# Web Server

The web server container has all you need enabled for development; you can specify custom configurations using the `./docker/webserver/templates/*` files.

In addition, the following directories are of interest:

* The web root is available at `./www`
* Web server logs are available at `./docker/webserver/logs`
* Let's Encrypt certificates are available at `./docker/webserver/letsencrypt`

{% hint style="info" %}
On first `make up` the `www` folder will be created and the chosen [framework](https://docker.nailsapp.co.uk/frameworks) (if applicable) installed into it.
{% endhint %}

## **SSL**

Upon running `make up`, the web server container will generate a certificate for the configured `$DOMAIN`. If one has already been generated, it will be reinstalled if it isn't installed already.

When working on `localhost`, a self-signed certificate will be used. For all other domains (as specified by the `$DOMAIN` env var), a Let's Encrypt certificate covering both the naked domain and the `www` subdomain will be generated and installed.

{% hint style="info" %}
When working on `localhost`, *expect* your browser to show "insecure" errors. This is because a self-signed certificate is being used. You can trust this certificate on your development machine to avoid this error.
{% endhint %}

Certificates will be renewed automatically by `certbot` using root's [`crontab`](https://github.com/nails/skeleton-docker-lamp/blob/develop/docker/docs/README.md#cron); if you need to create or renew these manually then you are free to use the `make ssl-create` and `make ssl-renew` commands.

### Trusting the `localhost` self-signed certificate

To avoid "insecure website" errors and to show a padlock in your browser, you can trust the certificate included in the Environment. This certificate is identical across all instances of the Docker environment, so trusting it for one project means it is trusted for every other project too.

How you do this depends on your OS:

{% tabs %}
{% tab title="macOS" %}

1. Locate `./docker/webserver/ssl/localhost.crt`
2. Open Keychain Access
3. Navigate to the `Certificates` section in the sidebar
4. Drag the certificate into Keychain Access
5. Double click the certificate
6. Under the `Trust` section, set it to `Always Trust`
7. Close the window; you will be asked for your password
8. Your Mac will now trust this certificate when it is used 🎉
   {% endtab %}

{% tab title="Windows" %}

1. Locate `./docker/webserver/ssl/localhost.crt`
2. Double click the certificate, then click **Next**
3. Choose **Place all certificates in the following store** and click **Browse...**
4. Choose **Trusted Root Certification Authorities** and click **OK**
5. Click **Next** then **Finish**
6. Finally, restart your computer ✨
   {% endtab %}
   {% endtabs %}

{% hint style="info" %}
🕵️‍♂️ If you are extra cautious you may wish to generate your own self-signed certificate. You can inspect the generation process used (and regenerate certificates) in:

```bash
./docker/webserver/ssl/generate.sh
```

**Note:** If you do regenerate a certificate, you will need to trust it for each project independently, or copy the new certificate into your existing and future projects.
{% endhint %}
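
Because the same certificate is shared by every instance of the environment, it is worth checking what it covers before adding it to a trust store. The script below is an added example, not part of the project; it assumes the `openssl` CLI is installed, and its function names are made up for illustration. It prints the SHA-256 fingerprint and rejects a certificate that is expired, is marked as a CA, or names anything other than `localhost`.

```bash
#!/usr/bin/env bash
# Added example (not project code): inspect a certificate before trusting it.
# Needs the openssl CLI. IP-address SAN entries are not examined.

# SHA-256 fingerprint, for comparing this file with a copy you already trust.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# DNS names from the Subject Alternative Name extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# True when basicConstraints marks the certificate as a CA.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds only if the certificate is unexpired, is not a CA, and names
# nothing other than localhost or a host under .localhost.
cert_ok_to_trust() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
        || { echo "expired or unreadable: $1" >&2; return 1; }
    if cert_is_ca "$1"; then
        echo "CA:TRUE - its key could sign certificates for any site" >&2
        return 1
    fi
    names="$(cert_dns_names "$1")"
    [ -n "$names" ] || { echo "no DNS names in SAN" >&2; return 1; }
    bad="$(printf '%s\n' "$names" | grep -Ev '^(.+\.)?localhost$' || true)"
    [ -z "$bad" ] || { echo "unexpected names: $bad" >&2; return 1; }
}

# Defaults to the path given on this page; pass another file as $1.
cert="${1:-./docker/webserver/ssl/localhost.crt}"
if [ -f "$cert" ]; then
    echo "SHA-256: $(cert_fingerprint "$cert")"
    cert_ok_to_trust "$cert" && echo "OK: localhost-only, non-CA, unexpired"
fi
```

Comparing the printed fingerprint between projects confirms you are trusting the same file each time.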

### Securing additional domains

By default, certbot will check DNS for `$DOMAIN` and `www.$DOMAIN` and generate a single certificate for both. If you need to add additional domains to the certificate, you can do so by specifying them as a comma-separated list in the `$SSL_ADDITIONAL_DOMAINS` env var.

## **Cron**

There is an empty crontab which you can populate at `./docker/webserver/crontab`. It is loaded into the web server container when `make up` is called. If needed, you can populate root's crontab using the template at `./docker/webserver/crontab-root`.

{% hint style="info" %}
The crontab is synced to the container each time `make up` is called. Changes made *within* the container (using `crontab -e`) will be synced back to the host immediately.
{% endhint %}
