This is not a replacement for scalable, managed hosting. It’s unknown how much traffic it can handle in a given environment.
Let’s Encrypt support not directly compatible with Traefik router
ddev config global --use-letsencrypt is not directly compatible with the Traefik router, but it can be configured using Traefik docs.
One of DDEV’s experimental features is lightweight hosting with Let’s Encrypt for HTTPS support. You can run DDEV on a public web server, point DNS to it, and use it as a limited hosting environment.
This may be appropriate for small or abandoned sites that have special requirements like old versions of PHP that aren’t supported elsewhere.
Here’s how to try it for yourself:
- Install DDEV on an internet-connected Linux server. (You’re responsible for your firewall and maintenance of the server!)
- On Debian/Ubuntu, you can set up a simple firewall with
ufw allow 80 && ufw allow 443 && ufw allow 22 && ufw enable.
- Point DNS for the site you’re going to host to the server.
- Before proceeding, your system and your project must be accessible on the internet on port 80 and your project DNS name (
myproject.example.com) must resolve to the appropriate server.
- Configure your project with
- Import your database and files using
Tell DDEV to listen on all network interfaces, omit phpMyAdmin and its SSH agent, use hardened images, and enable Let’s Encrypt:
Create your DDEV project as you normally would, but
ddev config --project-name=<yourproject> --project-tld=<your-top-level-domain>. If your website responds to multiple hostnames (e.g., with and without
www), you’ll need to add
Redirect HTTP to HTTPS. If you’re using
nginx-fpm, for example, create
ddev startand visit your site. With some CMSes, you may also need to clear your cache.
You may have to restart DDEV with
ddev poweroff && ddev start --all if Let’s Encrypt has failed because port 80 is not open, or the DNS name is not yet resolving. (Use
docker logs ddev-router to see Let’s Encrypt activity.)
Additional Server Setup¶
- Depending on how you’re using this, you may want to set up automated database and file backups—ideally off-site—like you would on any production system. Many CMSes have modules/plugins to allow this, and you can use
ddev snapshotas you see fit and do the backup on the host.
- You may want to allow your host system to send email. On Debian/Ubuntu
sudo apt-get install postfix. Typically you’ll need to set up reverse DNS for your system, and perhaps SPF and/or DKIM records to for more reliable delivery to other mail systems.
You may want to generally tailor your PHP settings for hosting rather than local development. Error-reporting defaults in
php.ini, for example, may be too verbose and expose too much information publicly. You may want something less:
To make DDEV start sites on system boot, you’ll want to set up a
systemdunit on systems like Debian/Ubuntu and Fedora. For example, a file named
# Start DDEV when system starts (after Docker) # Stop DDEV when Docker shuts down # Start with `sudo systemctl start ddev` # Enable on boot with `sudo systemctl enable ddev` # Make sure to edit the User= for your user and the # full path to `ddev` on your system. # Optionally give a list of sites instead of --all [Unit] Description=DDEV sites After=network.target Requires=docker.service PartOf=docker.service [Service] User=rfay Type=oneshot ExecStart=/usr/local/bin/ddev start --all RemainAfterExit=true ExecStop=/usr/local/bin/ddev poweroff [Install] WantedBy=multi-user.target
You’ll need to regularly renew the Let’s Encrypt certificates. This is often done on a system reboot, but that may not be soon enough. A cron with the command
docker exec ddev-router bash -c "certbot renew && nginx -s reload"will do the renewals.
You’ll likely want to turn off PHP errors to screen in a
- It’s unknown how much traffic a given server and Docker setup can sustain, or what the results will be if the traffic is more than the server can handle.
- DDEV does not provide outgoing SMTP mail handling service, and the development-focused MailHog feature is disabled if you’re using
use_hardened_images. You can provide SMTP service a number of ways, but the recommended way is to use SMTP in your application via a third-party transactional email service such as SendGrid, Postmark, or Mailgun. This is the best way to ensure mail is actually delivered.
- You may need an external cron trigger for some CMSes.
- Debugging Let’s Encrypt failures requires viewing the
docker logs ddev-router.
- A malicious attack on a website hosted with
use_hardened_imageswill likely not be able to do anything significant to the host, but it can certainly change your code, which is mounted on the host.
use_hardened_images is enabled, Docker runs the web image as an unprivileged user, and the container does not have sudo. However, any Docker server hosted on the internet is a potential vulnerability. Keep your packages up to date and make sure your firewall does not allow access to ports other than (normally) 22, 80, and 443.
There are no warranties implied or expressed.