HTTPS for CheckMK web when in Docker

We have CheckMK working quite nicely on our network, but need to move it to HTTPS access for the web page. I see the help file here:

…but unfortunately all it says is “Use a reverse proxy”! Huh? Simply using a reverse proxy doesn’t encrypt transmission to SSL, so I do not understand this advice.

There is very little on the forum on this, all I find is this single post, which also doesn’t provide much help:

Can someone post a simple guide to encrypt the web interface to SSL please? E.g. do we need to run a Let’sEncrypt container alongside, or something?

Basically you need to run something like nginx or traefik beside your CMK container.
The final configuration depends on your selection of reverse proxy; the certificate handling is also different for the available reverse proxies. In the end you can say the reverse proxy terminates your SSL connection and forwards the traffic to the CMK container. For your container configuration this also means you don’t need to expose the internal Apache port from the CMK container.

1 Like

Okay, so configure a reverse proxy to run the SSL. Do you suggest putting the reverse proxy in the CheckMK container, or in another container alongside? The latter would be easier, I suspect, but obvs need a private container network to hide the CheckMK container.

Second container beside CMK. You can use an internal network connection between both containers. Only remember that port 8000 needs to be exposed to the outside from the docker container if you want to use the TLS agent registration.

1 Like

So this worked 🙂

For the forum, I simply deleted the old port 9080 mapping and added this to my CheckMK docker-compose.yml:

  nginx:
    image: nginx:latest
    container_name: nginx-checkmk-proxy
    restart: unless-stopped
    ports:
      - "9080:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./certs:/etc/nginx/certs:ro
    depends_on:
      - monitoring

networks:
  default:
    driver: bridge

And I added this as the /nginx/conf.d/checkmk.conf file:

server {
    listen 443 ssl http2;
    server_name _;

    # TLS certificates
    ssl_certificate     /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    # Recommended security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    access_log off; # Disable access logs

    # Proxy to Checkmk
    location / {
        proxy_pass http://monitoring:5000;

        # Forward correct headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Increase proxy buffers for Checkmk UI
        proxy_buffer_size   128k;
        proxy_buffers       4 256k;
        proxy_busy_buffers_size 256k;
    }
}

3 Likes
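
A quick way to check a proxy config like the one posted above before reloading nginx, as an added example that is not part of the original thread: the script audits a server block for plaintext listeners, missing certificate directives, legacy TLS versions, and a missing `X-Forwarded-Proto` header. The sample config is constructed (the thread's block with two settings weakened), and the `directives` and `audit` helper names are hypothetical.

```python
import re

# Constructed sample: the thread's server block with two settings weakened.
WEAK_CONF = """
server {
    listen 443 ssl http2;
    ssl_certificate     /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions enabled
    location / {
        proxy_pass http://monitoring:5000;
        proxy_set_header Host $host;       # X-Forwarded-Proto dropped
    }
}
"""
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Split a config into (name, args) pairs; comments are stripped first.
    Simplification: a '#' inside a quoted value is treated as a comment."""
    text = re.sub(r"#[^\n]*", "", conf)
    parts = (stmt.split() for stmt in re.split(r"[;{}]", text))
    return [(p[0], p[1:]) for p in parts if p]

def audit(conf):
    """Return a list of findings for a TLS-terminating proxy config."""
    d = directives(conf)
    get = lambda name: [args for n, args in d if n == name]
    findings = []
    for args in get("listen"):
        if "ssl" not in args:
            findings.append(f"listen {' '.join(args)}: plaintext listener")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if not get(name):
            findings.append(f"{name}: not configured")
    protos = {p for args in get("ssl_protocols") for p in args}
    if not protos:
        findings.append("ssl_protocols: not set, nginx defaults apply")
    elif protos & LEGACY:
        findings.append("ssl_protocols: legacy " + ", ".join(sorted(protos & LEGACY)))
    headers = {args[0] for args in get("proxy_set_header") if args}
    if "X-Forwarded-Proto" not in headers:
        findings.append("proxy_set_header: X-Forwarded-Proto missing")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("FINDING:", finding)
```

An empty list from `audit` means none of these four checks fired; it does not replace `nginx -t` for syntax validation.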