HTTPS and TLS

When Packet Viewer starts, it will create a self-signed certificate to use for HTTPS. By default, the Docker image serves HTTPS using the server.crt and server.key TLS certificate files found in the /config volume mounted in the Docker container. If you have signed certificates for this server, place them there before starting the container.

If either server.crt or server.key does not exist, a new self-signed certificate is generated based on the HOSTNAME environment variable each time the container is created.

Redirects

The PV_HTTPS_HOST environment variable explicitly sets the host (or host:port) used to redirect HTTP traffic to HTTPS. It can be necessary when the ports the Packet Viewer application is bound to inside the container differ from the ports they are mapped to on the host.

For example, by default the Packet Viewer application is running on 80/443 in the container. If these ports are mapped to 8080/4443 on the host, an HTTP request to the host on 8080 would be redirected to HTTPS on port 443, not 4443. The PV_HTTPS_HOST environment variable lets the user explicitly specify the host and port to use when redirecting to solve this problem.
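One way to verify the redirect from the client side, as an added example (not Packet Viewer's own code): the script checks that the Location header returned for a plain-HTTP request points at the HTTPS port published on the host. The hostname pv.example.com, the 301 status and the sample responses are constructed assumptions.

```python
"""Check that an HTTP->HTTPS redirect lands on the HTTPS port published on the host."""
import http.client
from urllib.parse import urlsplit

def check_redirect(status, location, expected_host, expected_port):
    """Return (ok, reason) for one redirect response.

    expected_host/expected_port are what clients must reach on the Docker
    host, i.e. the value you would put in PV_HTTPS_HOST.
    """
    if status not in (301, 302, 307, 308):
        return False, f"status {status} is not a redirect"
    if not location:
        return False, "no Location header"
    url = urlsplit(location)
    if url.scheme != "https":
        return False, f"redirect scheme is {url.scheme!r}, not https"
    port = url.port or 443  # no explicit port means the HTTPS default
    if (url.hostname or "").lower() != expected_host.lower():
        return False, f"redirect host is {url.hostname}, expected {expected_host}"
    if port != expected_port:
        return False, f"redirect goes to port {port}, expected {expected_port}"
    return True, "redirect matches the published HTTPS endpoint"

def fetch_redirect(host, http_port, path="/"):
    """Issue one plain-HTTP request without following the redirect."""
    conn = http.client.HTTPConnection(host, http_port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses for the 8080/4443 mapping described above.
SAMPLES = {
    "PV_HTTPS_HOST unset": (301, "https://pv.example.com/"),
    "PV_HTTPS_HOST=pv.example.com:4443": (301, "https://pv.example.com:4443/"),
}

if __name__ == "__main__":
    for label, (status, location) in SAMPLES.items():
        ok, reason = check_redirect(status, location, "pv.example.com", 4443)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

Against a running container, pass the result of `fetch_redirect("pv.example.com", 8080)` to `check_redirect` instead of the constructed samples.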

Auto TLS via Let’s Encrypt

If the PV_AUTO_TLS environment variable is set to true, Packet Viewer will attempt to use Let’s Encrypt to generate a publicly signed certificate. The domain name for the certificate is specified by either the PV_HOSTNAME or the HOSTNAME environment variable.

The request is validated via an HTTP-01 challenge. These certificates will be saved in the /config volume mounted in the Docker container.

We recommend performing a dry-run using the Let’s Encrypt staging server first. This prevents errors from temporarily blocking your requests. Set PV_AUTO_TLS_STAGING to true.

Note: The HTTP-01 challenge can only be done on port 80. If you are using a non-standard HTTP port, port forwarding must be configured so that the HTTP-01 challenge request sent by Let’s Encrypt to http://$PV_HOSTNAME:80 will reach the Packet Viewer container.

Disabling TLS

If you do not wish to run over TLS, or are offloading TLS elsewhere in your environment, setting the PV_NO_TLS environment variable to true disables HTTPS entirely. In this mode, only HTTP traffic is accepted on port 80.