103 Enter pass phrase for ca-key.pem: 104 105 After generating `cert.pem` and `server-cert.pem` you can safely remove the 106 two certificate signing requests: 107 108 $ rm -v client.csr server.csr 109 110 With a default `umask` of 022, your secret keys will be *world-readable* and 111 writable for you and your group. 112 113 In order to protect your keys from accidental damage, you will want to remove their 114 write permissions. To make them only readable by you, change file modes as follows: 115 116 $ chmod -v 0400 ca-key.pem key.pem server-key.pem 117 118 Certificates can be world-readable, but you might want to remove write access to 119 prevent accidental damage: 120 121 $ chmod -v 0444 ca.pem server-cert.pem cert.pem 122 123 Now you can make the Docker daemon only accept connections from clients 124 providing a certificate trusted by our CA: 125 126 $ docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \ 127 -H=0.0.0.0:2376 128 129 To be able to connect to Docker and validate its certificate, you now 130 need to provide your client keys, certificates and trusted CA: 131 132 > **Note**: replace all instances of `$HOST` in the following example with the 133 > DNS name of your Docker daemon's host. 134 135 $ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \ 136 -H=$HOST:2376 version 137 138 > **Note**: 139 > Docker over TLS should run on TCP port 2376. 140 141 > **Warning**: 142 > As shown in the example above, you don't have to run the `docker` client 143 > with `sudo` or the `docker` group when you use certificate authentication. 144 > That means anyone with the keys can give any instructions to your Docker 145 > daemon, giving them root access to the machine hosting the daemon. Guard 146 > these keys as you would a root password! 147 148 ## Secure by default 149 150 If you want to secure your Docker client connections by default, you can move 151 the files to the `.docker` directory in your home directory -- and set the 152 `DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing 153 `-H=tcp://$HOST:2376` and `--tlsverify` on every call). 154 155 $ mkdir -pv ~/.docker 156 $ cp -v {ca,cert,key}.pem ~/.docker 157 $ export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1 158 159 Docker will now connect securely by default: 160 161 $ docker ps 162 163 ## Other modes 164 165 If you don't want to have complete two-way authentication, you can run 166 Docker in various other modes by mixing the flags. 167 168 ### Daemon modes 169 170 - `tlsverify`, `tlscacert`, `tlscert`, `tlskey` set: Authenticate clients 171 - `tls`, `tlscert`, `tlskey`: Do not authenticate clients 172 173 ### Client modes 174 175 - `tls`: Authenticate server based on public/default CA pool 176 - `tlsverify`, `tlscacert`: Authenticate server based on given CA 177 - `tls`, `tlscert`, `tlskey`: Authenticate with client certificate, do not 178 authenticate server based on given CA 179 - `tlsverify`, `tlscacert`, `tlscert`, `tlskey`: Authenticate with client 180 certificate and authenticate server based on given CA 181 182 If found, the client will send its client certificate, so you just need 183 to drop your keys into `~/.docker/{ca,cert,key}.pem`. Alternatively, 184 if you want to store your keys in another location, you can specify that 185 location using the environment variable `DOCKER_CERT_PATH`. 186 187 $ export DOCKER_CERT_PATH=~/.docker/zone1/ 188 $ docker --tlsverify ps 189 190 ### Connecting to the Secure Docker port using `curl` 191 192 To use `curl` to make test API requests, you need to use three extra command line 193 flags: 194 195 $ curl https://$HOST:2376/images/json \ 196 --cert ~/.docker/cert.pem \ 197 --key ~/.docker/key.pem \ 198 --cacert ~/.docker/ca.pem