--- title: Additional deployment options url: https://www.tines.com/docs/admin/command-over-http/additional-deployment-options/ updated: 2024-11-01T17:58:20+00:00 --- *[tines.com](https://www.tines.com/llms.txt) › [Docs](https://www.tines.com/llms.txt) › [Admin](https://www.tines.com/llm/docs/admin.md) › [Command-over-HTTP](https://www.tines.com/llm/docs/admin/command-over-http.md)* # Additional deployment options *[View on tines.com](https://www.tines.com/docs/admin/command-over-http/additional-deployment-options/)* The following examples assume Docker, but similar approaches are possible with other container orchestration mechanisms. ## Deploying with SSL If you'd like to only allow command-over-http to listen on HTTPS (via SSL), then you can follow these steps. Typically its not needed if command-over-http is running in an air-gapped like network. This deployment assumes there is a directory under `/ssl/`, on the machine that is running the `docker run …` command. And, that the directory has `tls.crt` and `tls.key` files in it. Then, when the container boots, command-over-HTTP can look up those files locally in the container, from the volume mapping. ```bash docker run -it --env TINES_TUNNEL_SECRET="" \ --env FORCE_SSL="true" \ --env TLS_CERT_PATH="/ssl/tls.crt" \ --env TLS_KEY_PATH="/ssl/tls.key" \ -v /ssl:/ssl tines/command-over-http ``` ## Authenticating with Kerberos for PowerShell usage ```bash docker run -it --env KERBEROS_DEFAULT_REALM="TINES.DEV" \ --env KERBEROS_KDC_DOMAIN="TINES.DEV" \ --env KERBEROS_ADMIN_SERVER="TINES.DEV" \ --env KERBEROS_PRINCIPAL_USER_NAME="administrator" \ --env KERBEROS_PRINCIPAL_USER_PASSWORD="Password123" \ --env TINES_TUNNEL_SECRET="TunnelSecret" \ tines/command-over-http:latest ``` See ‘[Passing secret values to the deployment](#passing-secret-values-to-the-deployment)’ below for how to pass Kerberos credentials in. ## Deploying with custom DNS ```bash docker run \ --env TINES_TUNNEL_SECRET="secret" \ --dns="EnterDNSIP" \ --add-host="EnterHostFQDN:EnterHostIP" \ tines/tines-tunnel:latest ``` ## Passing secret values to the deployment In the event a credential vault or secrets need to be passed to the command-over-HTTP container during deployment, you can leverage [Docker Compose secrets](https://docs.docker.com/compose/use-secrets/). First, you’ll need to define where secrets should be pulled in from. In a directory on the container host, create a file named `secrets.env`. In the file enter the following information: ```bash KERBEROS_PRINCIPAL_USER_PASSWORD=ENTER_PASSWORD_HERE ``` Replace the value `ENTER_PASSWORD_HERE` with expected credential information, in this example the Keberos service account password. Save the file. Now create a file called `docker-compose.yml` with the following file structure: ```yaml version: "3.8" services: coh: image: tines/command-over-http:latest deploy: replicas: 1 environment: - KERBEROS_DEFAULT_REALM=ENTER_REALM - KERBEROS_KDC_DOMAIN=ENTER_KDC_DOMAIN - KERBEROS_ADMIN_SERVER=ENTER_DC_SERVER - KERBEROS_PRINCIPAL_USER_NAME=ENTER_USER_ACCOUNT_NAME secrets: - secret-env secrets: secret-env: file: ./secrets.env ``` > **NOTE:** > Instead of specifying the additional environment variables using the previous `--env` argument with `docker run`, you’ll need to fill in the environment variable information in the `docker-compose.yml` file with Docker Compose. > > Specifically, the values for `KERBEROS_DEFAULT_REALM`, `KERBEROS_KDC_DOMAIN`, `KERBEROS_ADMIN_SERVER`, and `KERBEROS_PRINCIPAL_USER_NAME` would be required. To use Docker secrets, [Docker Compose](https://docs.docker.com/compose/install/) must be installed on the system command-over-HTTP is being deployed on. The Docker Compose version must support Dockerfile version 3.8 (i.e Docker Compose v2.3.3). With the file configured run the following command from the directory in which the `docker-compose.yml` and `secrets.env` files exist: ```bash docker compose up -d ``` Once the command-over-HTTP container is created, validate the credentials were passed to the container by running the following command: ```bash docker compose run coh cat /run/secrets/secret-env ``` The value specified in the secrets file will be returned. This process can also be used for credential vaults as well, so long as the data being read in follows this format: ```bash KERBEROS_PRINCIPAL_USER_PASSWORD=ENTER_PASSWORD_HERE ``` > **NOTE:** The Docker Compose YAML file may need to be modified based on the credential vault