Add container-based HTTPS configuration documentation

Fixes #407

docs/setup/deployment.md

@@ -29,6 +29,8 @@ services:
     restart: unless-stopped
 ```
 
+See [HTTPS/SSL configuration](ssl.md) for information on how to secure Baby Buddy.
+
 For doing administrative work within the LSIO container, setting an environment variable may be necessary.
 For example:
 
@@ -191,3 +193,5 @@ and any number of children).
          sudo service nginx restart
 
 15. That's it (hopefully)!
+
+See [HTTPS/SSL configuration](ssl.md) for information on how to secure Baby Buddy.

docs/setup/ssl.md

@@ -3,12 +3,30 @@
 The example Docker and manual deployment methods do not include HTTPS/SSL by default.
 Additional tools and configuration are required to add HTTPS support.
 
-The information here assumes Baby Buddy has been deployed to a Debian-like system with
+## Configuration requirements
-[snapd installed](https://snapcraft.io/docs/installing-snapd) for Certbot support with
-Let's Encrypt. These requirements can skipped if SSL certificates are obtained by some
-other way.
 
-## Install NGINX
+For either approach (host- or container-based) Baby Buddy's configuration will need to
+be updated to account for the proxy. For details on these settings see [Proxy configuration](proxy.md).
+
+After configuring the proxy set the following two environment variables and then restart
+necessary services:
+
+```ini
+CSRF_TRUSTED_ORIGINS=https://babybuddy.example.com
+SECURE_PROXY_SSL_HEADER=True
+```
+
+## Host-based proxy
+
+This guide assumes Baby Buddy has been deployed to a Debian-like system with
+[snapd installed](https://snapcraft.io/docs/installing-snapd) using the [example deployment](deployment.md#example-deployment)
+however this approach can also be used with a Docker deployment if having the proxy
+in the host is desired (otherwise see [Container-based proxy](#container-based-proxy)).
+
+If the example deployment with uWSGI and NGINX is already used skip to [Install Certbot](#install-certbot)
+and [Obtain and install certificate](#obtain-and-install-certificate).
+
+### Install NGINX
 
 If NGINX is not already installed on the host system install it with a package manager.
 
@@ -20,7 +38,7 @@ NGINX will be used to proxy HTTPS traffic to Baby Buddy. There are many other pr
 available for this (often with Let's Encrypt support, as well) so a different one can
 be used if desired.
 
-### Configure NGINX
+#### Configure NGINX
 
 If Baby Buddy is running from Docker a new NGINX site will need to be created to send
 traffic to Docker. The configuration below uses the example domain `babybuddy.example.com`
@@ -57,7 +75,7 @@ Confirm the site is not accessible at `http://babybuddy.example.com`. Note: Atte
 to log in will result in a CSRF error! This will be addressed after HTTPS has been
 established.
 
-## Install Certbot
+### Install Certbot
 
 This example uses [Let's Encrypt's](https://letsencrypt.org/) free service for obtaining
 SSL certificates. Other methods can be used to obtain and install a certificate as
@@ -72,7 +90,7 @@ snap install --classic certbot
 ln -s /snap/bin/certbot /usr/bin/certbot
 ```
 
-## Obtain and install certificate
+### Obtain and install certificate
 
 The following command will ask for an email address to register with Let's Encrypt and
 then prompt a service agreement and which NGINX host to obtain a certificate for. The
@@ -120,17 +138,57 @@ server {
 If the certificate was obtained by some other means the configuration about should be
 instructive for how to add it to the NGINX site configuration.
 
-## Update Baby Buddy configuration
+## Container-based proxy
 
-Lastly Baby Buddy's configuration will need to updated to account for the proxy. For
+If Baby Buddy is already hosted in a Docker container the proxy (NGINX) can be hosted
-details on these settings see [Proxy configuration](proxy.md).
+there as well. The configuration provided here assumes the `docker-compose.yml` example
+from the [Docker deployment method](deployment.md#docker) is used.
 
-Add the following two environment variables via the Docker or uWSGI configuration (if
+### Add NGINX service
-using the [example deployment](deployment.md#example-deployment)):
 
-```ini
+Add the following `services` entry to `docker-compose.yml`:
-CSRF_TRUSTED_ORIGINS=https://babybuddy.example.com
+
-SECURE_PROXY_SSL_HEADER=True
+```yaml
+babybuddy-nginx:
+  image: nginx
+  container_name: babybuddy-nginx
+  volumes:
+    - /path/to/appdata/nginx.conf:/etc/nginx/conf.d/default.conf
+    - /path/to/appdata/logs:/var/log/nginx
+    - /path/to/appdata/certs:/certs
+  ports:
+    - 80:80
+    - 443:443
+  depends_on:
+    - babybuddy
 ```
 
-That's it! Restart Docker or uWSGI and Baby Buddy should not be accessible from HTTPS!
+Set the contents of `/path/to/appdata/nginx.conf` to:
+
+```nginx
+server {
+    server_name         babybuddy.example.com;
+    listen              443 ssl;
+    ssl_certificate     /certs/babybuddy.example.com.crt;
+    ssl_certificate_key /certs/babybuddy.example.com.key;
+    location / {
+        proxy_pass              http://babybuddy:8000;
+        proxy_set_header        Host $host;
+    }
+}
+
+server {
+    if ($host = babybuddy.example.com) {
+        return 301 https://$host$request_uri;
+    }
+
+    server_name         babybuddy.example.com;
+    listen              80;
+    return 404;
+}
+```
+
+### Add certificates
+
+Place certificates in `/path/to/appdata/certs` using the files name of `ssl_certificate`
+and `ssl_ceritifcate_key` in the NGINX configuration.