IIS service running on Docker for Windows running Windows containers on
Microsoft Windows 10. It is a naive example that stores the webpage in a secret.
This example assumes that you have PowerShell installed.
1. Save the following into a new file `index.html`.
```html
<html lang="en">
<head><title>Hello Docker</title></head>
<body>
<p>Hello Docker! You have deployed a HTML page.</p>
</body>
</html>
```
2. If you have not already done so, initialize or join the swarm.
```console
> docker swarm init
```
3. Save the `index.html` file as a swarm secret named `homepage`.
```console
> docker secret create homepage index.html
```
4. Create an IIS service and grant it access to the `homepage` secret.
```console
> docker service create `
--name my-iis `
--publish published=8000,target=8000 `
--secret src=homepage,target="\inetpub\wwwroot\index.html" `
microsoft/iis:nanoserver
```
> [!NOTE]
>
> There is technically no reason to use secrets for this
> example; [configs](configs.md) are a better fit. This example is
> for illustration only.
5. Access the IIS service at `http://localhost:8000/`. It should serve
the HTML content from the first step.
6. Remove the service and the secret.
```console
> docker service rm my-iis
> docker secret rm homepage
> docker image remove secret-test
```
### Intermediate example: Use secrets with a Nginx service
This example is divided into two parts.
[The first part](#generate-the-site-certificate) is all about generating
the site certificate and does not directly involve Docker secrets at all, but
it sets up [the second part](#configure-the-nginx-container), where you store
and use the site certificate and Nginx configuration as secrets.
#### Generate the site certificate
Generate a root CA and TLS certificate and key for your site. For production
sites, you may want to use a service such as `Let’s Encrypt` to generate the
TLS certificate and key, but this example uses command-line tools. This step
is a little complicated, but is only a set-up step so that you have
something to store as a Docker secret. If you want to skip these sub-steps,
you can [use Let's Encrypt](https://letsencrypt.org/getting-started/) to
generate the site key and certificate, name the files `site.key` and
`site.crt`, and skip to
[Configure the Nginx container](#configure-the-nginx-container).
1. Generate a root key.
```console
$ openssl genrsa -out "root-ca.key" 4096
```
2. Generate a CSR using the root key.
```console
$ openssl req \
-new -key "root-ca.key" \
-out "root-ca.csr" -sha256 \
-subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=Swarm Secret Example CA'
```
3. Configure the root CA. Edit a new file called `root-ca.cnf` and paste
the following contents into it. This constrains the root CA to signing leaf
certificates and not intermediate CAs.
```ini
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash
```
4. Sign the certificate.
```console
$ openssl x509 -req -days 3650 -in "root-ca.csr" \
-signkey "root-ca.key" -sha256 -out "root-ca.crt" \
-extfile "root-ca.cnf" -extensions \
root_ca
```
5. Generate the site key.
```console
$ openssl genrsa -out "site.key" 4096
```
6. Generate the site certificate and sign it with the site key.
```console
$ openssl req -new -key "site.key" -out "site.csr" -sha256 \
-subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=localhost'
```
7. Configure the site certificate. Edit a new file called `site.cnf` and
paste the following contents into it. This constrains the site
certificate so that it can only be used to authenticate a server and