How to secure connections between multiple containers in Docker Compose using TLS certificates

Docker Compose is a powerful tool for managing multiple Docker containers in a single environment. However, when multiple containers communicate with each other, it is essential to secure their connections to prevent unauthorized access or data breaches. One of the best ways to secure connections between multiple containers in Docker Compose is by using Transport Layer Security (TLS) certificates. In this blog, we will explore how to secure connections between multiple containers in Docker Compose using TLS certificates.


Step 1: Generate a Certificate Authority (CA)
The first step is to generate a Certificate Authority (CA). The CA is responsible for issuing TLS certificates that will be used to secure the communication between the Docker containers. The CA should be stored securely, as it is a critical component of the TLS certificate infrastructure.
To generate a CA, you can use OpenSSL or other certificate management tools. For example, to generate a CA using OpenSSL, run the following command:
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out ca.crt -keyout ca.key

This command generates a new CA certificate and private key, which are valid for ten years.
Step 2: Generate Server Certificates
The next step is to generate server certificates for each Docker container that will communicate with other containers. These certificates are used to secure the communication between the Docker containers. Each Docker container should have its own certificate, and the certificate should be stored securely.
To generate a server certificate for a Docker container, you can use OpenSSL or other certificate management tools. For example, to generate a server certificate using OpenSSL, run the following command:
openssl req -new -newkey rsa:4096 -sha256 -nodes -out server.csr -keyout server.key
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

The first command generates a new private key and a certificate signing request; the second has the CA sign that request, producing a server certificate that chains to ca.crt and is valid for ten years.
Step 3: Configure Docker Compose to use TLS Certificates
Once the certificates have been generated, Docker Compose needs to be configured to use them. This involves configuring the Docker containers to use TLS certificates for communication.
To configure Docker Compose to use TLS certificates, add the following lines to the Docker Compose YAML file:
version: '3'
services:
  service1:
    image: myimage
    environment:
      - SERVICE_NAME=service1
    ports:
      - "80:80"
    volumes:
      - ./certs:/certs
    command: "nginx"
    networks:
      default:
        aliases:
          - service1
    # Enable TLS
    # https://docs.docker.com/compose/compose-file/compose-file-v3/#x509_certificates
    # Note: Compose itself does not terminate TLS, and a service-level "tls" key
    # is not part of the Compose file reference; the paths below must also be
    # consumed by the service's own configuration (for nginx, ssl_certificate
    # and ssl_certificate_key pointing at the mounted /certs volume).
    tls:
      cert: /certs/server.crt
      key: /certs/server.key
      ca: /certs/ca.crt

In this example, the Docker container named “service1” is configured to use TLS certificates for communication. The certificates are stored in the “/certs” directory, which is mounted as a volume in the container. The “tls” section specifies the paths to the server certificate, private key, and CA certificate.
Step 4: Verify that TLS is working
After configuring Docker Compose to use TLS certificates, it is essential to verify that TLS is working correctly. This can be done by testing the communication between Docker containers to ensure that it is encrypted and authenticated.
To test the communication between Docker containers, you can use tools like cURL or OpenSSL. For example, to test the communication between two Docker containers named “service1” and “service2,” you can run the following command:
curl --cacert /certs/ca.crt --cert /certs/server.crt --key /
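As an added example that is not part of the original post, the following shell script ties Steps 1, 2 and 4 together: it creates the CA, issues one CA-signed certificate per Compose service with a SAN equal to the service's network alias, and verifies each certificate the way a TLS client would (chain to ca.crt plus hostname). The CA name, the output directory, and the service names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a tiny PKI for Compose
# services. Each service certificate is signed by the CA from Step 1 and
# carries a SAN equal to the Compose network alias, so peers that trust
# ca.crt can verify both the chain and the name they connected to.
set -eu

# gen_ca DIR: CA private key plus self-signed CA certificate (10 years).
gen_ca() {
    dir=$1
    openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
        -subj "/CN=compose-internal-ca" \
        -out "$dir/ca.crt" -keyout "$dir/ca.key" 2>/dev/null
}

# gen_service_cert DIR NAME: key and CSR for NAME, signed by DIR/ca.key.
gen_service_cert() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:4096 -sha256 -nodes -subj "/CN=$name" \
        -out "$dir/$name.csr" -keyout "$dir/$name.key" 2>/dev/null
    # SAN = Compose service alias; allow use as server and as client (mTLS).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$name" > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# verify_cert CAFILE CERT NAME: succeed only if CERT chains to CAFILE and is
# valid for host NAME, the same two checks a TLS client performs on connect.
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Stand-alone use: ./mkcerts.sh ./certs service1 service2
if [ $# -ge 2 ]; then
    out=$1; shift
    mkdir -p "$out"
    gen_ca "$out"
    for svc in "$@"; do
        gen_service_cert "$out" "$svc"
        verify_cert "$out/ca.crt" "$out/$svc.crt" "$svc" && echo "issued $out/$svc.crt"
    done
fi
```

Mount the resulting directory as the /certs volume from Step 3; a certificate issued by a different CA, or presented under a different service name, fails verify_cert just as it would fail curl's --cacert check.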